As e-commerce proliferates, the need for a tool to help users manage authentication and personal information across a variety of sites becomes increasingly critical. Passport is an ambitious attempt to meet this need while requiring no changes to existing browsers and servers. However, the system carries significant risks to users that are not made adequately clear in the technical documentation available.
The bulk of Passport's flaws arise directly from its reliance on systems that are either untrustworthy (such as HTTP referrals and the DNS) or that assume too much about user awareness (such as SSL). Another flaw arises out of interactions with a particular browser (Netscape). Passport's attempt to retrofit the complex process of single signon to fit the limitations of existing browser technology leads to compromises that create real risks.
Some improvement is possible in Passport without violating the system's goals of supporting unmodified browsers. Rotating the keys used to encrypt cookies would significantly increase the difficulty of retrieving cookie contents, as would using the master key to generate encryption keys instead of encrypting all cookies with the same key. Requiring SSL for all transactions would eliminate the possibility of forged redirects (at the cost of significantly increased load on merchant servers). Replacing password-based authentication with a challenge-response scheme (such as HTTP digest authentication) would make it impossible for an attacker to reuse passwords to impersonate a user.
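The first two improvements above (deriving a separate key for each cookie from a master key, and rotating the master key) can be made concrete. What follows is an added example written for this page, not code from the paper or from Passport itself. It shows a cookie layout that carries a key-version field, HKDF-style per-cookie key derivation with HMAC-SHA256, encrypt-then-MAC protection of the cookie body, and rejection of cookies sealed under a version that has been retired from the key registry. The registry structure, the field layout, the `purpose` labels and the HMAC-in-counter-mode stream used in place of a real AEAD (such as AES-GCM) are all assumptions of this example.

```python
"""
Added example: per-cookie keys derived from a versioned master key.
Not Passport's code; the format and constructions are this example's own.
"""
import hashlib
import hmac
import secrets
from typing import Dict, Optional

TAG_LEN = 32    # HMAC-SHA256 tag appended to every cookie
NONCE_LEN = 16  # fresh per seal() call so equal plaintexts never repeat


def derive_key(master: bytes, purpose: bytes, cookie_id: bytes) -> bytes:
    """One-step HKDF-style expansion: HMAC(master, purpose || cookie_id).
    Different cookie_ids (and different purposes) yield unrelated keys,
    so recovering one cookie's key says nothing about another's."""
    return hmac.new(master, purpose + b"|" + cookie_id, hashlib.sha256).digest()


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode as a PRF-based stream (stand-in for AES-GCM)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out.extend(hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest())
        counter += 1
    return bytes(out[:length])


def xor(data: bytes, stream: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, stream))


def seal(master: bytes, version: int, cookie_id: bytes, plaintext: bytes) -> bytes:
    """Cookie layout (assumed): version(2) | id_len(1) | cookie_id | nonce | body | tag."""
    assert len(cookie_id) < 256
    enc_key = derive_key(master, b"enc", cookie_id)
    mac_key = derive_key(master, b"mac", cookie_id)
    nonce = secrets.token_bytes(NONCE_LEN)
    header = version.to_bytes(2, "big") + bytes([len(cookie_id)]) + cookie_id + nonce
    body = xor(plaintext, keystream(enc_key, nonce, len(plaintext)))
    tag = hmac.new(mac_key, header + body, hashlib.sha256).digest()  # encrypt-then-MAC
    return header + body + tag


def open_cookie(registry: Dict[int, bytes], blob: bytes) -> Optional[bytes]:
    """Returns the plaintext, or None for an unknown/retired version or a bad tag."""
    if len(blob) < 3 + NONCE_LEN + TAG_LEN:
        return None
    version = int.from_bytes(blob[:2], "big")
    master = registry.get(version)
    if master is None:          # version rotated out: cookie is simply rejected
        return None
    id_len = blob[2]
    hdr_len = 3 + id_len + NONCE_LEN
    if len(blob) < hdr_len + TAG_LEN:
        return None
    cookie_id = blob[3:3 + id_len]
    nonce = blob[3 + id_len:hdr_len]
    header, body, tag = blob[:hdr_len], blob[hdr_len:-TAG_LEN], blob[-TAG_LEN:]
    mac_key = derive_key(master, b"mac", cookie_id)
    expected = hmac.new(mac_key, header + body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):   # constant-time tag check first
        return None
    enc_key = derive_key(master, b"enc", cookie_id)
    return xor(body, keystream(enc_key, nonce, len(body)))


def demo() -> Dict[str, bool]:
    """Walk through issue, tamper, rotate; every entry should be True."""
    registry = {1: secrets.token_bytes(32)}            # constructed master key, version 1
    alice = seal(registry[1], 1, b"alice", b"PUID=1001;profile=shopper")
    bob = seal(registry[1], 1, b"bob", b"PUID=1002")
    results = {}
    results["alice_opens"] = open_cookie(registry, alice) == b"PUID=1001;profile=shopper"
    results["per_cookie_keys_differ"] = (
        derive_key(registry[1], b"enc", b"alice") != derive_key(registry[1], b"enc", b"bob"))
    tampered = bytearray(bob)
    tampered[-1] ^= 0x01                               # flip one tag bit
    results["tamper_rejected"] = open_cookie(registry, bytes(tampered)) is None
    registry[2] = secrets.token_bytes(32)              # rotate: introduce version 2 ...
    del registry[1]                                    # ... and retire version 1
    results["old_version_rejected"] = open_cookie(registry, alice) is None
    carol = seal(registry[2], 2, b"carol", b"PUID=1003")
    results["new_version_opens"] = open_cookie(registry, carol) == b"PUID=1003"
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

Keeping the retired master in the registry for a short grace period would let existing sessions expire gracefully instead of failing at the moment of rotation; the version field is what makes that choice available to the operator.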
In the end, Passport's risks may be inevitable for a system with its requirements. We believe that until fundamental changes are made to underlying protocols (through standards such as DNSSEC and IPSec), efforts such as Passport must be viewed with suspicion.