Federico Boerr’s Blog



Implications of using CardSpace on an unsecure connection (without SSL)

As Vittorio wrote in his blog, choosing to use CardSpace over unsecured HTTP connections has two major consequences:

1 - Data is not encrypted: anyone listening on the wire can read the messages.

2 - The domain is not authenticated by any authority.

He wrote: “So, let me stress this one more time: we are still using asymmetric cryptography here. The UniqueID check is as solid as it is with HTTPS; losing the transport encryption does not affect it.”

The identity used for authentication can still be verified, because only the user requesting authentication holds the private key that signs the PPID.

The second consequence is the bigger threat: a man-in-the-middle attack becomes possible, because no Certificate Authority vouches for the domain the user is connecting to.
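To make the first point concrete, here is an added example (not code from this post or from CardSpace itself) of the signing argument: a relying party checks the signature on a token with the user's public key, so the check comes out the same whether the token was read off plain HTTP or not, while an eavesdropper who saw it in the clear still cannot alter it. The RSA primes, the token layout and the PPID value are constructed stand-ins for illustration.

```python
import hashlib
import json

# Toy RSA key pair standing in for the user's card signing key (constructed:
# the primes are far too small to be secure; they only keep the arithmetic visible).
P, Q = 104729, 1299709
N = P * Q
E = 65537                            # public exponent, known to the relying party
D = pow(E, -1, (P - 1) * (Q - 1))    # private exponent, held only by the user

def token_digest(token: dict) -> int:
    """SHA-256 over the canonical JSON form of the token, reduced into the toy modulus."""
    raw = json.dumps(token, sort_keys=True).encode()
    return int.from_bytes(hashlib.sha256(raw).digest(), "big") % N

def sign(token: dict, private_exponent: int = D) -> int:
    """User's side: only the holder of D can produce this value."""
    return pow(token_digest(token), private_exponent, N)

def verify(token: dict, signature: int) -> bool:
    """Relying party's side: needs only the public key (E, N), never the transport."""
    return pow(signature, E, N) == token_digest(token)

# Constructed token: a PPID presented to a relying party. Real CardSpace tokens are
# signed SAML/XML; this dict is a stand-in that keeps the signing argument intact.
TOKEN = {"ppid": "PPID-CONSTRUCTED-0001", "rp": "http://example.org"}
SIGNATURE = sign(TOKEN)

def eavesdropper_reads_ppid(wire_token: dict) -> str:
    """Consequence 1: on plain HTTP the token crosses the wire unencrypted, so it is readable."""
    return wire_token["ppid"]

def tampered_token_rejected() -> bool:
    """Without D, an altered token cannot be paired with a valid signature."""
    altered = dict(TOKEN, ppid="PPID-ALTERED")
    return not verify(altered, SIGNATURE)
```

The signature check passes identically whether the token travelled over HTTP or HTTPS; what it cannot tell the relying party is which site the user believed it was sending the token to, which is the gap the second consequence describes.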

