Features
- Cover Type: Paperback with 384 pages
- Published by: Addison-Wesley Professional
- Edition: 1st Edition January 6, 2008
- Written in: English
- ISBN 10 Number: 0321496841
- ISBN 13 Number: 978-0321496843
-
Book Dimensions:
9 x 6.8 x 1.2 inches
- Weighs: 1.2 pounds
Reader Reviews
CardSpace is an interesting offering from Microsoft that improves on their earlier, much unlamented Passport. Essentially a refactoring of user information. So that instead of a website asking for it and keeping it, especially where this is the (username, password), it can seek out an authoritative site on the Internet that has what information about the user is relevant. There's more to CardSpace. But one gist is to minimise the effort by users to maintain username and password across many websites. Another motivator is to reduce the danger of phishing. In part by letting a user detect if a website is pretending to be a good website which she has visited before. This is done through her having several Cards, and having earlier chosen a particular Card to use at that good website. A fake website [pharm] simply won't have this information, and the lack of it can be a telltale warning to her. Indeed, phishing appears in many parts of the text. A driving force in explaining why we should adopt CardSpace. Unfortunately, efficacy is limited. Much phishing consists of emails, with links to pharms controlled by the phisher. Nothing in CardSpace attacks those emails directly, giving the recipient or her email provider a lightweight and objective means of detecting phishing messages and deleting or disabling them. Absolutely zero discussion of this in the text. Nor does CardSpace attack another type of phishing. Instead of the message pretending to be from a bank at which you already have an acount, it asks you to submit an application to open an account at a bank. Or to apply for a credit card, say. In these cases, the pharm is not pretending to be a place you've been to before. So you don't have any Card history usage there. How can you tell if the website is really run by a real financial institution? Here, the intent of the pharm is to harvest your personal information, for later use in identity fraud. This phishing modality sidesteps entirely the abovementioned protection. What if, in response, you as a Card user, say you'll only hand over information to an unknown website via CardSpace, instead of typing it into that website's page? Still doesn't work. The pharm can implement CardSpace, acting as a Relying Party. So it fools you into letting it get information about you from an Identity Provider. If it's acting as a financial site, then it is natural to ask you for such things as your TaxID (SSN for Americans), date of birth, etc. Whether you type it in or it gets this from an IP is the same to the pharm. In fact, it might even prefer that you use an IP to give it data. Because that is more likely to be correct. At this point, someone says, "Easy. The IP will only divulge to a reliable RP". Well, what defines "reliable"? Is it possibly that the RP has an Extended Validation Certificate? (The book makes repeated reference to EV.) While these are more expensive and harder to get than current Certificates, the level of scrutiny here can be defeated. A phisher can enrol as an employee at an existing IP that has an EV. (Or bribe an employee.) Or even set up a company that will get an EV. Remember, in general an EV holder does not have the same level of internal checks that a bank has, on its employees, to guard against subversion. Most EV holders will be merchants with websites. Merchants of varying sizes and sophistication. This phishing modality is currently relatively infrequent, compared to normal phishing. Perhaps because phishers find it more lucrative to focus on accessing existing bank accounts, which they drain. (Whereas identity fraud is more effort.) But if this popular form of phishing were to fade, for whatever reason, including for the sake of argument, the widespread use of CardSpace, then the other modality can be expected to rise. CardSpace's main virtue is convenience, in reducing the duplication of personal data on the Internet. Yes, to the extent that this happens, it does improve personal privacy and safety. But against phishing, it really only has, or promises to have, an indirect impact. Worse, and ironically, the very convenience of extensive CardSpace usage might actually increase the incidence of personal data leakage.
Comment | |
(Report this)
Search for books at
