Slashdot Mirror


Mozilla Launches Persona Identity Bridge For Gmail

An anonymous reader writes "Mozilla today announced the Persona Identity Bridge for Gmail users. If you have a Google account, this means you can now sign into Persona-powered websites with your existing credentials. The best part is of course Mozilla's pledge to its users. 'Persona remains committed to privacy: Gmail users can sign into sites with Persona, but Google can't track which sites they sign into,' Mozilla Persona engineer Dan Callahan promises."

37 of 114 comments

  1. What about the NSA? by runeghost · · Score: 2, Interesting

    Can the government track what sites I sign into with Persona? And if they can't, can they do so once they serve the Mozilla Foundation with a Writ of Assistance ^W^W^W National Security Letter?

    1. Re:What about the NSA? by icebike · · Score: 5, Interesting

      They post exactly what they have on you and how they use the data here.

      Basically it keeps Google from snooping, and Mozilla still has some records of the sites you access.
      All information is transferred by SSL but it's highly likely that Mozilla has already been forced to quietly turn over its SSL keys
      to the government. (At least Snowden claims this has happened).

      So at best you protect yourself from Google, and make the government look in two databases to see where you log in.

      --
      Sig Battery depleted. Reverting to safe mode.
    2. Re:What about the NSA? by Jah-Wren+Ryel · · Score: 2

      > NSA letter. Where the hell have you been?

      Actually it is an NSL, although NSA Letter is a pretty apropos Freudian slip.

      --
      When information is power, privacy is freedom.
    3. Re:What about the NSA? by caspy7 · · Score: 3, Interesting

      Persona has been designed to be fully decentralized. Mozilla plans to be removed from the equation. So that should really help to up the anonymizability (suck it spell check!) of the system.

    4. Re:What about the NSA? by Anonymous Coward · · Score: 2, Informative

      Mozilla can, for now, have records of where you visit because the system is still bootstrapping off their servers. In the common case right now, the site (RP) includes a JavaScript file from Mozilla's servers to do the login; and that uses the Mozilla database for a fallback until your email provider/IdP opts into supporting Persona. So, right now, Mozilla can see which site you're trying to visit and what your account is because the window you enter your credentials into is all hosted by them. (I have no particular reason to believe that they're actually recording any of this, but they are capable of doing so if they really wanted to.)

      In the future, once the adoption of the whole system has gone up, this will no longer be true. In that hypothetical future, the RP will have all the verification stuff locally, and the IdP is your email provider, and nothing ever gets sent to Mozilla. That future is not yet here.

  2. Re:And this is impressive why? by Anonymous Coward · · Score: 2, Interesting

    This is news because the browser becomes increasingly biased. First Facebook integration, now a Google identity bridge (or whatever it is called). Firefox increasingly gravitates towards the money and away from the neutral zone. It's about time to switch to Seamonkey or Chromium.

  3. Re:And this is impressive why? by Noughmad · · Score: 5, Informative

    This is impressive. It's basically separation of powers. Google has your account, but doesn't know what sites you visit. Mozilla doesn't have your account, but knows what websites you visit*. The websites themselves have nothing, except a confirmation that the e-mail address is really yours.

    I, for one, trust Mozilla more than Google, and both much more than the average website.

    *: I think I read some time ago in the documentation that Mozilla can't see what websites are requesting the auth. I'm not sure I remember it right, and I never checked the claim, and it might have changed since that time. For now, I assume the information is visible.

    --
    PlusFive Slashdot reader for Android. Can post comments.
  4. Re:Google can't track.... by Noughmad · · Score: 2

    From this identity bridge, Google only gets one authentication request, and it is from Mozilla.

    However, considering their yearly donations to Mozilla, they might have other means of accessing it.

    --
    PlusFive Slashdot reader for Android. Can post comments.
  5. Re:And this is impressive why? by icknay · · Score: 5, Informative

    Are you kidding? Persona solves a whole raft of super common problems
    • Say, for example, the kittens.com site you post on is hacked. With Persona the bad guys don't get anything. There is no password stored on kittens.com. It's more akin to certs. That alone will eliminate a whole class of internet disasters that we read about every week on Slashdot.
    • I don't want to make up yet another stupid username/password recovery question for every site. Now I can just use one of the Persona identities I already have, and I'm done. I also trust Mozilla or Google a lot more to be on top of security than kittens.com
    • Unlike, say, Facebook Connect, this is a federated standard, not dependent on any org. You can run your own identity-provider if you like, not that most people would care to.
  6. Re:And this is impressive why? by icebike · · Score: 5, Insightful

    I believe Mozilla can see what websites you are requesting, but they claim they do not retain this because they are not required to do so.
    That could change I suppose. Clearly they have to have a list of emails that they can process, but not necessarily what sites you can use them for because they can just try to log in, and let it fail. Then go thru the authorization process.

    I like the idea of spreading the knowledge around so that no one source knows everything. This essentially puts a middle-man in the Auth process, but that man knows very little.

    But I don't think this will work in the long run because someone will break SSL or demand the keys and the whole thing comes down.

    Mozilla is just as much subject to NSA letters as anyone else. And since almost 100% of their funding comes from Google anyway, I can't help but thinking this is a joint project, or at least carried out with Google's full approval. But still it makes it necessary for the NSA to look a lot more places when building a list and checking it twice.

    --
    Sig Battery depleted. Reverting to safe mode.
  7. Re:Google can't track.... by markjhood2003 · · Score: 2

    My fantasy is that Mozilla will someday support something like the old Google Sharing Firefox add-on -- run a server that pools all your search requests, mixing your cookies with other users, and replacing your IP. This makes it look like you're running from an organization's NAT'ed local network, with no ability to track your real IP and identity. In addition, Google Sharing would allow you to connect to Google with HTTPS, so that the Google Sharing server can never know what you're searching for, while Google can't find out your identity.

    The original Google Sharing was implemented by Moxie Marlinspike and was then taken over by Abine.com in some transaction that I don't understand. Since then Google Sharing has become very unstable and pretty much unusable, and Abine makes no mention of it on their web site. Anybody know what happened?

  8. Re:And this is impressive why? by Desler · · Score: 3, Informative

    It's meaningless when most sites use Google Analytics and you'll be tracked by Google anyway.

  9. Re:And this is impressive why? by Your.Master · · Score: 4, Insightful

    Because "The Government" isn't the only boogeyman in the world.

  10. Re:And this is impressive why? by godel_56 · · Score: 3, Insightful

    > It's meaningless when most sites use Google Analytics and you'll be tracked by Google anyway.

    What, you don't use NoScript?

    That reminds me, I should send that guy another donation

  11. Re:Lavabit shutdown/snowden story deleted by EvanED · · Score: 4, Informative

    Because there was another story on it four stories earlier.

  12. Re:Lavabit shutdown/snowden story deleted by Anonymous Coward · · Score: 3, Funny

    Damnit, i want a conspiracy theory. Can we delete the other post too...

  13. Re:Google can't track.... by godel_56 · · Score: 2

    You might like startpage.

    Startpage is run by a British company (same as IxQuick), but seems to use US servers. DuckDuckGo is a US company but its servers are in Singapore.

    Take your pick. I'd say there could be a good business opportunity for Iceland to host private cloud servers and search companies if they wanted to go that way.

  14. Seems like a really bad idea by frovingslosh · · Score: 3, Interesting

    If I use this then presumably every website that I sign in to would have my real private Gmail address. As it is now, I use a free forwarding service (Spamgourmet) to create a unique address for everyone I sign up with. That way, if and when the spam starts, I can disable just that one address rather than having to go through the hassle of abandoning my prime email address. And I have been spammed at some of those addresses that I created, both by the people that I signed up with and sometimes even by Chinese malware sent to addresses that only one company had and that should have been keeping their data very secure. So, no thank you, I'll go through the extra hassle of keeping separate names and passwords for all of the sites that I want to sign in to, and be a little less concerned that I opened myself to endless spamming and attacks.

    And before anyone questions it, yes, I have had to abandon some email addresses before I started using a forwarding service. In one case that I particularly remember I logged in one day and there was so much duplicate spam in my inbox that it used the mailbox's full quota and was effectively a denial of service attack. The attack lasted longer than the account did.

    --
    I'm an American. I love this country and the freedoms that we used to have.
    1. Re:Seems like a really bad idea by Agent+ME · · Score: 2

      Just use a different email address at different places then.

    2. Re:Seems like a really bad idea by Jah-Wren+Ryel · · Score: 3, Informative

      > many spam use BCC so that you don't know what email address the spam was sent to...

      It is always possible to figure out the delivery address by looking at the raw headers on the email message. The receiving system knows what the address is, else it could not deliver it to you in the first place, and they all record it somewhere, usually in one of the Received: lines.

      --
      When information is power, privacy is freedom.
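
Reading the envelope recipient out of the `Received:` lines, as the comment above describes, in an added example that is not part of the thread. The message, host names and addresses are constructed; because a hop may omit the `for <address>` clause, the function records `null` for such hops.

```javascript
// Constructed sample: Bcc'd mail, so the To: header does not name the recipient.
const RAW = [
  'Received: from mx.forwarder.example (mx.forwarder.example [192.0.2.10])',
  '\tby mail.inbox.example with ESMTP id abc123',
  '\tfor <me@inbox.example>; Fri, 9 Aug 2013 10:00:02 +0000',
  'Received: from bulk.sender.example (bulk.sender.example [198.51.100.7])',
  '\tby mx.forwarder.example with SMTP id def456',
  '\tfor <kittens.3.me@forwarder.example>; Fri, 9 Aug 2013 10:00:00 +0000',
  'From: "Deals" <noreply@bulk.sender.example>',
  'To: undisclosed-recipients:;',
  'Subject: hello',
  '',
  'body text for <notaheader@example.org>; must be ignored',
].join('\r\n');

// Split off the header block and unfold continuation lines (RFC 5322 folding).
function parseHeaders(raw) {
  const head = raw.split(/\r?\n\r?\n/)[0];
  const unfolded = head.replace(/\r?\n[ \t]+/g, ' ');
  return unfolded.split(/\r?\n/).map((line) => {
    const i = line.indexOf(':');
    return { name: line.slice(0, i).trim().toLowerCase(), value: line.slice(i + 1).trim() };
  });
}

// One entry per Received: header, newest hop first (each hop prepends its line).
function envelopeRecipients(raw) {
  const out = [];
  for (const h of parseHeaders(raw)) {
    if (h.name !== 'received') continue;
    const m = /\bfor\s+<?([^\s<>;]+@[^\s<>;]+)>?/i.exec(h.value);
    out.push(m ? m[1].toLowerCase() : null); // null: this hop logged no "for" clause
  }
  return out;
}

// The oldest hop that names an address shows which address the sender was given.
function originalRecipient(raw) {
  const named = envelopeRecipients(raw).filter(Boolean);
  return named.length ? named[named.length - 1] : null;
}

console.log(envelopeRecipients(RAW), originalRecipient(RAW));
```
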
  15. The Problem With Mozilla's Persona by Jherek+Carnelian · · Score: 5, Interesting

    For me, the deal-breaker with Persona is that it is tied to my email address and exposes that unique identifier to every website that does Persona. The pro-persona types argue that is a benefit, that people are used to using their email address as a relatively constant identifier.

    My argument is that giving the same email address out to every website makes it super-easy for those websites to cross-reference my web usage. Nowadays your email address is the online equivalent of your social-security number for marketers. It is the most useful key in the cyberstalker/marketing databases. All of the cyberstalker companies like BlueKai, Janrain, Scorecard, DoubleClick, etc create phantom profiles of people on the web that just sit dormant until you give one of their partner websites your email address and then they file all that dormant data in with any other data associated with your address.

    Some people say, no problem, just create a different email address for every website you visit. Yeah, right. That's no problem at all. The system isn't designed for that. If there were a way to generate a login credential unique to each website so cross-referencing didn't work and it was easy and automatic, then Persona would be useful. As it is now it is only misleading, addressing a privacy problem we had 5 years ago but it does nothing to protect us against the current state of the art in privacy invasion.

  16. Re:Identity Federation? by Agent+ME · · Score: 4, Informative

    The difference between Persona and OpenID is that if/when the email services and browsers (I think I can name at least one browser which is sure to do this) add native support for it, then you can authenticate to your email host once and a private key will be loaded into your browser, and then you can authenticate to sites directly yourself with that key easily, and then no 3rd party (Mozilla, your email provider, etc) knows you've authenticated there. With OpenID, your OpenID service can see everywhere that you log into.

  17. Re:And this is impressive why? by Anonymous Coward · · Score: 5, Insightful

    > *: I think I read some time ago in the documentation that Mozilla can't see what websites are requesting the auth. I'm not sure I remember it right, and I never checked the claim, and it might have changed since that time. For now, I assume the information is visible.

    This is correct.

    The way Persona works:
    * browser generates public-private key pair with the e-mail address as an attribute
    * you send the public part to Mozilla (or whichever ID provider (IdP) you want) to sign
    * the IdP confirms that you have access to said e-mail address, and if so, gives you back the signed data (like a CA) by using the IdP's private key
    * you send the signed data to the website
    * the website grabs the IdP's public key and verifies the signature

    Basically think of it as a decentralized PKI and/or a variant of PGP's web of trust: public-private keys with distributed signing to confirm that you have access to a particular e-mail address account.

    All Mozilla (or any IdP) knows is that a web site grabbed its public key (which can be cached, so traffic analysis isn't useful either). The IdP doesn't know which person's signed data is being checked. Whenever you want to sign in, the website sends your browser a timestamped nonce. The website has your verified public key on file and so can verify the signature of your browser's response.

    Each device you have (or web browser you use) has its own private key/s, and so if you lose a smartphone you can revoke the keys on it. You should have a "master password" for your web browser with an auto-logout.

    This is similar to a password manager, but you don't have to type anything in, and if a website's database is compromised then the attackers don't actually have anything useful.

    You can also use multiple e-mail addresses, even for the same website.
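
The sign-and-verify flow listed in the comment above, as an added sketch that is not part of the thread and is not Persona's or BrowserID's own code or wire format. The function names, the JSON layout, the choice of Ed25519, the `audience` field and the sample site and addresses are assumptions made for illustration.

```javascript
// Added sketch of the flow listed above; simplified JSON, not Persona's wire format.
const crypto = require('crypto');

// Sign a JSON payload with Ed25519 and carry the exact signed bytes alongside.
function signJson(payload, privateKey) {
  const body = Buffer.from(JSON.stringify(payload));
  const sig = crypto.sign(null, body, privateKey); // null: Ed25519 has a fixed internal hash
  return { body: body.toString('base64'), sig: sig.toString('base64') };
}

// Return the payload only if the signature verifies, otherwise null.
function openJson(signed, publicKey) {
  const body = Buffer.from(signed.body, 'base64');
  const ok = crypto.verify(null, body, publicKey, Buffer.from(signed.sig, 'base64'));
  return ok ? JSON.parse(body.toString()) : null;
}

// IdP side: after confirming mailbox ownership (not modelled), sign email + browser key.
function issueCertificate(idpPrivateKey, email, browserPublicKey, exp) {
  const pub = browserPublicKey.export({ type: 'spki', format: 'pem' });
  return signJson({ email, pub, exp }, idpPrivateKey);
}

// Browser side: answer the site's nonce with the device key and attach the certificate.
// Binding the site name ("audience") is an assumption added in this sketch.
function makeAssertion(cert, browserPrivateKey, audience, nonce) {
  return { cert, proof: signJson({ audience, nonce }, browserPrivateKey) };
}

// Site side: needs only the IdP public key; nothing secret is stored about the user.
function verifyAssertion(assertion, idpPublicKey, audience, nonce, now) {
  const cert = openJson(assertion.cert, idpPublicKey);
  if (!cert) return { ok: false, reason: 'certificate not signed by IdP' };
  if (cert.exp <= now) return { ok: false, reason: 'certificate expired' };
  const proof = openJson(assertion.proof, crypto.createPublicKey(cert.pub));
  if (!proof) return { ok: false, reason: 'proof not signed by certified key' };
  if (proof.audience !== audience || proof.nonce !== nonce) {
    return { ok: false, reason: 'proof is for another site or login attempt' };
  }
  return { ok: true, email: cert.email };
}

// Constructed scenario: one good login and three failures a site must reject.
function demo() {
  const now = Date.now();
  const idp = crypto.generateKeyPairSync('ed25519');
  const browser = crypto.generateKeyPairSync('ed25519');
  const thief = crypto.generateKeyPairSync('ed25519');
  const site = 'https://kittens.example';
  const nonce = crypto.randomBytes(16).toString('hex');
  const cert = issueCertificate(idp.privateKey, 'alice@example.org', browser.publicKey, now + 60000);
  const good = makeAssertion(cert, browser.privateKey, site, nonce);
  const edited = JSON.parse(Buffer.from(cert.body, 'base64').toString());
  edited.email = 'admin@example.org'; // tamper with the signed claim
  const forged = { ...cert, body: Buffer.from(JSON.stringify(edited)).toString('base64') };
  const check = (a, n) => verifyAssertion(a, idp.publicKey, site, n, now);
  return {
    valid: check(good, nonce),
    replayed: check(good, 'a-later-nonce'),
    stolenCert: check(makeAssertion(cert, thief.privateKey, site, nonce), nonce),
    forgedEmail: check({ cert: forged, proof: good.proof }, nonce),
  };
}
console.log(demo());
```

A dump of the site's database in this model yields only e-mail addresses and public keys, and the IdP never sees the `audience` value, which is the separation the comment describes.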

  18. With all the NSA intrusion why would I use this? by assemblerex · · Score: 2

    With the assault on privacy and human rights, why would I ever want to have my credentials
    across a multitude of sites?

    The new trend will be towards obfuscation, not sharing.

  19. Re:With all the NSA intrusion why would I use this by MadMaverick9 · · Score: 3, Funny

    But ... but ... but ... "Dan Callahan promises."

  20. Re:And this is impressive why? by ozmanjusri · · Score: 4, Informative

    > And since almost 100% of their funding comes from Google anyway, I can't help but thinking this is a joint project, or at least carried out with Google's full approval.

    About 85%, and that's from a standard commercial arrangement - eg a fee for a service. It bought Google the default search engine spot, but nothing else.

    Microsoft had the opportunity to buy the spot for Bing, but chose not to.

    http://www.businessinsider.com/why-did-microsoft-let-google-win-the-firefox-deal-2011-12

    --
    "I've got more toys than Teruhisa Kitahara."
  21. Re:And this is impressive why? by Anonymous Coward · · Score: 5, Informative

    Persona is a reference implementation of the BrowserID protocol, which is fully decentralized.

    If your browser and email provider (or your own domain!) support BrowserID / Persona, then Mozilla is completely removed from the login transaction. We don't want to be able to track you, and we've designed a system that automatically removes us from the picture as it gains traction.

  22. Re:And this is impressive why? by Anonymous Coward · · Score: 3, Interesting

    Uhhhh...you just NOW figured this out?

    Sigh, more anti-FOSS fud from somebody who should know better. Plenty of people have explained this to you in past conversations.

    In fact, Google is not the default search engine in all the localized versions of Firefox. There's long been a Yandex version of Firefox and Yandex is the default in Russia and Russian speaking countries.

    More recently, Mozilla partnered with Microsoft, once its arch nemesis, to offer a Bing-themed version of Firefox. Bing, of course, is a default search option in Firefox.

    Now, Microsoft and Mozilla are partnering once again with a MSN-themed version of the browser, for the people that still use MSN for some reason. Probably the same reason why people still use Yahoo Mail.

    This version of the browser comes with the standard modifications, Bing as the default search engine, both in the search box and the AwesomeBar, a link to msnNOW in the toolbar and MSN as the homepage.

    http://news.softpedia.com/news/MSN-ified-Version-of-Firefox-Dilutes-Mozilla-s-Dependence-on-Google-310533.shtml

  23. Re:And this is impressive why? by syockit · · Score: 3, Insightful

    I don't remember how it was in NoScript, but in ScriptSafe (for Chrome), even in whitelist mode, a preset of known URLs are blocked before requests could be sent.

    --
    Democracy is for the people; you only vote once per season and we'll do the rest of the work for you don't have to.
  24. Re: And this is impressive why? by Anonymous Coward · · Score: 2, Informative

    > You trust Mozilla even though they want to build aggregating and selling [mozilla.org] your browsing history and "interests" (derived from the contents of the pages you visit) into the Firefox browser?

    Your statement does not even remotely reflect what Mozilla are saying in the blog posting you linked to.

    To quote from your link:

    "We recently shared our view that personalization must be handled with respect for the individual user. We want to see even more personalization across the Web from large and small sites, but in a transparent way that retains user control. The team at Mozilla Labs is focused on exploring ways to move the Web forward, and has thought a lot about how the browser could play a role in making useful content personalization a reality."

    What is your motivation for making a lying post to show Mozilla in a hostile light, and why do you think you're being moderated up?

  25. Re:And this is impressive why? by Anonymous Coward · · Score: 2, Informative

    OAuth requires specific providers to individually be enabled by each consuming website, yes.
    OpenID does not. If a website implements OpenID properly, any OpenID provider can be used, even if the website owner has never heard of it.

  26. Re:And this is impressive why? by icebraining · · Score: 4, Informative

    1) This is not part of Firefox

    2) The first bridge was for Yahoo, not Google, and it's part of an authentication system (Persona) that is actually completely unbiased towards any provider.

  27. Re:And this is impressive why? by icebraining · · Score: 2

    Persona only needs a "middle man" if the domain you use doesn't support it natively. It's a fallback, not a requirement.

    If you used a provider that supported Persona natively, not only would you not need Mozilla as the middle man, but (unlike with OpenID) that same provider wouldn't know where you were logging in to.

  28. Re:And this is impressive why? by icebraining · · Score: 2

    No, it's not the same thing, because 1) you don't have to use Google to use Persona, and 2) with Persona, Google doesn't know where you're logging in to.

  29. Re:And this is impressive why? by kermidge · · Score: 2

    Amen to that. Since using Ghostery have less clutter on pages and they load faster as well. Only difficulty is when something on a page isn't working and I don't readily know how to find out what's blocking it - that can get tedious and much of the time I give up.

  30. Re:And this is impressive why? by Raenex · · Score: 2

    To really stop it, you need a proxy like Privoxy or Squid.

    Try the RequestPolicy plugin. It blocks all 3rd-party requests by default, and you can selectively enable stuff while browsing like you do in NoScript.