Microsoft Opens Up Windows Live ID
randommsdev writes "Microsoft has announced the release of Windows Live ID Web Authentication. This means that WLID (formerly known as Passport) is now opened to third party websites to use as their authentication system. Any Windows Live user can potentially log in to a website that implements Web Authentication. Interestingly, sample implementations are available in the Ruby, Python, Perl, and PHP open source languages amongst others — tested on openSUSE 10.2 but expected to work on any platform that supports these languages. More details are available in the SDK documentation."
Re:No License? (Score:5, Insightful)
Copyright (c) 2007 Microsoft Corporation. All Rights Reserved.
and yeah, no license. So I guess implicitly you're not allowed to redistribute it at all.
Typical MS! (Score:1, Insightful)
With so many security and authentication issues inherent to MS products, this seems another case of marketing pushing faster/harder than the development teams can keep up with.
If it backfires for them, look for flying chairs...*ducks*.
Re:How long (Score:5, Insightful)
If a 'single sign-on' became everyone's only method of authenticating to anything, then it would make identity theft just too easy.
You can go to extreme lengths to protect all the sign-on pages in the world, but as long as there are people who will click on a 'your account will be deleted in 2 days unless you go to http://i.am.going.to.steal.your.identity.com/veri
I can't think of any way of preventing that problem without there still being the possibility of a "man in the middle" attack...
Re:How long (Score:4, Insightful)
The safeguards only work if the user is paying attention. It only takes a fraction of a percent of people to click a 'log in here with your bank of america credentials to see if you have won a prize' link and the scammers can make a profit, and will keep on scamming.
Still... if you've got a way around this that is truly idiot-proof, I'd like to hear it! The best thing I can come up with is that the banks themselves initiate the scam, and then send 'the boys' around to break the thumbs of anyone who falls for it, or otherwise punish the scammee (that's strange... my spell check says scammee isn't a valid word...).
It's much easier than that (Score:5, Insightful)
So, first check you should do whenever you're logging into a page is what? That's right, check the url. "http://login.live.com/login.srf?wa=wsignin1.0&rp
This page has none of those things. Well done Microsoft.
Oh, but it gets better. There's this link that says "Use enhanced security". I would have thought that "enhanced" security was a sensible default, silly me. It's not underlined, so you don't know it is a link until you hover your mouse over it, but it will take you to a https:// [https] page. Of course, the certificate it offers you is not for login.live.com, it's for graphics.hotmail.com. If you accept this certificate then you are basically saying that you're ok with trusting this data that didn't come from graphics.hotmail.com as if it did come from graphics.hotmail.com. Just for the hell of it, let's fire up this "enhanced security" page in IE and see what happens. Oh.. I see. We get no warnings. In fact, if we double click on the padlock we see that the certificate now IS for live.login.com. Hmm, what's going on here. Ahh, I see, half the content on this page didn't come from live.login.com, it came from graphics.hotmail.com.. so this isn't a secure site *at all*, it's a mixed domain site and IE's pitiful support for multiple certificates on a single page is happy to just ignore this (and doesn't even warn you).
XSS anyone?
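The two checks the comment above walks through by hand (does the certificate name the host in the address bar, and does the page pull content from other origins or over plain http) can be automated for a page you operate or audit. This is an added example, not code from the commenter or from Microsoft's SDK; the hostnames, HTML and certificate below are constructed, and the certificate is in the dict shape Python's `ssl` module returns from `getpeercert()`.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

class _SubresourceCollector(HTMLParser):
    # Elements that load content into the page or submit credentials out of it.
    LOADERS = {"script": "src", "img": "src", "iframe": "src",
               "link": "href", "form": "action"}
    def __init__(self):
        super().__init__()
        self.urls = []
    def handle_starttag(self, tag, attrs):
        want = self.LOADERS.get(tag)
        self.urls += [v for k, v in attrs if k == want and v]

def find_mixed_content(html, page_url):
    """Return (insecure, cross_origin) subresource URLs of an https page."""
    page_host = urlsplit(page_url).hostname
    c = _SubresourceCollector()
    c.feed(html)
    insecure, cross_origin = [], []
    for u in c.urls:
        full = urlsplit(urljoin(page_url, u))
        if full.scheme != "https":          # plain-http load: mixed content
            insecure.append(full.geturl())
        elif full.hostname != page_host:    # https, but served by another site
            cross_origin.append(full.geturl())
    return insecure, cross_origin

def cert_matches_host(cert, host):
    """Does the DNS SAN list of a getpeercert()-style dict cover host?"""
    host = host.lower()
    for n in (v.lower() for t, v in cert.get("subjectAltName", ()) if t == "DNS"):
        if n.startswith("*."):              # wildcard covers exactly one label
            rest = host[:-len(n[1:])] if host.endswith(n[1:]) else ""
            if rest and "." not in rest:
                return True
        elif n == host:
            return True
    return False

# Constructed sample: a login page on login.example.com that pulls assets
# from graphics.example.net, and a certificate issued to the latter.
SAMPLE_URL = "https://login.example.com/login.srf"
SAMPLE_HTML = ('<link href="/static/login.css" rel="stylesheet">'
               '<script src="https://graphics.example.net/js/ui.js"></script>'
               '<img src="http://graphics.example.net/img/logo.gif">'
               '<form action="/ppsecure/post.srf" method="post"></form>')
SAMPLE_CERT = {"subjectAltName": (("DNS", "graphics.example.net"),
                                  ("DNS", "*.example.net"))}
```

Run against a real site, the HTML would come from the response body and the dict from `getpeercert()` on the TLS socket; a non-empty `insecure` list or a failed `cert_matches_host` is exactly the condition the commenter found.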
OpenID (Score:5, Insightful)
I'd prefer to see the rise of OpenID [openid.net]. Now if Microsoft gave you an OpenID authentication point with your LiveID (preferably with something simple, like adding the OpenID <link> tags to login.live.com or even just live.com), that would be a feature worth using and supporting. And wouldn't require changing the sites that already support OpenID, including, AFAIK, the SixApart family of blogs.
With modern technology, diverse applications are a good thing (healthier market and better apps from consumer selection). Information, however, is more useful the more widely it can be read and used. Unless you are specifically trying to hide something.
Unfortunately, like Live ID, there seems to be more OpenID providers than servers that use them for authentication.
Re:OpenID (Score:3, Insightful)
It is worth noting that OpenID is a decentralized system, so you don't have to depend on a single ID provider.
Re:How long (Score:5, Insightful)
Secondly, as far as identity theft is concerned, my email accounts are already single points for attack. Once you have the email, the password recovery services will do your bidding. A single-identity-solution allows you to just shift this from email to some server which was created to keep and handle this data. What's more, you could be the one setting up that server... (not in the ms case but in the case of openid).
So, on the whole, single sign-ons can work and openid hopefully will. I don't even want to rtfa. If I can't decide who keeps my username password for my single sign-on, I am just not interested.
Re:How long (Score:2, Insightful)
It's a pity that OpenID somehow doesn't take off as many expected and I don't think a Microsoft solution will either. Google comes to mind as one company that could probably do it successfully.