The capabilities of today’s browsers are not sufficient for meeting the security needs of web applications requiring authentication and payments. One of the two primary deficiencies is that content from one site cannot be adequately sandboxed when executed on a relying web site. Yet embedding such third-party micro-apps has become commonplace. The second deficiency is the reliance on passwords, as is so eloquently described by this post from Eevee.
Take making a PayPal transaction at a merchant web site as an example of the first deficiency. To make this work the merchant web site must redirect the user to PayPal’s web site where he or she then authenticates and authorizes the payment. The user is taken out of context, away from the merchant’s web site, with the possibility of being subject to phishing. This is done because any PayPal code running within the context of the merchant’s site would not be secure: PayPal and the merchant cannot isolate each other’s code.
Facebook put out an infographic revealing that 600,000 identities are compromised per day. That’s a lot of identities. Continuing from a previous post of mine, you could perhaps conclude that Facebook Connect is suitable for casual identity, but not for strong identity.
It’s not that Facebook isn’t trying to protect identities. The infographic reveals an impressive array of risk management tools. Facebook certainly looks like it is setting itself up to be a strong identity provider.
I suggest that the casual value of Facebook to most people is what gets in the way of Facebook acting as a strong identity source. People choose weaker passwords and are less inclined to be serious about account recovery steps than they would be with a bank, PayPal or even an email account. A second issue is that users are more susceptible to phishing and spam by virtue of Facebook being a popular target with a large attack surface. Not to mention that users may be a little wary of Facebook’s track record of leaky privacy and therefore less willing to give up the vital data needed to protect their identity (e.g. cell phone numbers and security questions).
For a further examination of the issue of Facebook identity compromises please read this Sophos article.
Think of it: if you want a strong identity, you want one that is backed by financial information. That makes banks great natural identity providers. But financial institutions don’t seem to be interested in this space, and/or regulatory issues are in the way.
GPUs have brought brute force breaking of any 7 character random alphanumeric password down to a maximum of 17.5 minutes, as compared to 4 days with a CPU. For 8 characters it takes 18.5 hours with a GPU, or 1 year with a CPU. This is what Vijay Devakumar found when he used a GPU card and the free password hash cracker called ighashgpu to crack the NTLM password hash, which is used when logging in to Windows.
Peter Bright posted a terrific piece over at Ars Technica describing the fraudulent issuance of nine high value SSL certificates by Comodo. This included certificates for such high-profile hostnames as www.google.com, login.yahoo.com, login.skype.com and addons.mozilla.org. Other equally good reads are the Tor site's account of detecting the problem and Comodo's explanation. I'm sure Comodo's CEO, Melih Abdulhayoglu, is having fun this week.
The case reveals the intrinsic problems with PKI that we've all been aware of for a long time.
I am a bit surprised by a couple of things, though surprised is perhaps too strong a word.
There is an interesting post by Om Malik over at GigaOm suggesting how Google can get its mojo back from Facebook.
Taking a slight spin on this, I make the observation that a large part of Facebook's value is your identity and your associations and Facebook's willingness to leverage this information elsewhere on the web (Facebook Connect). Facebook Connect is becoming the most common way to log in to other sites. The reputation of your identity is increased by your associations: it requires a conspiracy to create a fake Facebook account and have N friends, the presence of which increases your identity's reputation.
Good article by Jeff Atwood on the Gawker web site compromise. The gist of it is that Gawker stored passwords, which is oh so wrong. Yet many sites continue to follow such ridiculous practices. It's not just the small sites. eTrade did this during their first years in operation. If you called for a password reset, they'd read you your password over the phone. Atlassian Software sent you your password in the clear if you did a password reset. I find that when you alert companies to their incorrect practices they invariably show disregard. At least until they don't.
Atwood calls for a greater use of federated identity so that users don't need to create as many accounts. I couldn't agree more. There is, however, the sticky problem of usability. OpenID botched this. Facebook Connect does a good job with usability but at the cost of reduced security. The web is still waiting for a good user interface solution to federating identity: one that is usable and secure. There was an opportunity for Adobe to solve this problem with Flash because Flash allows code execution within a sandbox. This opportunity has passed since Adobe ceded their opportunity for ubiquity to Apple's interests.
Amazon apparently thinks it’s okay to send you email asking you to click on a link and enter your credit card information. I confirmed with Amazon that the email shown below was in fact sent by them.
A good article on mobile phone security and authentication.
Just protecting the user’s login screen will not be protection enough as the stakes increase. There must be a way to bind the physical identity of the mobile device—some identifying hardware characteristic—to the PayPal account, while allowing only minimum exposure of the user’s password to the network. He suggested several alternatives, only to reject each of them. SIM cards could work, but would require the cooperation of the world’s service providers—an unlikely scenario at best. Micro SD cards similarly could work, but would add cost to the handset that neither the service providers nor the end users would likely accept.
I'd have thought the cooperation of the world's service providers would be something they would be pursuing.