Microsoft Serves Up Security Services

Live Labs services hit developer hot buttons like authentication and peer-to-peer apps

They're live, but not exactly ready for prime time in the enterprise: Two new Web-based security services from Microsoft Live Labs are now available in beta for developers building Internet applications.

Microsoft Live Labs -- a partnership between MSN and Microsoft Research -- is offering Security Token Service (STS) and Relay Service, both part of what the company calls its "cloud services," or early test-phase technologies. STS is an authentication service; Relay Service provides secure, peer-to-peer connectivity for Web applications such as click-to-talk with voice-over-IP (VoIP).

These services aren't for the faint of heart. Developers using either service need a browser that supports Microsoft's still-to-be-announced InfoCard, such as Internet Explorer 7 Beta 2 or later; the authentication service additionally requires WinFX Runtime Components Beta 2. Microsoft's upcoming Vista desktop operating system will use these and other Live services.

A financial institution's online banking app would "call" STS to enroll and authenticate customers who want to bank online. Banking customers then register their personal data online using InfoCard, Microsoft's virtual information card technology (which hasn't yet been released). It saves the developer the work of writing her own authentication software, and it helps Microsoft, too. "Life is much easier if all users have Vista and IE7 on their PCs," with STS, says John Pescatore, vice president of Internet security for Gartner.

Microsoft Live Labs' Relay Service, meanwhile, gives apps like VoIP the ability to connect peer-to-peer across firewalls and network address translation (NAT) gateways that typically block inbound network connections. So a customer booking a reservation with an airline could hit a click-to-talk button that sets up a VoIP call to a customer service agent.

Microsoft says both technologies are being previewed by Live Labs, an applied research organization within the Windows Live group, but Live Labs is not actually hosting the services.

Like any service-oriented architecture (SOA) service, these Web-based services can come with security risks of their own. Consuming a hosted service is not the same as getting the software on a disk or online with updates and patches, Gartner's Pescatore says, and token authentication handles sensitive data. "With a service, how do you know you can trust that code and that there aren't vulnerabilities built into it or that Microsoft hasn't changed it the next day?" says Pescatore. "This is an SOA issue, not just a Microsoft thing."

The only way app developers can be sure it's secure is for Microsoft or other vendors providing these services to show third-party test results. "They need to come up with ways to demonstrate these services are safe to use or no one will use them," Pescatore says.

Microsoft has been there before. Its Passport single sign-on authentication service had its vulnerability problems early on. But Pescatore says if Microsoft builds and tests the new security services properly and provides developers assurances that they are airtight, it will be a win-win for developers and users. "This could provide tremendous security advantages," he says. "Otherwise, you might end up with 10 different versions of banking authentication out there. Reusing this technology instead of reinventing the wheel can lead to increased [online] security."

— Kelly Jackson Higgins, Senior Editor, Dark Reading

Companies mentioned in this article:

  • Gartner Inc.
  • Microsoft Corp. (Nasdaq: MSFT)
