So I'm a couple days behind on my /. reading... I was reading and came across a link to how Microsoft passes GUIDs between domains. At first I wasn't too concerned. The authentication system I built has very similar behavior in how it passes identity information between servers. The key difference is that my system uses it to transfer credentials, which are unique per site and only given to trusted sites or less trusted after verifying it's OK with the user. The scary part is a GUID is shared everywhere, and Microsoft will give it to anyone who asks. For example if you go here you'll get right back to my site but you'll note your GUID in the URL. And of course in my web server logs... Fun, huh? The explanation about that URL is at the very bottom of the page at that first link.
Copyright ©2000-2008 Jeremy Mooney (jeremy-at-qux-dot-net)
On further review, it seems the GUID is generated new unless passed along, which contradicts the findings in the article. Makes one wonder what the point is then.