Passport Passwords Stored in Plaintext

Joseph Ashwood ashwood at msn.com
Fri Oct 5 14:22:31 EDT 2001


----- Original Message -----
From: "bernie" <metaphone at eudoramail.com>

> Some of the people here want to use .NET for critical applications.

I'm sorry.

> How secure is the .NET?

The short answer is that it isn't secure. There are two main problems with
it being secure. The first is the password vulnerability that you replied
to. The second is that it uses a custom blended Kerberos-esque
implementation. I say Kerberos-esque because it has some significant
problems. First, it uses RC4, a cipher which is increasingly being considered
insecure, and in using it Windows doesn't take the precautions necessary to
make it secure. They are the only company foolish enough to have embedded
access control information in the Kerberos ticket; this adds even more
leaking information, and just enough of it to determine the user's password.
Basically they have made nearly every effort to eliminate the security of the
system while making it appear secure to a layman. For further evidence that
Microsoft can't do anything secure I point to (in no particular order) IIS,
PPTP, PPTP2, Internet Explorer, Outlook Express, Windows 95, Windows 98,
Windows ME, Windows NT, Windows 2000, and, while I haven't verified it yet, I
believe also Windows XP. Some of these probably need some explanation: IIS
is the script kiddie's choice; it has more holes than a pound of Swiss cheese.
PPTP was severely broken; PPTP2 was slightly less severely broken. Internet
Explorer has had so many security vulnerabilities I can't even count that
high. Outlook Express is a virus writer's dream. Windows 95 offered no
security, same with 98 and ME. Windows NT is subject to extremely basic
attacks on the password system that Microsoft refused to recognise, same
with 2000, and probably the same with XP. In 2000 MS introduced a "secure"
encrypted filesystem which lacked any reasonable ability to encrypt
documents securely (it put the keys in a file in plaintext, and the file is
easily readable). Even the CryptoAPI that Microsoft designed and offered has
holes in it, allowing arbitrary code to be run in place of what the
programmer intended. I am unaware of anything Microsoft has ever written
that could be considered secure, and there is evidence that they plan to
continue this less than stellar performance with .NET.
                    Joe




---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at wasabisystems.com