Wednesday, August 15, 2007

CookieInjector, part 4

Having demonstrated how CookieInjector works on a day-to-day basis, the next question is: how do you tell CookieInjector what your passwords are? How do you get that snazzy Cookie Monster card?

By using the CookieInjector Configuration tool, as demonstrated in the following screencast.



Tuesday, August 14, 2007

CookieInjector, part 3

I've got a first cut of an end-to-end CookieInjector session - check out a sample video below, where I log in to Gmail and Quest (my university's student management system). When logging in to Gmail, I actually log in twice, to demonstrate that separate sessions are being created.

Note that the Cookie Jar claim value holds all the cookies needed to log in, but the display value is simply a hash of the cookies. It's basically a placebo for the user so they know that something happened.

When logging in to Quest, I skip the preview/retrieve steps and do a one-click log in.



This demo should illustrate the concrete improvements that CookieInjector and CardSpace give us:



Friday, August 10, 2007

CookieInjector: The Idea

Three things you may know about me:
  1. My UW password (and thus my GMail, TD Canada Trust, Bank of America, and cldellow.com passwords) was recently exposed by the ineptitude of my university

  2. I dislike multi-factor authentication schemes that have become popular at banks recently. They aren't truly multi-factor and they result in more work for me.

  3. CodeCompete, which started in May, is now finished, so I have a spare SSL certificate kicking around.

Granted, the widespread nature of (1) is my own fault. I trusted my university not to expose my password, and thus I was sloppy and used the same password in multiple places. Bottom line: accidents happen, passwords get leaked. Plan for it.

So, once bitten, twice shy...



The above is my vision of a tool I've named the Cookie Injector. It is composed of two parts:
  1. An IP/STS (identity provider / security token service) residing on my machine that knows all of my passwords and has the ability to automatically talk to web-based authentication servers (e.g., google.com, uwaterloo.ca) to exchange my passwords for HTTP session cookies; and

  2. A C#.NET application that can invoke CardSpace to retrieve a token from the above IP/STS, extract the session cookies, and inject them into Internet Explorer on the given computer.
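As an added illustration (not code from the CookieInjector project), here is a toy model of the token described here and in part 3: the Cookie Jar claim carries the session cookies, the display value is only a hash of them, and the client side extracts the cookies and refuses a jar that does not match the display value the user approved. The claim URI, the use of SHA-256 and the JSON stand-in for the SAML token are assumptions.

```python
# Added example, not code from the CookieInjector project: a toy model of the
# token it describes, with the Cookie Jar claim holding the real session
# cookies and a display value that is only a hash of them.
import hashlib
import json

# Hypothetical claim URI; the real CardSpace claim type is not given on the page.
COOKIE_JAR_CLAIM = "urn:example:cookiejar"


def canonical_jar(cookies: dict) -> str:
    """Serialize name/value pairs in a fixed order so the hash is stable."""
    return json.dumps(sorted(cookies.items()), separators=(",", ":"))


def display_value(cookies: dict) -> str:
    """What the identity selector shows the user: a SHA-256 digest (assumed
    hash), never the cookie values themselves."""
    return hashlib.sha256(canonical_jar(cookies).encode()).hexdigest()


def issue_token(cookies: dict) -> dict:
    """IP/STS side: stand-in for the SAML token, as a plain dict."""
    return {
        "claims": {COOKIE_JAR_CLAIM: canonical_jar(cookies)},
        "display": {COOKIE_JAR_CLAIM: display_value(cookies)},
    }


def extract_cookies(token: dict) -> dict:
    """Client side: rebuild the jar and refuse it if it does not match the
    display value the user approved in the selector."""
    jar = dict(json.loads(token["claims"][COOKIE_JAR_CLAIM]))
    if display_value(jar) != token["display"][COOKIE_JAR_CLAIM]:
        raise ValueError("cookie jar does not match approved display value")
    return jar


def cookie_header(cookies: dict) -> str:
    """Header line the injected cookies would produce on the next request."""
    return "; ".join(f"{k}={v}" for k, v in sorted(cookies.items()))


# Constructed sample session, not a real Gmail cookie.
SAMPLE_COOKIES = {"SID": "constructed-sid-123", "HSID": "constructed-hsid-456"}

if __name__ == "__main__":
    tok = issue_token(SAMPLE_COOKIES)
    print("display:", tok["display"][COOKIE_JAR_CLAIM])
    print("Cookie:", cookie_header(extract_cookies(tok)))
```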


Ideally, this will allow me to:

I'll be tinkering with this over the next month or so, and will publish any interesting progress.


