Mozilla BrowserID: Decentralized, Federated Login
An anonymous reader writes "Mozilla Labs has just launched the prototype of its BrowserID project and the accompanying Verified Email Protocol standard. Basically, BrowserID is a browser-based federated login provider like Facebook Connect, but without the privacy leaks. Fundamentally, BrowserID is public key encryption. You register an email address with your browser, which is then confirmed with a standard 'click here to confirm' email. A public/private key pair is then generated; your browser keeps the private key, and your email provider keeps the public key. Now, when you visit Facebook (or any site that supports BrowserID), your browser gives Facebook your email address and an identity token signed with your private key. Facebook queries your email provider for your public key, decrypts your identity token, and logs you in — voila, secure, private, browser-based logins. Oh, and the prototype is written in HTML and JavaScript — so it works across every modern browser, too."
This does nothing to protect my anonymity.
yeeeeeeeeeeeeeeeeeeeeeeeeeeessssssss!
finally. thank the deities.
Ah, so when I have to reinstall my OS due to HDD death or OS death and for whatever reason, can't save my profile app data files (depending on where it stores the key)... then what?
Will I just be able to do a "Forgot my password" type action to regenerate a private key?
Wow, talk about irony. I've heard that they're still popular in some countries, but for god's sake, who uses internet cafes "these days"?? Just buy a laptop and go to a real cafe!
As I understand it, the browser keeps your private key in your profile, just as it keeps your bookmarks and cookies in your profile. And as the protocol spec states: "It does not forbid synchronization" of the private key across devices. So back up your profile.
Please don't leave cookies in an internet cafe. You're asking for trouble.
So this system just gives your verified email address to whatever site wants to have it?
Slashdot social media options: AIM, ICQ, Yahoo, Jabber and Mobile Text. Why no MySpace?
Not sure if you're trolling or not (you probably are), but in 2nd and 3rd world countries Internet Cafes and cellphones are the primary means of Internet access...
The biggest problem with the current "e-mail address as username" is spam. So how does this prevent the site in question from selling my e-mail address to spammers?
isn't the browser basically the most targeted piece of software on a computer? if the private key is stored in the browser, doesn't that mean that potentially one successful exploit in the browser would let a hacker log into any website as you?
and what's to stop malware from stealing your private key?
or a man-in-the-middle attack?
is there a passphrase you'll use to open it each time you launch the browser?
how about when you use another trusted computer?
a public computer?
So wait - why doesn't this use the existing PGP web of trust and software?
And how does it mitigate the MITM/Phishing attacks that plagued OpenID?
I'm skeptical, but encouraged to see some efforts here...
Semantics is the gravity of abstraction
So where does this leave Internet users whose e-mail providers decline to implement Verified Email Protocol?
My browser will automatically provide my e-mail address? The very thing I do NOT want to provide when signing in with the majority of sites?
Also, as a web developer, I think it is a real bad design error to use an e-mail address as a login. What happens if you change your provider? Do you log in with your new (thus unknown) e-mail address? Or do you want to send the lost password to the no longer existing one?
Nae king! Nae laird! Nae yurrupiean pressedent! We willna be fooled again!
... that privacy nuts will cry their asses off at this?
A million, 2 million, a billion?
This idea extended to the level of ISPs would be significantly more useful as well.
ISP level credentials could be used for banking and stuff that requires actual, personally identifiable information to be correct.
No information is leaked to the sites themselves.
Say, if site.com wanted to do transaction, it forwards the details TO the ISPs banking page, which then does all the hard work of verifying stuff before sending the transaction on to banks.
This would take a huge strain out of internet banking being inconsistently done on so many sites, headaches with unsupported cards, and it might actually annoy Paypal, which is equally hilarious and good for us all.
Plus, it'd cut down a huge amount of phishing if you got actual customers involved with checking their stuff often. Have portals to every card site so you can check and verify that you did indeed make that purchase for a dragon dildo or whatever.
Will it be done? Hell naw. Privacy nuts already killed it before it will be attempted.
They'll probably be on this in a heartbeat.
Thanks, you loonies. Hope your details get stolen, I'll laugh harder than when that idiot posted his SSN to prove his security system worked and failed.
Well then you don't use this system in an internet cafe. I don't use my fingerprint scanner outside my house, I just have to remember a password, urgh
Seems Mozilla is back on the straight and narrow and innovating ideas again. They lost their way for a long time, and allowed Google in. Glad to see they are back in the game and giving Chrome competition. After all, Mozilla are the only ones out there who actually genuinely care about web and want it to thrive into something even more beautiful. Microsoft and Google both have their own personal agendas.
Mozilla doesn't know how people use browsers these days. How the fuck is this going to work in an Internet cafe for eg?
Apparently neither do you. They'll be around for a bit, but internet cafes of the past are a dying breed replaced more and more by restaurants and coffee shops with wifi. With the price of wireless hardware dropping, people are getting their own devices. Even in the 3rd world people aren't buying hardline access. If you can't afford your own phone, people just buy a sim card and then rent a phone when they need to call or check messages. (yes that's really how it's done, at least in Afghanistan)
Of course, since the point of something like this is security, rule number one should be to not use it on untrusted hardware. Now of course the phone isn't any more trusted, but the mobile version can at least store the user's private key on their sim card. Until the phones are compromised to copy people's private keys and passwords.
Any decent public key system will still require password access to the private key. This can at least delay the compromise of a user's private key, until they use it on a compromised keylogging computer.
Not sure what the fuss is about.
Sincerely,
AC
Don't know, if you want to use your cell phone you may be able to sync your keys to that browser, however if you are really going to an internet cafe, maybe you should remember your password.... So you hate this extra security, because your choice in browsing is innately insecure... No one's problem but your own.
When you can't win, ad hominem.
they get access to all your shiznit.
OOoops! too late your browser has already given you up...
And what if you need to have multiple identities?
Rick B.
I remember seeing another Mozilla video about good password habits. One of the pieces of advice given was to pick a "base" password and add a couple different letters depending on what site you were signing up for (somehow incorporating the website name), this way your passwords would be different across all the sites you visit, and one being compromised wouldn't necessarily mean that your entire online identity would be gone.
However, this BrowserID seems to function (from strictly a user standpoint) as a password manager would. You have one global password that logs you into each and every site. So aren't we back to square one? Isn't that a Bad Thing? Or is there something I'm missing?
And will this make attacking the browser even more lucrative? Things are already pretty bad.
I tried the demo at http://myfavoritebeer.org/ and the result was:
"Error encountered while attempting to confirm your address. please try again. (error message: unknown)"
It has been done before. It is Microsoft CardSpace.
It can be the same as with username/password authentication: when you log into your email provider, you see a box that says "store this login info", and you don't check it.
The number one way that passwords are now being harvested is by attacking the client. If your browser stores the public key it now makes it really easy to steal your private key if your machine is broken into. All malware is going to attack this. How can this provide protection against that? With passwords at least the damage is limited to sites that I have logged into while the malware is installed and the malware will have to wait until I use these sites. With the new system it will be trivial to collect all your passwords. I only see this as being useful for low risk sites like Facebook, but not banking or anything similar. Can they add something like a smart card reader where the private key is stored there and a PIN (I guess this ruins the point of it). Better yet encrypt the private key with a one time key that is tied to your cell phone, this way there is a standardized authority on the keys and I don't need one device on my key chain for each thing I log into. Seems like this is the start to a good idea, but needs two factor authentication added. One factor authentication is just not cutting it these days.
You've reinvented client certificate auth, with a lookup layer...
Got damn Feds is getting involved in everything these days.
Hell, pretty soon they're gonna be all up in my Social Security and Medicare. That's why I'm a-voting for that pretty Mi-chele Bachmann. And let me tell you, I'd like to show her what a real man is. You know she ain't getting it from that big homo she's married to. And by homo, I mean gay as pink ink. Dude has to tie weights to his shoes so they don't float right out of the closet. He's queerer than a box of monkeys on DMT. Gay cubed.
You are welcome on my lawn.
I am a free man!
Because that private key would never be accessible to crackers....no.
This is essentially using a soft cert with the difference being authentication is in the HTTP protocol instead of SSL negotiation. Everything else is the same:
1. Trusted 3rd party signs a certificate that you store in your browser
2. The browser has a "Selector" to let you choose the cert based on acceptable signed 3rd parties
3. The cert can be expired or revoked
4. You have the same issues with CRL checking: if my "key" is compromised and I have my provider revoke it before it expires, the RP still needs to validate it against a revocation list at some point
When creating browserid I need to provide email address and password. What is the password for? Seems pointless, since I verify my identity via link in email
With traditional login, I can usually change the email address for an account as long as I remember the password (or answer to "secret question", or out-of-band verification such as SMS). When email becomes the primary key and everything is bound to it, what do I do when I realize someone has had access to my email account?
But what exactly does this get me over SSL Client Certificates?
Frankly, I don't entirely understand why the world hasn't started using SSL Client Certificates, and I wonder what will make people use this scheme, when client certificates have lain unused for so long.
Who gets to pick the key size? So far the user doesn't have enough input into this decision.
The Mozilla people should have had some very serious conversations with people working in the spam/phish/botnet space before going down this road. It doesn't matter how clever or robust this scheme is, in the contemporary environment it's absolutely worthless.
In fact: it's worse, because it provides a new attack vector to people who have already demonstrated that they're very adept.
It had damn well better be done locally, or you have no guarantee that your private key is actually private. Are they going to write the keygen code in Javascript?
General Relativity: Space-time tells matter where to go; Matter tells space-time what shape to be.
Where Facebook rejects ALL traffic associated with a browser I am using?
"Flyin' in just a sweet place,
Never been known to fail..."
Really amazing how full of manure the Mozilla team can be. I mean, they can barely keep up with their own roadmaps and yet they can come with a solution that is safe. Safe like the browser updated blacklisting? Safe like going SSL, because TLS is too much and nobody made a lib they can use?
Technically, this is using public/private key pairs to do digital signature verification, not encryption and decryption.
http://en.wikipedia.org/wiki/Digital_signature
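The login flow from the story summary, with the sign/verify distinction made in the comment above, as an added Node.js sketch that is not part of the thread and not Mozilla's code. The Ed25519 keys, the in-memory `providerKeys` directory, the `audience` and `expires` fields and all function names are assumptions of this sketch.

```javascript
// Added illustration, not BrowserID's implementation.
const crypto = require('crypto');

// Constructed stand-in for the email provider's public-key directory.
const providerKeys = new Map();

// Browser side: generate a key pair, keep the private key, publish the public key.
function registerEmail(email) {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('ed25519');
  providerKeys.set(email, publicKey);
  return privateKey;
}

// Browser side: sign an identity assertion. Binding it to one site (audience)
// and a short lifetime (expires) is an assumption of this sketch.
function makeAssertion(email, audience, privateKey, ttlMs = 120000) {
  const payload = JSON.stringify({ email, audience, expires: Date.now() + ttlMs });
  const signature = crypto.sign(null, Buffer.from(payload), privateKey).toString('base64');
  return { payload, signature };
}

// Site side: fetch the public key for the claimed address and verify the
// signature over the payload. Nothing is decrypted at any point.
function verifyAssertion(assertion, expectedAudience, now = Date.now()) {
  let claims;
  try { claims = JSON.parse(assertion.payload); } catch { return null; }
  if (!claims || typeof claims.email !== 'string') return null;
  const publicKey = providerKeys.get(claims.email);
  if (!publicKey) return null; // unknown address, or key withdrawn by the provider
  const ok = crypto.verify(null, Buffer.from(assertion.payload), publicKey,
                           Buffer.from(assertion.signature, 'base64'));
  if (!ok) return null;                                  // forged or altered payload
  if (claims.audience !== expectedAudience) return null; // issued for another site
  if (typeof claims.expires !== 'number' || claims.expires < now) return null;
  return claims.email;
}
```

Removing an address from `providerKeys` makes every later verification for it fail, which is how the lookup step stands in for the revocation check raised elsewhere in the thread.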
I just saw this at the bottom of my /. page
Get more comments "119 of 118 loaded"
Race condition or faulty logic? I would prefer a race condition as it makes me feel like I just won the lottery.
Sounds interesting, but right now the role of identity provider seems to be limited to (to quote the page itself) "dudes like Yahoo!, Google, Twitter, Facebook, and even github".
Well, thank you, but I run my own server and I own my own domain and I want to provide my own identity.
So, call me again when there's a Debian package for that. Until that happens, I'm not interested.
Assorted stuff I do sometimes: Lemuria.org
I can't see how this is better than client certificate based logins, I wish major sites implemented this as an additional authentication method. You don't need an expensive CA to sign your certificate request, self signed certificates are sufficient. (Try this with OpenID provider http://www.clavid.com/)
I noticed Mozilla is not a member of the Kantara Initiative
Is there a plan to integrate this project with that?
Sorry to be the one to break the news to you, but the second world ceased to exist when the Soviet Bloc disintegrated in 1991. That was twenty years ago. Please stop misusing this obsolete term.
Shutting down free speech with violence isn't fighting fascism. It IS fascism!
Or get Google to maintain Gmail.com for you!
Gmail has a "user+@gmail.com" facility which you can use to simulate individual addresses per correspondent.
Let's say your email address is 'Example@gmail.com'. Simply give out 'Example+BankOfAmerica_2011@gmail.com' when registering on Bank Of America's website. The '+BankOfAmerica_2011' bit is completely made up by you. Now any emails sent to you by BOA show up in your Gmail inbox, where you can sort by recipient. The only issue is remembering the email address you had cooked up in the first place, when logging into their website. :) But naming conventions and browser autocomplete help.
Of course, anyone with knowledge of Gmail's convention can figure out your 'real' email address by stripping out the bit after the plus sign. So these addresses are not really untrackable.
Misread it.
Thought they were talking about de-centralized identity.
Basically about as polar opposite as possible.
I need a new browser, I guess.
Computer memory is just fancy paper, CPUs just fancy pens with fancy erasers; the 'net is just a fancy backyard fence.
1. If I use multiple computers, how do I log in? E.g. I'm at a friend's house, and log in in their web browser. THAT computer doesn't have my private key. Or if I regularly use public computers at a school.
2. If my computer is hacked, what happens to my key collection?
3. If my drive crashes, how do I recover my key collection?
4. If I regularly use linux, mac and windows real and virtual machines, how do I keep my keys sync'ed when Mozilla can't even do this with my bookmarks.
Third Career: Tree Farmer Second Career: Computer Geek First Career: Teacher, Outdoor Instructor, Photographer.
I use NoScript. The demo site requires code from googlecode.com to be permitted. While the Javascript provided by Google may be innocuous, I would personally not make this assumption. I don't think that it would be possible for it to get the private key, but I would suspect that it would do datamining which would reveal the email addresses in use.