Mozilla Offers Alternative To OpenID
Orome1 writes "Mozilla has been working for a while now on a new browser-based system for identifying and authenticating users it calls BrowserID, but it's only this month that all of its sites have finally been outfitted with the technology. Mozilla aims for BrowserID to become a more secure alternative to OpenID, the decentralized authentication system offered to users of popular sites such as Google, Yahoo!, PayPal, MySpace and others."
https://www.browserid.org/about
No password?? Are you kidding me??
The moment I saw that 3rd step, I just.... I'm speechless. What the fuck?
From the code I looked at, the thing doesn't deal with passwords at all!
And that's not even the worst part.
Apparently it relies on you, as the website owner, trusting the JavaScript in the browser completely, since it's browser (read JavaScript) authentication *only*!
That means I can hack this shit with 5 minutes of Firebug and Greasemonkey, listen in on the communication, and get a login to wherever I like.
What idiot thought this was a good idea?
A proper authentication for *my* site *always* goes through *my* servers, and my servers only, *before* sending anything to the client.