GNUCITIZEN has an article on Live Mesh up, a product I have been thinking about as well.  Some folks like Joel Spolsky seem to think it is a failed idea to begin with, but from a user standpoint I have been hoping for a seamless means of synchronizing data easily across many devices, which is exactly what Live Mesh ultimately hopes to do.  I have used several solutions in the past, everything from the SyncXP/SyncVista power tools, to custom scripts that first synchronized to xdrive and then skydrive.  All of the solutions sucked for various reasons, and from my experience with Live Mesh, many of the things I have hated in previous solutions have been mitigated.

There are multitudes of security concerns with the product though, but I think GNUCITIZEN misses many of these:

1) It is based on Microsoft Live ID. This means that if someone hacks into your WebMail they essentially hack into your network as well. Cross-site Scripting attacks does not look that harmless now, do they? That messages is intended for all haters.

2) It works form the browser using SilverLight. This means that everything is accessible via the reach GUI environment of .NET. Sweet! Files, documents, etc.

3)It uses HTTP enhanced RDP to provide remote desktop connectivity. As the video on Channel 10 suggest, It bypasses the firewall! Now this is interesting. I wonder how my RDP shell injection attack will work here.

I think these three things are blown WAY out of proportion.  Point 1) seems to not understand how Live ID works.  It is really a glorified token granting service similar to kerberos.  It does not grant a unified sessionID that would allow the whole federation to be compromised by stealing the session out of the cookie (the cross domain restrictions on cookies would be an issue that would prevent a third party session ID from working to begin with).  Compromising one website to steal the LiveID token would not translate into compromising all LiveID websites.  In terms of XSS, Live Mesh has a very limited attack surface, so it is probably going to be quite difficult to get its specific LiveID token for a user.  

Now I think single sign-on is a really bad idea in general anyway, but not because to the fear of stealing sessions.  It puts all eggs in one basket- if the credentials are ever compromised then the user is screwed.   Phishing is my great fear with SSO attempts, though CSRF is also quite worrisome (as the chance that the user is logged in increases).  Having played around with Office Live quite a bit, MS seems to be expiring sessions fairly often to mitigate CSRF though.

I don’t understand point 2).  Yeah, the experience is much richer, but it is also sandboxed a great deal more than something all ajax-ified.  By this I don’t mean sandboxed from the system, but rather from the browser.  It puts a logical boundary between the application and the browser.  From a user experience standpoint this isn’t always great, since it presents the experience of another application that just happens to be open in the browser tab, rather than an application integrated with the browser functionality (which is why I HATE 90% of flash sites).  From a security standpoint, assuming no vulnerabilities in this boundary, the application is more protected from typical DOM focused attacks. 

Point 3) isn’t a new issue.  RDP already has firewall exceptions in its current state, it doesn’t really matter that it is going over port 80 rather than 3389, other than the traffic may not be as heavily scrutinized as it would otherwise be.

So those issues aren’t what bothers me a great deal.  They could be vulnerable, but I think that is less likely than with traditional web apps rather than more.  What bothers me is that the attack surface for this thing is HUGE for a consumer.  Every synchronized client, as well the website, are potential attack points.  The threat model must be crazy.  Moreover, the setup is a great way to propagate viruses (infect one file, have it auto-synchronize) to all of a user’s machines (and potentially smart devices), and while MS likely scans files for malware it necessarily has to be signature based (Skydrive and Office Live both do I believe, so that neither service can be used to distribute malware).  Signature based scans, like all blacklists, sucks.  So I think there are a lot of concerns with the product, things researchers should look into, but traditional web application attacks aren’t the most glaring worries in my mind.

~ Joshbw