CardSpace Pharming Vulnerability Discovered
Posted by Rowland Watkins on 31 May, 2008 at 19:56
It appears that Windows CardSpace is susceptible to pharming techniques similar to the threats that exist in OpenID, according to Intology. It’s always best to go to the source of apparent exploits; there’s an overview here, and the actual paper: On the Insecurity of Microsoft’s Identity Metasystem CardSpace.
While this exploit is a slight headache for Microsoft, it is only as effective as the validity of the SAML token minted by the CardSpace token issuer. All the token issuer needs to do is change the validity period in its policy to alter the risk window. What would be more worrying is if the fraudulent web server were capable of minting SAML tokens itself. I don’t know how easy it is to become an issuer, so this may not be practical.
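The validity-period point above cuts both ways: the issuer bounds the window with the token’s NotBefore/NotOnOrAfter conditions, but a relying party only benefits if it enforces them (and it can cap the issuer’s chosen lifetime further). The following is an added example, not code from the post or the paper; the SAML 1.1 namespace is real, while the token fragment, timestamps and limits are constructed.

```python
"""Relying-party check of a SAML 1.1 token's validity window (added example)."""
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

SAML1_NS = "urn:oasis:names:tc:SAML:1.0:assertion"  # real SAML 1.1 namespace

# Constructed assertion fragment with a 5-minute window; signature omitted.
SAMPLE_TOKEN = f"""<saml:Assertion xmlns:saml="{SAML1_NS}" AssertionID="uuid-constructed-1">
  <saml:Conditions NotBefore="2008-05-31T18:00:00Z" NotOnOrAfter="2008-05-31T18:05:00Z"/>
</saml:Assertion>"""

# Constructed assertion with no Conditions element at all (unbounded lifetime).
SAMPLE_TOKEN_NO_WINDOW = f"""<saml:Assertion xmlns:saml="{SAML1_NS}" AssertionID="uuid-constructed-2">
</saml:Assertion>"""


def parse_saml_time(value: str) -> datetime:
    """SAML timestamps are UTC xs:dateTime values ending in 'Z'."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def validity_window(token_xml: str):
    """Return (NotBefore, NotOnOrAfter) from Conditions, or None if either is missing."""
    root = ET.fromstring(token_xml)
    cond = root.find(f"{{{SAML1_NS}}}Conditions")
    if cond is None or "NotBefore" not in cond.attrib or "NotOnOrAfter" not in cond.attrib:
        return None
    return parse_saml_time(cond.attrib["NotBefore"]), parse_saml_time(cond.attrib["NotOnOrAfter"])


def token_is_current(token_xml: str, now: datetime, max_skew_s: int = 30,
                     max_lifetime_s: int = 600) -> bool:
    """Accept a token only if it carries a bounded window, that window is no longer
    than this relying party's own cap, and `now` falls inside it (allowing clock skew).
    A token with no window is rejected: its replay risk would be open-ended."""
    window = validity_window(token_xml)
    if window is None:
        return False
    not_before, not_on_or_after = window
    if not_on_or_after - not_before > timedelta(seconds=max_lifetime_s):
        return False  # issuer's validity policy is laxer than we are willing to accept
    skew = timedelta(seconds=max_skew_s)
    return not_before - skew <= now < not_on_or_after + skew
```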
It’s interesting to note that the exploit procedure requires restarts of the fraudulent web server. While this in itself can be automated, it does limit the rate of successful pharming incidents while the web server is unavailable. Virtualisation could alleviate this somewhat, creating a farm of pharming servers.
There’s also a mention of so-called Extended Validation (EV) Certificates and the question of whether such certificates (and corresponding browser support) can help tackle such attacks. As the researchers correctly point out, a usability study by Stanford University and Microsoft has shown that the introduction of EV Certificates in IE 7 has not significantly affected users’ ability to discriminate between valid and fraudulent web pages; user training remains the best way to highlight the on-going risks to users.
I haven’t tried the exploit against Microsoft’s own CardSpace provider, but I might evaluate this myself to see just how practical this pharming technique is.