
Mozilla BrowserID: Decentralized, Federated Login

Soulskill posted more than 2 years ago | from the grand-unified-login dept.


An anonymous reader writes "Mozilla Labs has just launched the prototype of its BrowserID project and the accompanying Verified Email Protocol standard. Basically, BrowserID is a browser-based federated login provider like Facebook Connect, but without the privacy leaks. Fundamentally, BrowserID is public key encryption. You register an email address with your browser, which is then confirmed with a standard 'click here to confirm' email. A public/private key pair is then generated; your browser keeps the private key, and your email provider keeps the public key. Now, when you visit Facebook (or any site that supports BrowserID), your browser gives Facebook your email address and an identity token signed with your private key. Facebook queries your email provider for your public key, decrypts your identity token, and logs you in — voila, secure, private, browser-based logins. Oh, and the prototype is written in HTML and JavaScript — so it works across every modern browser, too."


179 comments

Yeah but... (0)

Anonymous Coward | more than 2 years ago | (#36773872)

This does nothing to protect my anonymity.

Re:Yeah but... (2)

zero0ne (1309517) | more than 2 years ago | (#36773892)

Nor does logging into your online bank account with a normal username / password. This looks to just be a wrapper for a more secure, trusted identity.

Re:Yeah but... (1)

Anonymous Coward | more than 2 years ago | (#36773994)

Trusting yet another 3rd party service with authentication data. What could possibly go wrong?

Re:Yeah but... (3, Insightful)

Lennie (16154) | more than 2 years ago | (#36774362)

But it doesn't.

It is just a way to verify the email address you already own, but without waiting for the email to arrive (or having it get stuck in spam filters) and clicking a link.

Now you click a link only once to connect your browser to your email address (and obviously you only share the email address information with the sites you want).

This allows for a lot more interesting UI changes to make it easier for users to do so:
https://wiki.mozilla.org/images/4/4c/IdentityInTheBrowser.png [mozilla.org]

Also it prevents Facebook from tracking you all over the web, like they currently do with the Facebook Connect-button (!)

First post! (-1)

Anonymous Coward | more than 2 years ago | (#36773888)

First post!

I'd just like to say (1)

milimetric (840694) | more than 2 years ago | (#36773922)

yeeeeeeeeeeeeeeeeeeeeeeeeeeessssssss!

finally. thank the deities.

I'd just like to say (0)

Anonymous Coward | more than 2 years ago | (#36774126)

Not sure what the fuss is about.

Sincerely,
AC

Re:I'd just like to say (0)

Anonymous Coward | more than 2 years ago | (#36774312)

Imposter!

Sincerely,
The Real AC

Re:I'd just like to say (0)

Anonymous Coward | more than 2 years ago | (#36774526)

It clearly says "by Anonymous Coward", not "by The Real Anonymous Coward", so who's the imposter!?

Re:I'd just like to say (2)

sirlark (1676276) | more than 2 years ago | (#36774324)

Agreed, it would be a wonderful thing to have, but it still has issues as far as I can see.

TFS says 'but without the privacy leaks', but really you can still be tracked/followed/denied/fucked with from a single point/service, namely your email provider.

Also, there's the age old problem of common password for everything, if one is compromised, they all are. Granted in this case, it's a private key and not password, which is slightly harder to acquire though social engineering, mainly because most people aren't even aware of what private keys are, and those that are usually know enough not to give them up. But still, you shouldn't use one key for everything either... or so I've been told ;)

Re:I'd just like to say (1)

capo_dei_capi (1794030) | more than 2 years ago | (#36774486)

Also, there's the age old problem of common password for everything, if one is compromised, they all are. Granted in this case, it's a private key and not password, which is slightly harder to acquire though social engineering, mainly because most people aren't even aware of what private keys are, and those that are usually know enough not to give them up. But still, you shouldn't use one key for everything either... or so I've been told ;)

At least that single key pair is fairly easy to replace, if you notice that it has been compromised. But yeah, I agree, the one account for everything approach, which this basically is an instance of, is definitely less secure than having different accounts and login credentials for all the services you use.

Re:I'd just like to say (2)

smallfries (601545) | more than 2 years ago | (#36774502)

The issues that you point out already exist with current email-to-reset approaches. What they are suggesting is not a perfect solution to authentication, but after glancing through their spec it seems to be at least as reliable as what we use currently. At the moment your email provider could screw with any account that relies on password confirmation / reset request emails. With this system the provider would only hold your public key, so while it would still be able to track / deny-service it would not have as much power as with the current system.

Overall it seems like a nice compromise between the ideal and a system that has a hope of wide-spread adoption. Although as it seems to require implementation by the mail provider anyway they could have gone for an IBE signature system.

Browser keeps the private key? (2, Insightful)

Anonymous Coward | more than 2 years ago | (#36773926)

Ah, so when I have to reinstall my OS due to HDD death or OS death and for whatever reason, can't save my profile app data files (depending on where it stores the key)... then what?

Will I just be able to do a "Forgot my password" type action to regenerate a private key?

Re:Browser keeps the private key? (3, Funny)

axx (1000412) | more than 2 years ago | (#36773960)

Even better! Thanks to our convenient, safe and secure process, the private key will be calculated from your public key and sent back to you via email for you to store on your new computer!

Re:Browser keeps the private key? (0)

Anonymous Coward | more than 2 years ago | (#36774002)

Even better! Thanks to our convenient, safe and secure process, the private key will be calculated from your public key and sent back to you via email for you to store on your new computer!

Perfect! So now all I ever need to remember is my email password to have full access to any site I want to visit!

Re:Browser keeps the private key? (2)

whiteboy86 (1930018) | more than 2 years ago | (#36774400)

and those blackhats can conveniently grab the user's private key via trojan or a hacked browser now

Re:Browser keeps the private key? (1)

sgt scrub (869860) | more than 2 years ago | (#36774818)

No doubt! Letting your browser save passwords is stupid. Letting your browser store keys is insane! I like single sign on tech for internal low security stuff as much as the next guy, but global? sigh.

Re:Browser keeps the private key? (1)

spydum (828400) | more than 2 years ago | (#36774922)

I don't think the browser would ever need to transmit the private key in this scenario. However, yes: if the user or browser was somehow tricked into uploading it -- you are compromised. This is still better than passwords, which are easy to attack with dictionaries and rainbow tables.

Back up your profile (1)

tepples (727027) | more than 2 years ago | (#36773974)

As I understand it, the browser keeps your private key in your profile, just as it keeps your bookmarks and cookies in your profile. And as the protocol spec [mozilla.org] states: "It does not forbid synchronization" of the private key across devices. So back up your profile.

Re:Back up your profile (0)

Anonymous Coward | more than 2 years ago | (#36774200)

Would I need to do that before or after I close my "incognito" browser window?

Re:Browser keeps the private key? (2)

todrules (882424) | more than 2 years ago | (#36774226)

And how does this work across multiple devices? I have my work laptop, home laptop, and home workstation. From the summary, I don't see how this can work.

Re:Browser keeps the private key? (1)

handslikesnakes (659012) | more than 2 years ago | (#36774386)

The same as when you use a different browser, or start using BrowserID for the first time:

You log into your email provider, which asks your browser to generate a key. Your email provider signs the key, and your browser stores it.

There's no single keypair that you're totally dependent on.

Re:Browser keeps the private key? (1)

improfane (855034) | more than 2 years ago | (#36774754)

Maybe this is what you would use Mozilla Sync for? (At the risk of keeping your internet life at a single provider.)

Of course you backup your Mozilla profile*, don't you?

* That directory that keeps all your bookmarks, history and saved passwords.

Bad idea idiots (-1, Flamebait)

Anonymous Coward | more than 2 years ago | (#36773942)

Mozilla doesn't know how people use browsers these days. How the fuck is this going to work in an Internet cafe for eg?

Re:Bad idea idiots (0)

Anonymous Coward | more than 2 years ago | (#36773972)

Wow, talk about irony. I've heard that they're still popular in some countries, but for god's sake, who uses internet cafes "these days"?? Just buy a laptop and go to a real cafe!

Re:Bad idea idiots (3, Insightful)

BHearsum (325814) | more than 2 years ago | (#36773996)

Not sure if you're trolling or not (you probably are), but in 2nd and 3rd world countries Internet Cafes and cellphones are the primary means of Internet access...

Re:Bad idea idiots (2)

sleiper (1772326) | more than 2 years ago | (#36774094)

Well then you don't use this system in an internet cafe. I don't use my fingerprint scanner outside my house, I just have to remember a password, urgh

Re:Bad idea idiots (3, Insightful)

thaylin (555395) | more than 2 years ago | (#36774164)

Don't know, if you want to use your cell phone you may be able to sync your keys to that browser, however if you are really going to an internet cafe, maybe you should remember your password.... So you hate this extra security, because your choice in browsing is innately insecure... No one's problem but your own.

Re:Bad idea idiots (0)

Anonymous Coward | more than 2 years ago | (#36773980)

Please don't leave cookies in an internet cafe. You're asking for trouble.

Password still required Re:Bad idea idiots (0)

Anonymous Coward | more than 2 years ago | (#36774104)

Mozilla doesn't know how people use browsers these days. How the fuck is this going to work in an Internet cafe for eg?

Apparently neither do you. They'll be around for a bit, but internet cafes of the past are a dying breed replaced more and more by restaurants and coffee shops with wifi. With the price of wireless hardware dropping, people are getting their own devices. Even in the 3rd world people aren't buying hardline access. If you can't afford your own phone, people just buy a sim card and then rent a phone when they need to call or check messages. (yes that's really how it's done, at least in Afghanistan)

Of course, since the point of something like this is security, rule number one should be to not use it on untrusted hardware. Now of course the phone isn't any more trusted, but the mobile version can at least store the user's private key on their sim card. Until the phones are compromised to copy people's private keys and passwords.

Any decent public key system will still require password access to the private key. This can at least delay the compromise of a user's private key, until they use it on a compromised keylogging computer.

Re:Password still required Re:Bad idea idiots (0)

BrokenHalo (565198) | more than 2 years ago | (#36774654)

...but internet cafes of the past are a dying breed replaced more and more by restaurants and coffee shops with wifi.

Better still, if you want really decent coffee, you're mostly better off staying at home anyway. This doesn't necessarily mean a big expense; if you buy good beans and take a bit of care, you can get great results from a cheapie stovetop espresso machine. And if you are happy to be a true nerd, you can always roast your own coffee with a heat-gun or a popcorn popper. I buy green beans at very reasonable prices from Coffee Snobs [coffeesnobs.com.au], a truly excellent supplier of top-grade single-estate varietal beans here in Australia, and I'm sure there must be equivalents in your own country of residence.

Re:Password still required Re:Bad idea idiots (1)

RobbieThe1st (1977364) | more than 2 years ago | (#36774862)

Erm... Is this an advertisement/spam or a legit post? I can't quite tell...
On the one hand, it's well written, unlike most ads. On the other, it has the same one-link-to-paragraph-of-information I've seen several times before.
If it had been written by AC, I'd have considered it spam, but...

Re:Bad idea idiots (1)

handslikesnakes (659012) | more than 2 years ago | (#36774420)

It can be the same as with username/password authentication: when you log into your email provider, you see a box that says "store this login info", and you don't check it.

Really? (0)

mwvdlee (775178) | more than 2 years ago | (#36773988)

So this system just gives your verified email address to whatever site wants to have it?

Re:Really? (1)

robmv (855035) | more than 2 years ago | (#36774020)

The same way nearly all signup forms request your email in order to be able to recover your account if you forget your password. Oh I forgot people create fake emails if they do not trust the site

Re:Really? (-1)

Anonymous Coward | more than 2 years ago | (#36774038)

troll.

Re:Really? (1)

Richard_at_work (517087) | more than 2 years ago | (#36774044)

Not just that, but now you have to remember to back up your browsers private key, and have them synced across different browser installs...

Re:Really? (0)

Anonymous Coward | more than 2 years ago | (#36774084)

No, you don't. It sounds like your e-mail provider can generate new public / private keys for you whenever it needs to.

Re:Really? (1)

Lennie (16154) | more than 2 years ago | (#36774464)

Yes, Mozilla created a separate specification that others can implement.

BrowserID is the Mozilla project and Verified Email Protocol is the specification they created.

It should be really easy for a large mail provider like GMail to provide this; all it needs to do is store a public key and have it available to anyone who would want to check it.

Re:Really? (1)

handslikesnakes (659012) | more than 2 years ago | (#36774474)

Just to be clear, your email provider asks your browser to generate a new public/private keypair. The email provider only ever sees your public key.

Re:Really? (1)

Anonymous Coward | more than 2 years ago | (#36774068)

If only I hadn't used "password123" when I signed up for Hotmail, Gawker, Neverwinter Nights, etc.

This system adds nothing to the security of identity as it does nothing to change typical user behavior.

Re:Really? (1)

ArsenneLupin (766289) | more than 2 years ago | (#36774282)

So this system just gives your verified email address to whatever site wants to have it?

One verified address. So just set up the system so that the browser can manage more than one such id. For most sites, you'd then use the id tied to a throwaway hotmail address. Or to a specialized server that only generates email lookalikes which you cannot actually deliver to.

Re:Really? (2)

handslikesnakes (659012) | more than 2 years ago | (#36774442)

To whatever site you decide to give it to. User intervention (at least one click in the browser chrome) is required.

(This is obvious, why do people assume that new systems do the dumbest thing possible and not even bother to check?)

Re:Really? (1)

sgt scrub (869860) | more than 2 years ago | (#36774848)

(This is obvious, why do people assume that new systems do the dumbest thing possible and not even bother to check?)

Because setting up that click event to be the close box on a pop up is beyond simple.

Re:Really? (1)

thePowerOfGrayskull (905905) | more than 2 years ago | (#36774886)

To whatever site you decide to give it to. User intervention (at least one click in the browser chrome) is required.

(This is obvious, why do people assume that new systems do the dumbest thing possible and not even bother to check?)

Because on slashdot, naming the most obvious flaws in a new idea is what passes for insightful. I'm starting to think the between-the-lines subtext is, "I did not think of this cool idea and am slightly envious, therefore it must be fatally flawed." because surely the people who come up with new ideas are incapable of thinking of these obvious and sometimes crippling flaws on their own.

Spam? (1)

Anonymous Coward | more than 2 years ago | (#36773998)

The biggest problem with the current "e-mail address as username" is spam. So how does this prevent the site in question from selling my e-mail address to spammers?

Re:Spam? (0)

Anonymous Coward | more than 2 years ago | (#36774160)

I have Gmail, what is this spam you speak of?

Re:Spam? (1)

prionic6 (858109) | more than 2 years ago | (#36774744)

I may have some data about your theory. For quite some time now (a few years), I have a catch-all on my domain, so I can basically use any address I want. When some site wants my email, I give it firstname.@mydomain.de. Now, from time to time, I look through my spam folder to do a bit of research. Turns out, most of the spam goes to an address I have used in the far past on usenet or variations of it. Second in rank is a random string as username (comes naturally with a catch-all) and right after that is my vanilla firstname@mydomain.de, that I give to friends and also have used on sites before I started this scheme. In the current month, there are about five to ten spam messages (out of a few thousand) that can be tracked to the place where I entered them, and these places are two semi obscure forums and stuffit.com.

i'm no security expert (5, Insightful)

Anonymous Coward | more than 2 years ago | (#36774006)

isn't the browser basically the most targeted piece of software on a computer? if the private key is stored in the browser, doesn't that mean that potentially one successful exploit in the browser would let a hacker log into any website as you?

Re:i'm no security expert (0)

Anonymous Coward | more than 2 years ago | (#36774284)

One would assume that the private key is encrypted using something like AES with a password-based key. There are usually 95 valid character choices for a password, which is 7 bits; a 256-bit AES key would be about 39 characters, a 128-bit key would be about 20 characters. Of course, in reality the actual entropy of the password would be about 26**7, or around 32 bits, since even people who use supposedly strong passwords tend to use very simple and predictable patterns.

Re:i'm no security expert (3, Insightful)

ArsenneLupin (766289) | more than 2 years ago | (#36774300)

How is that different from now, where you can have the browser autocomplete the password for most login forms anyways? If the browser is hacked, the autologin password db is exposed too.

Re:i'm no security expert (1)

Lennie (16154) | more than 2 years ago | (#36774488)

If you know your private key is stolen you just generate a new one and the problem is solved (unless they get access to your email account as well of course).

a good start, perhaps... (0)

Anonymous Coward | more than 2 years ago | (#36774040)

and what's to stop malware from stealing your private key?

or a man-in-the-middle attack?

is there a passphrase you'll use to open it each time you launch the browser?

how about when you use another trusted computer?

a public computer?

Re:a good start, perhaps... (1)

Lennie (16154) | more than 2 years ago | (#36774522)

"is there a passphrase you'll use to open it each time you launch the browser?"

That depends on the browser implementation, but I'm sure many will do so.

A new form of "Single Sign-On" ?

Re:a good start, perhaps... (1)

handslikesnakes (659012) | more than 2 years ago | (#36774602)

What exactly are you going to man-in-the-middle? The only things being sent are public keys and signed assertions.

Skeptical but encouraged (2)

anarcat (306985) | more than 2 years ago | (#36774048)

So wait - why doesn't this use the existing PGP web of trust and software?

And how does it mitigate the MITM/Phishing attacks that plagued OpenID?

I'm skeptical, but encouraged to see some efforts here...

E-mail providers that don't opt in (1)

tepples (727027) | more than 2 years ago | (#36774058)

So where does this leave Internet users whose e-mail providers decline to implement Verified Email Protocol?

Re:E-mail providers that don't opt in (1)

tero (39203) | more than 2 years ago | (#36774264)

That's where the secondaries come in. The RPs are asked to implicitly trust the authentication coming from these "trusted sources".

Mozilla is proposing making their own browserid.org as one such secondary.

Re:E-mail providers that don't opt in (1)

Joce640k (829181) | more than 2 years ago | (#36774270)

The kind of users who use this will be the kind of users who use hotmail/gmail/yahoo/etc.

Re:E-mail providers that don't opt in (1)

Lennie (16154) | more than 2 years ago | (#36774534)

I think that is what the BrowserID project is for, see the video.

They mail you a link just like all these sites currently do, you just need to do it once to verify your email address instead of for each and every site.

Let me get this straight (4, Insightful)

Errol backfiring (1280012) | more than 2 years ago | (#36774064)

My browser will automatically provide my e-mail address? The very thing I do NOT want to provide when signing in with the majority of sites?

Also, as a web developer, I think it is a real bad design error to use an e-mail address as a login. What happens if you change your provider? Do you log in with your new (thus unknown) e-mail address? Or do you want to send the lost password to the no longer existing one?

Re:Let me get this straight (1)

Anonymous Coward | more than 2 years ago | (#36774340)

Answer: Buy your own domain... You'll never have to change your e-mail address again.

Re:Let me get this straight (1, Insightful)

marcosdumay (620877) | more than 2 years ago | (#36774380)

The first issue is fixed simply by the browser asking your permission before it sends your data. The UI can be made in a way that is harder to give permission (at the first login) than just clicking 'Yes'.

The second issue is real, but is also moot. Everybody uses email for authentication. A few people that can think offer the option of changing your email, others don't. Those same groups would do correctly/incorrectly any authentication method you can think of.

Re:Let me get this straight (0)

Anonymous Coward | more than 2 years ago | (#36774484)

It would be a good bet to sort this out including email changes for logins, browserid or whatever before you switch email.

Re:Let me get this straight (1)

Lennie (16154) | more than 2 years ago | (#36774548)

Not automatically obviously. It still needs user-interaction.

How do all these other sites currently handle accounts ?

They use email-addresses and a verification-email and have a profile-page where you can change the email-address.

This is not that different.

Re:Let me get this straight (1)

Bengie (1121981) | more than 2 years ago | (#36774604)

"Also, as a web developer, I think it is a real bad design error to use an e-mail address as a login"

Playing the critic. How does one remember their login for every website?

Whenever my browser forgets/clears my user/pass cache, I have to request my username to be sent to me and my password reset.

On almost a daily basis, I'll reply to someone on a forum, it'll request I register, I attempt to register and it'll say that email is in use. I don't remember signing up, so I just do a password reset.

It's so annoying to have to request my username and reset my password 2-3 times a day for different sites. The only sites I don't have problems with are the ones that use my GoogleID.

How much you betting... (0)

Anonymous Coward | more than 2 years ago | (#36774092)

... that privacy nuts will cry their asses off at this?
A million, 2 million, a billion?

This idea extended to the level of ISPs would be significantly more useful as well.
ISP level credentials could be used for banking and stuff that requires actual, personally identifiable information to be correct.
No information is leaked to the sites themselves.
Say, if site.com wanted to do transaction, it forwards the details TO the ISPs banking page, which then does all the hard work of verifying stuff before sending the transaction on to banks.
This would take a huge strain out of internet banking being inconsistently done on so many sites, headaches with unsupported cards, and it might actually annoy Paypal, which is equally hilarious and good for us all.
Plus, it'd cut down a huge amount of phishing if you got actual customers involved with checking their stuff often. Have portals to every card site so you can check and verify that you did indeed make that purchase for a dragon dildo or whatever.

Will it be done? Hell naw. Privacy nuts already killed it before it will be attempted.
They'll probably be on this in a heartbeat.
Thanks, you loonies. Hope your details get stolen, I'll laugh harder than when that idiot posted his SSN to prove his security system worked and failed.

Re:How much you betting... (2)

mlts (1038732) | more than 2 years ago | (#36774328)

What I'd like to have is something simpler, and this was suggested by another /. person:

Go to a site. Type in your username. It will have a string of random character (or perhaps a timestamp + some random characters) that is copy/pastable. Copy this text. Sign it with your PGP/gpg private key. Paste the result back, and log in.

The advantage of this is that PGP/gpg is pretty much platform agnostic, the keys can be stored in secure locations such as smart cards, or TPMs, PGP has proven itself and stood the test of time, and one's private key remains theirs, generated by the mechanism they so chose. For example, if I wanted a key that was generated on a smart card and would never leave that physical enclosure, I can do so. I even can have an offline computer to do the signature validations, although it is a PITA to type that in though.

This should be done over SSL, as an attacker could grab the session once authenticated, but as for passwords stored, there isn't much an attacker can do with a bunch of public keys unless they happen to have a spare TWIRL or quantum factorization machine in their basement.

As for ISPs, the older mom and pop ISPs, I'd mostly trust. However, some other ISPs like some in the UK can't even be trusted to not actively MITM your Web connections, much less actually be worthy of housing secure credentials.

That was a bumpy ride.. (1)

Anonymous Coward | more than 2 years ago | (#36774102)

Seems Mozilla is back on the straight and narrow and innovating ideas again. They lost their way for a long time, and allowed Google in. Glad to see they are back in the game and giving Chrome competition. After all, Mozilla are the only ones out there who actually genuinely care about web and want it to thrive into something even more beautiful. Microsoft and Google both have their own personal agendas.

Re:That was a bumpy ride.. (1)

Lennie (16154) | more than 2 years ago | (#36774854)

Yes and no. This project has been in the works for over 2 years at Mozilla in different forms, among being based around OpenID and other systems.

The Verified Email Protocol specification has been in the works for a while now too.

The biggest problem was, I think, that they still needed to solve that not all email-providers would (immediately) implement this, so that is what the BrowserID project is for.

And what if you want to be anonymous? (1)

Grand Facade (35180) | more than 2 years ago | (#36774192)

OOoops! too late your browser has already given you up...

And what if you need to have multiple identities?

Re:And what if you want to be anonymous? (1)

jank1887 (815982) | more than 2 years ago | (#36774260)

or what if multiple people use the same web browser? think: family room PC where mom/dad/teenager go and open up a web browser then log into their own facebook account. no, they don't have separate windows profiles and don't bother with addons that let you have multiple firefox profiles, etc, within one windows profile. (how would THAT affect this anyway...)

Re:And what if you want to be anonymous? (1)

PhilHibbs (4537) | more than 2 years ago | (#36774916)

Well, you'd have to use multiple profiles. This would require the browser writers to make profile switching much easier than it currently is. The browser would basically take over the "login" function, it decrypts your private key when you launch the browser and throws the key away when you close it or log out of your profile. A good browser would have an option to share bookmarks across profiles, for families that want to bookmark things for each other.

Re:And what if you want to be anonymous? (1)

handslikesnakes (659012) | more than 2 years ago | (#36774516)

No, your browser only tells sites your email address when you tell it to. If you have multiple identities, you select which email address you want to present to the site.

I'm confused about this. (1)

Anonymous Coward | more than 2 years ago | (#36774242)

I remember seeing another Mozilla video about good password habits. One of the pieces of advice given was to pick a "base" password and add a couple different letters depending on what site you were signing up for (somehow incorporating the website name), this way your passwords would be different across all the sites you visit, and one being compromised wouldn't necessarily mean that your entire online identity would be gone.

However, this BrowserID seems to function (from strictly a user standpoint) as a password manager would. You have one global password that logs you into each and every site. So aren't we back to square one? Isn't that a Bad Thing? Or is there something I'm missing?

And will this make attacking the browser even more lucrative? Things are already pretty bad.

Re:I'm confused about this. (1)

Lennie (16154) | more than 2 years ago | (#36774644)

I think the private key in the browser is used to generate a key per site, which can be used to verify you own the public key which is related to your email-address.

But I could be wrong. :-)

Microsoft CardSpace (0)

Anonymous Coward | more than 2 years ago | (#36774350)

It has been done before. It is Microsoft CardSpace.

Misses one major problem..... (0)

Anonymous Coward | more than 2 years ago | (#36774456)

The number one way that passwords are now being harvested is by attacking the client. If your browser stores the public key it now makes it really easy to steal your private key if your machine is broken into. All malware is going to attack this. How can this provide protection against that? With passwords at least the damage is limited to sites that I have logged into while the malware is installed and the malware will have to wait until I use these sites. With the new system it will be trivial to collect all your passwords. I only see this as being useful for low risk sites like facebook, but not banking or anything similar. Can they add something like a smart card reader where the private key is stored there and a pin (I guess this ruins the point of it). Better yet encrypt the private key with a one time key that is tied to your cell phone, this way there is a standardized authority on the keys and I don't need one device on my key chain for each thing I log into. Seems like this is the start to a good idea, but needs two factor authentication added. One factor authentication is just not cutting it these days.

Re:Misses one major problem..... (1)

Lennie (16154) | more than 2 years ago | (#36774596)

Encrypt all the passwords and keys before storing them on disk and have the user provide a passphrase before using the browser.

I expect that is how it will work.

Congratulations, Mozilla (0)

Anonymous Coward | more than 2 years ago | (#36774518)

You've reinvented client certificate auth, with a lookup layer...

Re:Congratulations, Mozilla (1)

Lennie (16154) | more than 2 years ago | (#36774584)

Yes, they tried to leverage OpenID a few years ago, it didn't work out.

So now they created this.

And good thing is, a lot of proven technology already (client cert).

Damn government (4, Funny)

PopeRatzo (965947) | more than 2 years ago | (#36774556)

a browser-based federated login provider

Got damn Feds is getting involved in everything these days.

Hell, pretty soon they're gonna be all up in my Social Security and Medicare. That's why I'm a-voting for that pretty Mi-chele Bachmann. And let me tell you, I'd like to show her what a real man is. You know she ain't getting it from that big homo she's married to. And by homo, I mean gay as pink ink. Dude has to tie weights to his shoes so they don't float right out of the closet. He's queerer than a box of monkeys on DMT. Gay cubed.

I am not a BrowserID (0)

Anonymous Coward | more than 2 years ago | (#36774846)

I am a free man!

Finally a 100% secure alternative! Yay! (0)

Anonymous Coward | more than 2 years ago | (#36774936)

Because that private key would never be accessible to crackers....no.
