TPM could have saved Sarah Palin’s blushes

Posted by Ken Y-N on September 30th, 2008 at 02:38pm

When I first saw this article I thought it was a bit of cheap bandwagon jumping, but then the more I thought about the issue the more I thought this was actually a very valid proposal.

As you no doubt heard, Alaska Governer and US Vice Presidential candidate Sarah Palin got her email account hacked thanks to just a little bit of Google searching to answer the security questions posed by Yahoo! mail’s password recovery options. This highlighted a weakness in the secret question option, and there is also the issue of a government official allegedly conducting business through a free web mail account, but let’s skip over these issues and look at the main thrust of the post, how to make web mail user authentication stronger.

As this is a trusted computing blog, not surprisingly the solution is trusted computing. Many existing corporate login solutions already use smart cards or other hardware token-based systems, but do you really want to carry a GMail card, a Hotmail token, and all the rest, and can they afford to give away a token to access free email? However, since most corporate computers these days have Trusted Platform Module (TPM) chips in them, why not use them instead?

With about quarter of a billion TPM-chipped computers on the net, it’s hardly a niche market, and since the TPM standards are open and vendor neutral, there is no danger of lock-in from using these chips.

Steven Sprague, the president and CEO of Wave Systems and the author of this article argues that adding TPM-based authentication to Yahoo! or other systems is a quite simple task, and once it is implemented the incremental cost per user is minimal, for both the service provider and the consumer. His call to action is thus:

• Announce planned support for Yahoo login to use the TPM
• Work with the OEMs, software vendors and customers to implement simple enrollment and use models
• Provide optional support for TPM as a global authentication mechanism to Yahoo mail and all other Yahoo services
• Join the Trusted Computing Group to enhance and deploy the standards that are already broadly available

It’s a compelling argument, and as a modest proposal to extend this idea, companies could develop or purchase from Yahoo! (or whoever jumps first) an email forwarder that encrypts internal mail when forwarding to Yahoo!, and on the client, automatic decryption on download from Yahoo!, so neither Yahoo! nor the wire sees plaintext email, thus allowing employees to securely use Yahoo! for forwarding company mail.

Read the full story at scmagazineus.com.

Tags: email, sarah palin, steven sprague, wave, yahoo!

Under Advocacy Tags: email, sarah palin, steven sprague, wave, yahoo!