TalkBMC: Jeff Bohren, The Identity Management Expert

Dave Wags the Dog
In the latest issue of Dave Kearns' newsletter, "Setting the record straight on Sxip patents", he talks about the patents that Sxip Identity has applied for, which appear to cover OpenID. He relates that Dick Hardt assured him that Sxip Identity will be issuing non-assertion statements on OpenID soon. Of course I find it odd that a company would spend the time, effort, and money to pursue IP that it doesn't intend to enforce. But that's just my suspicious nature.

But that's not what I found really odd about Dave's email. Toward the end Dave flogs Sxip's password management plug-in Sxipper (I blogged about it previously here). Now Sxipper doesn't yet support IE, just Firefox. Not to be discouraged, Dave allows:

But, for me, it’s the most-compelling reason to install Firefox as your primary browser. Sxipper has improved greatly in usability and functionality since I started using it last fall and now I’d be severely impacted if it were no longer available to me. It’s really the best, if not the first, user-centric identity tool.

Dave Kearns

Boy, talk about the tail wagging the dog! Install Firefox just to have Sxipper? Dave has it backwards. The lack of support for my browser of choice (actually BMC IT's browser of choice) is the best reason for me not to use Sxipper. As if I needed another reason not to use a product that stores my passwords in a reversible form that can be easily recovered in clear text by anyone with access to my computer. I guess I missed the point at which storing your passwords in such an insecure fashion became a security best practice.

In all seriousness there is an important issue here. I, like all BMC employees, have a corporate PC for which BMC IT has administrative access. If I installed Firefox on my laptop and used Sxipper, then some BMC IT person could potentially access all my Sxipper enabled passwords. It’s not that I don’t trust my system administrator; I’m not even sure who that would be. I have to trust BMC IT with BMC property. I don’t have to trust them with my personal passwords, and I don’t.

Suppose you use Firefox/Sxipper in an office environment. If you go to lunch or home and don't lock your PC, a co-worker can sit down, open the Firefox Password Manager, and recover your passwords in clear text.

It’s not uncommon for workers who are terminated or laid off to not be given access to their work PC after they have been notified. What’s to stop an administrator from changing their password to a known value, logging into their box and having Firefox cough up their passwords?

Or suppose your laptop gets stolen. The OS is password protected, but someone could pull the drive out, put it in an external enclosure and recover your passwords directly from the Password Manager database. The OS login password never enters into it: unless the key protecting the saved logins is derived from something that is not on the disk (a Firefox master password, for instance), the key material sits in the profile directory right next to the data it protects.

Even if you restrict your use of Sxipper to a non-portable home computer there are still serious security issues. There are several reported exploits for getting Firefox to replay the user's saved passwords, by automatically filling them into a form, if the user is phished to a malicious site. And since Sxipper is also an OpenID Provider, you could be risking not only your passwords for password-protected sites, but access to any OpenID-enabled site you have registered your Sxipper OpenID with.
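As an added illustration of the replay problem (this is not the original post's code, and it does not claim to reproduce the specific Firefox exploits the post refers to), here is a model of the autofill decision a password manager makes. One general way a saved password gets replayed is a login form on a page whose origin matches the saved credential but whose action posts somewhere else; a naive policy fills because the page origin matches, while a hardened policy also checks where the form submits. The saved login, page URLs and form actions are constructed; the code uses only Node's built-in URL class.

```javascript
// Added example (not from the original post): naive versus hardened autofill policy.

// Constructed sample: one saved login for a forum.
const SAVED = { origin: 'https://forum.example.com', user: 'jeff', password: 'hunter2' };

// Naive policy: the page origin matches the saved origin, so fill the form.
// A page on that origin (user-supplied HTML, an injected form) that posts to an
// attacker's host then receives the password on submit.
function naiveAutofill(saved, pageUrl, form) {
  if (new URL(pageUrl).origin !== saved.origin) return null;
  return { ...form, filled: saved.password };
}

// Hardened policy: additionally require that the form's action, resolved against
// the page URL, lands on the same origin over HTTPS. Refuse otherwise.
function hardenedAutofill(saved, pageUrl, form) {
  const page = new URL(pageUrl);
  if (page.origin !== saved.origin) return null;
  const action = new URL(form.action || '', page); // relative actions resolve against the page
  if (action.origin !== saved.origin) return null;
  if (action.protocol !== 'https:') return null;
  return { ...form, filled: saved.password };
}

module.exports = { SAVED, naiveAutofill, hardenedAutofill };
```

The action check closes the cross-origin-post case, but script running on the page can still read whatever the manager fills in, which is why requiring a user gesture before filling is the other half of a defensible policy.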

Should we really be recommending a course of action that has so many security risks?

The Moral: never convert a "Something you Know" credential into a "Something you Have" credential.

BTW, the Sxip patent applications made public so far include:

  • 20070143860 - NETWORKED IDENTITY FRAMEWORK
  • 20060005263 - Distributed contact information management
  • 20060005020 - Graduated authentication in an identity management system
  • 20050283614 - Distributed hierarchical identity management system authentication mechanisms
  • 20050283443 - Auditable privacy policies in a distributed hierarchical identity management system

If you are involved in a product in any of these areas, you might want to look at these.

Update 7/20/07: Fixed an error in Dave Kearns' name in the first sentence.


Wednesday, July 18, 2007  |  Comments (2)

passwords

Posted by dave kearns at 2007-07-18 19:43
So, Jeff, what do you use as your password safe? Or do you write them all down on stickys? :)

Spelling...

Posted by David Kearns (Not Dave Kearns...) at 2007-07-19 11:12
Although it's a minor point, I think the proper way to make "Kearns" possessive is "Kearns'" or "Kearns's" depending on your school of thought, but not "Kearn's".