Slashdot Mirror

← Back to Stories (view on slashdot.org)

Mozilla Launches Persona Identity Bridge For Gmail

Posted by samzenpus on from the being-yourself dept.

An anonymous reader writes "Mozilla today announced the Persona Identity Bridge for Gmail users. If you have a Google account, this means you can now sign into Persona-powered websites with your existing credentials. The best part is of course Mozilla's pledge to its users. 'Persona remains committed to privacy: Gmail users can sign into sites with Persona, but Google can't track which sites they sign into,' Mozilla Pesrona engineer Dan Callahan promises."

13 of 114 comments (clear)

  1. Re:And this is impressive why? by Noughmad · · Score: 5, Informative

    This is impressive. It's basically separation of powers. Google has your account, but doesn't know what sites you visit. Mozilla doesn't have your account, but knows what websites you visit*. The websites themselves have nothing, except a confirmation that the e-mail address is really yours.

    I, for one, trust Mozilla more than Google, and both much more than the average website.

    *: I think I read some time ago in the documentation that Mozilla can't see what websites are requesting the auth. I'm not sure I remember it right, and I never checked the claim, and it might have changed since that time. For now, I assume the information is visible.

    --
    PlusFive Slashdot reader for Android. Can post comments.
  2. Re:And this is impressive why? by icknay · · Score: 5, Informative
    Are you kidding? Persona solves a whole raft of super common problems
    • -Say for example kittens.com site you post on is hacked. With Persona the bad guys don't get anything. There is no password stored on kittens.com. It's more akin to certs. That alone will eliminate a whole class of internet disasters that we read about every week on slashdot.
    • -I don't want to make up yet another stupid username/password recovery question for every site. Now I can just use one of the Persona identities I already have, and I'm done. I also trust Mozilla or Google a lot more to be on top of security than kittens.com
    • -Unlike, say, facebook connect, this is a federated standard, not dependent on any org. You can run your own identity-provider if you like, not that most people would care to.
  3. Re:And this is impressive why? by Desler · · Score: 3, Informative

    It's meaningless when most sites use Google Analytics and you'll be tracked by Google anyway.

  4. Re:What about the NSA? by icebike · · Score: 5, Informative

    NSA letter. Where the hell have you been?

    http://news.cnet.com/8301-13578_3-57595202-38/feds-put-heat-on-web-firms-for-master-encryption-keys/
    http://it.slashdot.org/story/13/07/24/1812227/anonymous-source-claims-feds-demand-private-ssl-keys-from-web-services
    http://www.digitaljournal.com/article/355146

    --
    Sig Battery depleted. Reverting to safe mode.
  5. Re:Lavabit shutdown/snowden story deleted by EvanED · · Score: 4, Informative

    Because there was another story on it four stories earlier.

  6. Re:Identity Federation? by Agent+ME · · Score: 4, Informative

    The difference between Persona and OpenID is that if/when the email services and browsers (I think I can name at least one browser which is sure to do this) add native support for it, then you can authenticate to your email host once and a private key will be loaded into your browser, and then you can authenticate to sites directly yourself with that key easily, and then no 3rd party (Mozilla, your email provider, etc) knows you've authenticated there. With OpenID, your OpenID service can see everywhere that you log into.

  7. Re:Seems like a really bad idea by Jah-Wren+Ryel · · Score: 3, Informative

    many spam use BCC so that you don't know what email address the spam was sent to...

    It is always possible to figure out the delivery address by looking at the raw headers on the email message. The receiving system knows what the address is, else it could not deliver it to you in the first place, and they all record it somewhere, usually in one of the Received: lines.

    --
    When information is power, privacy is freedom.
  8. Re:And this is impressive why? by ozmanjusri · · Score: 4, Informative

    And since almost 100% of their funding comes from Google anyway, I can't help but thinking this is a joint project, or at least carried out with Google's full approval.

    About 85%, and that's from a standard commercial arrangement - eg a fee for a service. It bought Google the default search engine spot, but nothing else.

    Microsoft had the opportunity to buy the spot for Bing, but chose not to.

    http://www.businessinsider.com/why-did-microsoft-let-google-win-the-firefox-deal-2011-12

    --
    "I've got more toys than Teruhisa Kitahara."
  9. Re:And this is impressive why? by Anonymous Coward · · Score: 5, Informative

    Persona is a reference implementation of the BrowserID protocol, which is fully decentralized.

    If your browser and email provider (or your own domain!) support BrowserID / Persona, then Mozilla is completely removed from the login transaction. We don't want to be able to track you, and we've designed a system that automatically removes us from the picture as it gains traction.

  10. Re:What about the NSA? by Anonymous Coward · · Score: 2, Informative

    Mozilla can, for now, have records of where you visit because the system is still bootstrapping off their servers. In the common case right now, the site (RP) includes a JavaScript file from Mozilla's servers to do the login; and that uses the Mozilla database for a fallback until your email provider/IdP opts in into supporting Persona. So, right now, Mozilla can see which site you're trying to visit and what your account is because the window you enter your credentials into is all hosted by them. (I have no particular reason to believe that they're actually recording any of this, but they are capable of doing so if they really wanted to.)

    In the future, once the adoption of the whole system has gone up, this will no longer be true. In that hypothetical future, the RP will have all the verification stuff locally, and the IdP is your email provider, and nothing ever gets sent to Mozilla. That future is not yet here.

  11. Re: And this is impressive why? by Anonymous Coward · · Score: 2, Informative

    You trust Mozilla even though they want to build aggregating and selling [mozilla.org] your browsing history and "interests" (derived from the contents of the pages you visit) into the Firefox browser?

    Your statement does not even remotely reflect what Mozilla are saying in the blog postng you linked to.

    To quote from your link:

    "We recently shared our view that personalization must be handled with respect for the individual user. We want to see even more personalization across the Web from large and small sites, but in a transparent way that retains user control. The team at Mozilla Labs is focused on exploring ways to move the Web forward, and has thought a lot about how the browser could play a role in making useful content personalization a reality."

    What is your motivation for making a lying post to show Mozilla in a hostile light, and why do you think you're being moderated up?

  12. Re:And this is impressive why? by Anonymous Coward · · Score: 2, Informative

    OAuth requires specific providers to individually be enabled by each consuming website, yes.
    OpenID does not. If a website implements OpenID properly, any OpenID provider can be used, even if the website owner has never heard of it.

  13. Re:And this is impressive why? by icebraining · · Score: 4, Informative

    1) This is not part of Firefox

    2) The first bridge was for Yahoo, not Google, and it's part of an authentication system (Persona) that is actually completely unbiased towards any provider.

    --
    Dilbert RSS feed