colin dellow's bln

• Better Bitters Brewery

  Despite being a small microbrewery, Better Bitters (maker of the tasty Nickel Brook Green Apple Pilsner) was eager to give us a tour. Or rather, the owner, who was a very affable guy named John Romano, was eager. Despite being busy, John walked us through the process they used to create great beers and even included a sampling of how beer tastes at various stages in the production process. Consummate small business attention to the customer throughout -- we've since finished the six cases we picked up from him. I wonder if they have Nickel Brook in the States? ;)

• Feedjit

  Feedjit is some new whiz bang web 2.0 thang. What kind of thang in particular is not important.

  What is important is that after e-mailing the creator about a bug, I got a response confirming the existence of the bug and apologizing for it within 2 minutes. The bug was fixed within an hour. I received an email from the creator notifying me within an hour of that. Impressive!

Having demonstrated how CookieInjector works on a day-to-day basis, the next question is: how do you tell CookieInjector what your passwords are? How do you get that snazzy Cookie Monster card?

By using the CookieInjector Configuration tool, as demonstrated in the following screencast.

Labels: cardspace, cookieinjector

I've got a first cut of an end-to-end CookieInjector session - check out a sample video below, where I log in to Gmail and Quest (my university's student management system). When logging in to Gmail, I actually log in twice, to demonstrate that separate sessions are being created.

Note that the Cookie Jar claim value holds all the cookies needed to log in, but the display value is simply a hash of the cookies. It's basically a placebo for the user so they know that something happened.

When logging in to Quest, I skip the preview/retrieve steps and do a one-click log in.



This demo should illustrate the concrete improvements that CookieInjector and CardSpace give us:

• consistent UI for authentication to different websites
• centralized tracking of authentication
  
  • ...you can't see it, but my IP/STS records every time I authenticate to a specific service
• and, of course, you never need to enter a primary, long-lived password at a web site!
  • ...this has other ramifications, too: if I want to allow my housemates access to the online portals that show our internet, cable, and power bills, I can do that by granting them their own cards that are allowed to authenticate to a subset of my accounts

Labels: cardspace, cookieinjector

While studying for my ECE 493 exam, I accidentally stumbled on to two large security holes at a major multinational utility provider and a major multinational bank.

I wouldn't care, but c'mon, with revenues like they have, surely they can afford a code review or two.

Labels: cookieinjector, ece493, security

CookieInjector can now log me in to Bank of America, Bloglines, DreamHost, Facebook, Gmail, RBC and TD Canada Trust. I am deeply indebted to Eric Lawrence for his Fiddler HTTP/S traffic sniffer.

One major lesson I have learned: banks have convoluted, mostly-broken web sites.

So far, I just have two of the components functioning:

1. The library component to securely store passwords, authenticate to sites, and return the list of cookies


2. The browser helper object to recognize when we are at a site for which my system can handle authentication

Still to do:

1. Extend the BHO to invoke CardSpace using my CodeCompete SSL cert


2. Write an IP/STS that shreds incoming requests, invokes the appropriate authentication, and returns the cookie

Now that CardSpace has an official icon, supported webpages automatically get the following overlay when the more secure form of authentication is available:

Labels: cookieinjector

Three things you may know about me:

1. My UW password (and thus, my GMail, TD Canada Trust, Bank of America, and cldellow.com passwords) were recently exposed by the ineptitude of my university


2. I dislike multi-factor authentication schemes that have become popular at banks recently. They aren't truly multi-factor and they result in more work for me.


3. CodeCompete, which started in May, is now finished, so I have a spare SSL certificate kicking around.

Granted, the widespread nature of (1) is my own fault. I trusted my university not to expose my password, and thus I was sloppy and used the same password in multiple places. Bottom line: accidents happen, passwords get leaked. Plan for it.

So, once bitten, twice shy. . .



The above is my vision of a tool I've named the Cookie Injector. It is composed of two parts:

1. An IP/STS residing on my machine, that knows all of my passwords and has the ability to automatically talk to web-based authentication servers (e.g., google.com, uwaterloo.ca) to exchange my passwords for HTTP session cookies; and


2. A C#.NET application that can invoke CardSpace to retrieve a token from the above IP/STS, extract the session cookies, and inject them into Internet Explorer on the given computer

Ideally, this will allow me to:

• have different passwords for google.com, microsoft.com, tdcanadatrust.com, bankofamerica.com, and uwaterloo.ca; and


• not remember a single password, ever; which means:


• I'll never type a high-value or long-lived password into an untrusted machine


• I'll have complex, hard-to-remember passwords


• ...which can change on a weekly basis, automatically

I'll be tinkering with this over the next month or so, and will publish any interesting progress.

Labels: cardspace, cookieinjector

UW has a tool called Kiwi that allows you to authenticate to federated systems as a UW student.

Unfortunately, Kiwi logs your userid and password to a file when you log in.

Unfortunately, Kiwi's logs were world-readable.

Yep, we sure are good at that there CS thang.

...21 weeks after I filed it, and right before I start working again. Thanks for nothing, USA!