Student researchers have NOT demonstrated the simultaneous compromise of the systems necessary for the attack to succeed.
Students at Ruhr-Universität Bochum in Germany have published an account this week describing an attack on the use of CardSpace within Internet Explorer. Their claim is to “confirm the practicability of the attack by presenting a proof of concept implementation”.
I’ve spent a fair amount of time reproducing and analyzing the attack. The students were not actually able to compromise my safety except by asking me to go through elaborate measures to poison my own computer (I show how complicated this is in a video I will post next). For the attack to succeed, the user has to bring full administrative power to bear against her own system. It seems obvious that if people go to the trouble to manually circumvent all their defenses they become vulnerable to the attacks those defenses were intended to resist. In my view, the students did not compromise CardSpace.
Kim is right. I'm still glad to see that there are people out there trying because the hope is anything found leads to a more secure system for us all and, in the end, that's what we all want.