Slashdot Mirror


Mozilla BrowserID: Decentralized, Federated Login

An anonymous reader writes "Mozilla Labs has just launched the prototype of its BrowserID project and the accompanying Verified Email Protocol standard. Basically, BrowserID is a browser-based federated login provider like Facebook Connect, but without the privacy leaks. Fundamentally, BrowserID is public key encryption. You register an email address with your browser, which is then confirmed with a standard 'click here to confirm' email. A public/private key pair is then generated; your browser keeps the private key, and your email provider keeps the public key. Now, when you visit Facebook (or any site that supports BrowserID), your browser gives Facebook your email address and an identity token signed with your private key. Facebook queries your email provider for your public key, decrypts your identity token, and logs you in — voila, secure, private, browser-based logins. Oh, and the prototype is written in HTML and JavaScript — so it works across every modern browser, too."

24 of 179 comments

  1. Re:Yeah but... by zero0ne · · Score: 2

    Nor does logging into your online bank account with a normal username / password. This looks to just be a wrapper for a more secure, trusted identity.

  2. Re:Yeah but... by andymadigan · · Score: 2

    You can still have pseudonymity, just sign up for an e-mail address and don't use your real name.

    --
    The right to protest the State is more sacred than the State.
  3. Browser keeps the private key? by Anonymous Coward · · Score: 2, Insightful

    Ah, so when I have to reinstall my OS due to HDD death or OS death and for whatever reason, can't save my profile app data files (depending on where it stores the key)... then what?

    Will I just be able to do a "Forgot my password" type action to regenerate a private key?

    1. Re:Browser keeps the private key? by tero · · Score: 3, Informative

      It's still one of those minor issues that is not "entirely ready" yet.

      https://github.com/mozilla/browserid/issues/17

    2. Re:Browser keeps the private key? by axx · · Score: 3, Funny

      Even better! Thanks to our convenient, safe and secure process, the private key will be calculated from your public key and sent back to you via email for you to store on your new computer!

      --
      No wit here.
    3. Re:Browser keeps the private key? by todrules · · Score: 2

      And how does this work across multiple devices? I have my work laptop, home laptop, and home workstation. From the summary, I don't see how this can work.

    4. Re:Browser keeps the private key? by whiteboy86 · · Score: 2

      and those blackhats can conveniently grab the user's private key via trojan or a hacked browser now

  4. Re:Bad idea idiots by BHearsum · · Score: 3, Insightful

    Not sure if you're trolling or not (you probably are), but in 2nd and 3rd world countries Internet Cafes and cellphones are the primary means of Internet access...

  5. i'm no security expert by Anonymous Coward · · Score: 5, Insightful

    isn't the browser basically the most targeted piece of software on a computer? if the private key is stored in the browser, doesn't that mean that potentially one successful exploit in the browser would let a hacker log into any website as you?

    1. Re:i'm no security expert by ArsenneLupin · · Score: 3, Insightful

      How is that different from now, where you can have the browser autocomplete the password for most login forms anyways? If the browser is hacked, the autologin password db is exposed too.

    2. Re:i'm no security expert by tftp · · Score: 2

      How is that different from now, where you can have the browser autocomplete the password for most login forms anyways?

      To begin with, my browser saves my password for Slashdot, but not for my bank. I make that decision.

      Secondly, when I connect to something from a remote, possibly untrusted location (like the work computer) I can choose to not store anything at all, and perhaps even run in the "private browsing" mode.

      This system would insist on having a private key, one way or another, for a login into a protected site. That private key is a file; once you store it onto the disk you never know that it had been successfully deleted - especially on a computer that is not entirely under your control. Today it's guaranteed that all private keys end up "in the cloud" - on Google, for example - because it is so easy, and in fact you need access to those keys all the time.

      If someone wants a single sign-on then they are welcome to this system. It is not any worse than any other form of a single sign-on.

      However I don't feel a need for such a system. I either remember my passwords, or I have them written down, or they could be encrypted on a separate device. I don't want any key material to land onto the HDD.

      The problem with server side security can be easily fixed by not storing plaintext passwords, for example. Or you can store whatever you want, but do it on a separate box that has no TCP/IP and can't be hacked. There are many possibilities, and they all permit you to have a separate identity for each Web site you visit - and you are in control of what identities, if any, you want to share among what kind of sites.

  6. Skeptical but encouraged by anarcat · · Score: 2

    So wait - why doesn't this use the existing PGP web of trust and software?

    And how does it mitigate the MITM/Phishing attacks that plagued OpenID?

    I'm skeptical, but encouraged to see some efforts here...

    --
    Semantics is the gravity of abstraction
  7. Let me get this straight by Errol+backfiring · · Score: 4, Insightful

    My browser will automatically provide my e-mail address? The very thing I do NOT want to provide when signing in with the majority of sites?

    Also, as a web developer, I think it is a real bad design error to use an e-mail address as a login. What happens if you change your provider? Do you log in with your new (thus unknown) e-mail address? Or do you want to send the lost password to the no longer existing one?

    --
    Nae king! Nae laird! Nae yurrupiean pressedent! We willna be fooled again!
  8. Re:Bad idea idiots by sleiper · · Score: 2

    Well then you don't use this system in an internet cafe. I don't use my fingerprint scanner outside my house, I just have to remember a password, urgh

  9. Re:Bad idea idiots by thaylin · · Score: 3, Insightful

    Don't know, if you want to use your cell phone you may be able to sync your keys to that browser, however if you are really going to an internet cafe, maybe you should remember your password.... So you hate this extra security, because your choice in browsing is innately insecure... No one's problem but your own.

    --
    When you cant win, ad hominem.
  10. Re:a good start, perhaps... by Joce640k · · Score: 2

    If you've got malware then you're screwed anyway....

    --
    No sig today...
  11. Re:I'd just like to say by sirlark · · Score: 2

    Agreed, it would be a wonderful thing to have, but it still has issues as far as I can see.

    TFS says 'but without the privacy leaks', but really you can still be tracked/followed/denied/fucked with from a single point/service, namely your email provider.

    Also, there's the age old problem of common password for everything, if one is compromised, they all are. Granted in this case, it's a private key and not password, which is slightly harder to acquire through social engineering, mainly because most people aren't even aware of what private keys are, and those that are usually know enough not to give them up. But still, you shouldn't use one key for everything either... or so I've been told ;)

  12. Re:How much you betting... by mlts · · Score: 2

    What I'd like to have is something simpler, and this was suggested by another /. person:

    Go to a site. Type in your username. It will have a string of random characters (or perhaps a timestamp + some random characters) that is copy/pastable. Copy this text. Sign it with your PGP/gpg private key. Paste the result back, and log in.

    The advantage of this is that PGP/gpg is pretty much platform agnostic, the keys can be stored in secure locations such as smart cards, or TPMs, PGP has proven itself and stood the test of time, and one's private key remains theirs, generated by the mechanism they so chose. For example, if I wanted a key that was generated on a smart card and would never leave that physical enclosure, I can do so. I even can have an offline computer to do the signature validations, although it is a PITA to type that in though.

    This should be done over SSL, as an attacker could grab the session once authenticated, but as for passwords stored, there isn't much an attacker can do with a bunch of public keys unless they happen to have a spare TWIRL or quantum factorization machine in their basement.

    As for ISPs, the older mom and pop ISPs, I'd mostly trust. However, some other ISPs like some in the UK can't even be trusted to not actively MITM your Web connections, much less actually be worthy of housing secure credentials.
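
The paste-and-sign login from the comment above, as an added example that is not part of the thread or of BrowserID's code; the final signature check against a stored public key is the same step the story summary describes. Ed25519 from Node's `crypto` module stands in for a PGP/gpg signature, and `login.example`, the 60-second window and the in-memory maps are assumptions.

```javascript
// Added example: Ed25519 (Node's built-in crypto) stands in for the PGP/gpg
// signature; SITE, the TTL and the in-memory maps are assumptions.
const crypto = require('node:crypto');

const SITE = 'login.example';        // hypothetical site name, bound into every challenge
const CHALLENGE_TTL_MS = 60_000;     // assumed validity window
const publicKeys = new Map();        // username -> public key: all the server stores
const pending = new Map();           // username -> { challenge, expires }

function register(username, publicKey) {
  publicKeys.set(username, publicKey);
}

// Server: timestamp + random characters, as in the comment, plus the site name
// so a signature produced for one site is useless at another.
function issueChallenge(username, now = Date.now()) {
  const nonce = crypto.randomBytes(16).toString('hex');
  const challenge = `${SITE}|${username}|${now}|${nonce}`;
  pending.set(username, { challenge, expires: now + CHALLENGE_TTL_MS });
  return challenge;
}

// Client: sign the pasted challenge; the private key never reaches the server.
function signChallenge(challenge, privateKey) {
  return crypto.sign(null, Buffer.from(challenge), privateKey).toString('base64');
}

// Server: check the signature against the stored public key.
function verifyLogin(username, signatureB64, now = Date.now()) {
  const entry = pending.get(username);
  pending.delete(username);          // single use: a replayed signature finds no challenge
  const key = publicKeys.get(username);
  if (!entry || !key) return 'no-challenge';
  if (now > entry.expires) return 'expired';
  const sig = Buffer.from(signatureB64, 'base64');
  return crypto.verify(null, Buffer.from(entry.challenge), key, sig) ? 'ok' : 'bad-signature';
}

// Constructed walk-through: one good login, then a replay of the same signature.
function demo() {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('ed25519');
  register('alice', publicKey);
  const sig = signChallenge(issueChallenge('alice'), privateKey);
  return [verifyLogin('alice', sig), verifyLogin('alice', sig)];
}

console.log(demo());
```

Deleting the challenge before checking it is what makes a captured signature worthless on a second attempt, and the server side holds nothing but public keys.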

  13. Re:Yeah but... by Lennie · · Score: 3, Insightful

    But it doesn't.

    It is just a way to verify the email-address you already own, but without waiting for the email to arrive (or having it getting stuck in spamfilters) and clicking a link.

    Now you click a link only once to connect your browser to your email address (and obviously you only share the email-address information to the sites you want).

    This allows for a lot more interesting UI changes to make it easier for users to do so:
    https://wiki.mozilla.org/images/4/4c/IdentityInTheBrowser.png

    Also it prevents Facebook from tracking you all over the web, like they currently do with the Facebook Connect-button (!)

    --
    New things are always on the horizon
  14. Re:Really? by handslikesnakes · · Score: 2

    To whatever site you decide to give it to. User intervention (at least one click in the browser chrome) is required.

    (This is obvious, why do people assume that new systems do the dumbest thing possible and not even bother to check?)

  15. Re:I'd just like to say by smallfries · · Score: 2

    The issues that you point out already exist with current email-to-reset approaches. What they are suggesting is not a perfect solution to authentication, but after glancing through their spec it seems to be at least as reliable as what we use currently. At the moment your email provider could screw with any account that relies on password confirmation / reset request emails. With this system the provider would only hold your public key, so while it would still be able to track / deny-service it would not have as much power as with the current system.

    Overall it seems like a nice compromise between the ideal and a system that has a hope of wide-spread adoption. Although as it seems to require implementation by the mail provider anyway they could have gone for an IBE signature system.

    --
    Slashdot: where don knuth is an idiot because he cant grasp the awesome power of php
  16. Damn government by PopeRatzo · · Score: 4, Funny

    a browser-based federated login provider

    Got damn Feds is getting involved in everything these days.

    Hell, pretty soon they're gonna be all up in my Social Security and Medicare. That's why I'm a-voting for that pretty Mi-chele Bachmann. And let me tell you, I'd like to show her what a real man is. You know she ain't getting it from that big homo she's married to. And by homo, I mean gay as pink ink. Dude has to tie weights to his shoes so they don't float right out of the closet. He's queerer than a box of monkeys on DMT. Gay cubed.

    --
    You are welcome on my lawn.
  17. Re:Yeah but... by JMJimmy · · Score: 2

    Except who uses the same email for all logins? I have one for professional use, one for personal use, one for sites I don't know if I can trust, and at least 2 alternates for different ids. I'm not going to set up 6 profiles and open close the browser depending on which one I need. Worse yet it means others using my computer can authenticate themselves as me.

    It's just a bad idea all round.

  18. Re:Yeah but... by cayenne8 · · Score: 2

    You can still have pseudonymity, just sign up for an e-mail address and don't use your real name.

    Or...set up a real anonymous email account with a nym server...?

    Set up this account that bounces through a few remailers....will be a real email account, but virtually untraceable.

    --
    Light travels faster than sound. This is why some people appear bright until you hear them speak.........