Welcome to Microsoft .NET Framework 3.0 Community (NetFx3)

The .NET Framework is Microsoft's managed code programming model for building applications that have visually stunning user experiences, seamless and secure communication, and the ability to model a range of business processes.


WCF Community Bloggers

Saturday, May 31, 2008 - Posts

  • Windows Cardspace Breach? I think NOT

    I was recently pointed to this post that highlights a "successful attempt" by some students in Germany to crack Microsoft Cardspace. After reading through the post several times, I became convinced that it is NOT what it seems it is and that if the "breach" is what it says it is, there must be some pre-conditions that must be satisfied before it can happen and these criteria are not going to be easy...

    Just as I was putting some of my thoughts down that relate to why I think the attempt is somehow "inappropriately glorified":

    1. If an end-user would be stupid enough to put and store his/her passwords, credit card information on his PC
    2. There must be some sort of DNS compromise on the end-user side, which also means successfully hacking into his/her router
    3. There must be some sort of Digital Certificate Store compromise on the end-user side, which also means successfully hacking into his machine with highly-elevated privileges or saying, the user's machine password has been stolen

    Points [2] and [3] relate to the statements from the attempt and I quote from the above post:

    "To reproduce the demonstration, you should change your own DNS settings and install an untrusted certificate"

    If I can do both those points successfully, to be honest, I already have control over what the user does on his machine, stealing his Infocard is probably of low priority at that point in time.

    Then, the brains behind Cardspace, Kim Cameron, himself, wrote a comprehensive reply, which basically was...

Copyright © 2007 Microsoft Corporation. All Rights Reserved.