Slashdot Mirror
Mozilla Launches Persona Identity Bridge For Gmail
An anonymous reader writes "Mozilla today announced the Persona Identity Bridge for Gmail users. If you have a Google account, this means you can now sign into Persona-powered websites with your existing credentials. The best part is of course Mozilla's pledge to its users. 'Persona remains committed to privacy: Gmail users can sign into sites with Persona, but Google can't track which sites they sign into,' Mozilla Pesrona engineer Dan Callahan promises."
I'm supposed to find it impressive that a website can take my username and password, and present it to another website and confirm its validity?
So I don't tell Google what I'm logging in to, but I instead give you my authentication information for Google?
I don't think so Tim.
Color me unimpressed with Mozilla rehashing something from 40 years ago ... and doing it wrong in the process.
Persistent Volume manager for Kubernetes - https://github.com/dwimsey/openshift-pvmanager
Can the government track what sites I sign into with Persona? And if they can't, can they do so once they serve the Mozilla Foundation with a Writ of Assistance ^W^W^W National Security Letter.
And no Social Networking button? What wrong with these people!
Google can't track Somehow, I'm suspicious of this claim.
Because there was another story on it four stories earlier.
Damnit, i want a conspiracy theory. Can we delete the other post too...
If I use this then presumably every website that I sign in to would have my real private Gmail address. As it is now, I use a free forwarding service (Spamgourmet) to create a unique address for everyone I sign up with. That way, if and when the spam starts, I can disable just that one address rather than having to go through the tassel of abandoning my prime email address. And I have been spammed at some of those addresses that I created, both by the people that I signed up with and sometimes even by Chinese malware sent to addresses that only one company had and that should have been keeping their data very secure. So, no thank you, I'll go through the extra hassle of keeping separate names and passwords for all of the sites that I want to sign in to, and be a little less concerned that I opened myself to endless spamming and attacks.
And before anyone questions it, yes, I have had to abandon some email addresses before I started using a forwarding service. In one case that I particularly remember I logged in one day and there was so much duplicate spam in my inbox that it used the mailbox's full quota and was effectively a denial of service attack. The attack lasted longer than the account did.
I'm an American. I love this country and the freedoms that we used to have.
For me, the deal-breaker with Persona is that it is tied to my email address and exposes that unique identifier to every website that does Persona.. The pro-persona types argue that is a benefit, that people are used to using their email address as a relatively constant identifier.
My argument is that giving the same email address out to every website makes it super-easy for those websites to cross-reference my web usage. Nowadays your email address is the online equivalent of your social-security number for marketers. It is the most useful key in the cyberstalker/marketing databases. All of the cyberstalker companies like BlueKai, Janrain, Scorecard, Doubeclick, etc create phantom profiles of people on the web that just sit dormant until you give one of their partner websites your email address and then they file all that dormant data in with any other data associated with your address.
Some people say, no problem, just create a different email address for every website you visit. Yeah, right. That's no problem at all. The system isn't designed for that. If there were a way to generate a login credential unique to each website so cross-referencing didn't work and it was easy and automatic, then Persona would be useful. As it is now it is only mis-leading, addressing a privacy problem we had 5 years ago but it does nothing to protect us against the current state of the art in privacy invasion.
The difference between Persona and OpenID is that if/when the email services and browsers (I think I can name at least one browser which is sure to do this) add native support for it, then you can authenticate to your email host once and a private key will be loaded into your browser, and then you can authenticate to sites directly yourself with that key easily, and then no 3rd party (Mozilla, your email provider, etc) knows you've authenticated there. With OpenID, your OpenID service can see everywhere that you log into.
With the assault on privacy and human rights, why would I ever want to have my credentials
across a multitude of sites?
Then new trend will be towards obfuscation, not sharing.
But ... but ... but ... "Dan Callahan promises."
Persona/BrowserID is a lot closer to OpenID than SAML or OAuth.
Doing SAML federation can be a bit of a nightmare, and AFAIK there's no "standard" way to do sort of on-demand federation between two entities (that is, if user using IdP A wants to visit service X, usually A and X generally need to already know about each other).
OAuth really isn't about *authentication*. It can be used for authn as sort of a side-effect, but it's really not its' intent.
As for OpenID (and OAuth and SAML, too), the big advantage of Persona/BrowserID is that your IdP doesn't actually know what sites you're visiting. If you take the additional step of using unique email addresses to sign in to each different site you visit, there's also no way for two different sites to know you're the same user (at least, based on your BrowserID "identity"... obviously there's other tricks they can employ).
Given the pathetic interface of Gmail and ever more frustrating themes, I wish Gmail integrated more closely with browser persona.
First off, I have no bloody interest in logging into web sites with my Google credentials. I will log into them (if at all) with the set of credentials I choose, and if the browser is going to think "hey, I see you're logged into Google, so I'll just log you into this site" -- then I'm going to have to either disable that, or stop using the browser. I have no interest in being automatically logged in with my Google credentials.
And second, I don't believe that you can log into a site using Google credentials and not have Google know it. How the hell do you have my credentials, and if you're verifying them with Google, how the hell can they not know? If you're not verifying them with Google, why is it I'm trusting you with them?
This sounds like something which is going to want to wave around your credentials all over the place, and it sure as hell isn't something I want -- I sincerely hope that if I haven't signed up for whatever the hell this Persona thing is nothing happens. Just because I visit randomwebsite.com doesn't mean I have any interest in randomwebsite.com knowing who the hell I am or that I even have a Google account or that I'm currently logged into it.
I disagree with this whole cross-site credentials thing, because it's way too much information that is potentially going to places without me realizing it. I don't want to hit some random web site and have it know my identify and automatically log me in and let the marketing douchebags know I was there.
Now get off my damned lawn.
Lost at C:>. Found at C.
In order to deliver the message, your own mail server needs to know the correct address. Ideally, it should include the destination address in this line. I don't know the correct syntax but it's something like Received: from 98.76.xx.xx by 123.45.xx.xx for chester@example.com