Mozilla: Unlike FB and Twitter Single Sign-in, Persona Protects User Privacy

Soulskill posted about a year and a half ago | from the and-it-has-fiber-and-calcium-and-zero-carbs dept.

Mozilla 81

tsamsoniw writes "Mozilla today unveiled Persona Beta 2, the newest edition of the organization's open authentication system. The release includes Identity Bridging, which lets users sign in to Persona-supported sites using their existing webmail accounts, starting with Yahoo. Mozilla used the release as an opportunity to bash social sign-in offerings from Facebook and Twitter, which 'conflate the act of signing into a website with sharing access to your social network, and often granting the site permission to publish on your behalf,' said Lloyd Hilaiel, technical lead for Mozilla Persona. He added that they are built in such a way that social providers have full visibility into a user's browsing behavior."

81 comments

User Privacy (0)

Anonymous Coward | about a year and a half ago | (#43406729)

you guys still believe in this myth?

Re:User Privacy (5, Funny)

ackthpt (218170) | about a year and a half ago | (#43407051)

you guys still believe in this myth?

Absolutely, Mr. Elsgarth J. Finchlipp; 8871 W. Blortmann Terrace; Bleemington, VT, 01010; who recently read the Guardian, New York Times and Scotts Valley Patch, via Google News and purchased Lime Bagels with Soy Cheese at Eugor's Coffee Shoppe and Tea Room.

This just in... (-1, Flamebait)

girlintraining (1395911) | about a year and a half ago | (#43406735)

If it's free guys, you are the product. Please browse responsibly.

Re: This just in... (3, Insightful)

Anonymous Coward | about a year and a half ago | (#43406863)

Not always true. Facebook, yahoo, microsoft, google and the like are for profit companies that rely on advertisements and social graphs or referrals to generate revenue, which they need constantly more of. Got to keep those stock prices high!

Mozilla is a not for profit. They generate revenue with donations and a start page that links to Google. They don't care what you do on the web unless it causes their product to fail.

Mozilla is probably the only group you can trust for authorization, as they don't consider you a revenue model.

Re: This just in... (3, Insightful)

fustakrakich (1673220) | about a year and a half ago | (#43406941)

Mozilla is a not for profit.

Don't be so sure [mozilla.org] . Mozilla is the pipeline... Why else would Google 'value' them so much?
Hyman Roth always makes money for his partners.

Re: This just in... (2, Insightful)

Anonymous Coward | about a year and a half ago | (#43408481)

Because they value all platforms that improve the web.

It doesn't affect Mozilla's autonomy.

Re: This just in... (1, Troll)

girlintraining (1395911) | about a year and a half ago | (#43409793)

Not always true. Facebook, yahoo, microsoft, google and the like are for profit companies that rely on advertisements and social graphs or referrals to generate revenue, which they need constantly more of.

Who are those advertisements for? You. Who's in those social graphs? You. Who's the name on those referrals? You.

Re:This just in... (1)

DanTheStone (1212500) | about a year and a half ago | (#43407031)

Linux is free. How are we the product in that situation?

Re:This just in... (0, Flamebait)

girlintraining (1395911) | about a year and a half ago | (#43407179)

Linux is free. How are we the product in that situation?

When linux is a web-based service, call me and we'll talk. Until then, stop taking things out of context... it makes you look retarded.

Re:This just in... (1)

SolitaryMan (538416) | about a year and a half ago | (#43407725)

What is your phone number?

Re:This just in... (-1, Troll)

girlintraining (1395911) | about a year and a half ago | (#43407943)

What is your phone number?

(202) 456-1414 is my home number. I don't give out my cell.

Re:This just in... (3, Informative)

styrotech (136124) | about a year and a half ago | (#43408429)

When linux is a web-based service, call me and we'll talk. Until then, stop taking things out of context... it makes you look retarded.

When you understand what Persona is, call me and we'll talk. Until then, stop taking things out of context... it makes you look retarded.

Hint: Persona is a decentralised system/protocol implemented using open source code. Anybody can set up an identity provider, and Mozilla will have no connection to it. In terms of the rest of us being users vs being products it is far closer to Linux than your "web based services" (eg Facebook or Twitter).

Re:This just in... (2)

gmuslera (3436) | about a year and a half ago | (#43408777)

Free as in beer or free as in freedom? If what they do with you is hidden, then you are probably the product. But if it is done in an open, clear, and verifiable way, you may have some ground to base your trust on it or not.

Menu - New incognito window (Ctrl+Shift+N) (1)

cantsleep (2723025) | about a year and a half ago | (#43406747)

You've gone incognito. Pages you view in this window won't appear in your browser history or search history, and they won't leave other traces, like cookies, on your computer after you close all open incognito windows. Any files you download or bookmarks you create will be preserved, however.

Re:Menu - New incognito window (Ctrl+Shift+N) (4, Informative)

The MAZZTer (911996) | about a year and a half ago | (#43406823)

I think you missed the point. Persona is to allow a website to add a sign in feature for users who WANT to sign in.. for example, to save their preferences for the site or have an identity... without the hassle of having users create an account just for your site. The idea definitely isn't new, this is just Mozilla's own take on it.

Re:Menu - New incognito window (Ctrl+Shift+N) (0)

Anonymous Coward | about a year and a half ago | (#43406943)

I doubt if the newspaper sites (i.e. the ones that create much of the original professional content) would go for that. But I'm glad there are attempts to do something different in this space, eventually someone may get it right.

I'd rather have multiple authentication realms (5, Interesting)

Misagon (1135) | about a year and a half ago | (#43407171)

The biggest thing I have against single-sign-on is that I need different levels of security for different sites, and I want to keep the sites compartmentalised from each other.
For instance, I want high security for my email account and access it only from computers/devices that I have control over.
However, I have private playlists on Youtube that I may want to show to a friend, on a third guy's (two degrees of separation) computer. I don't want to have to be afraid of logging into Youtube on that machine because that computer would also get access to my email.

When I am on my trusted home computer, having different accounts for different things can get cumbersome with those sites that force single-sign-on on you!
Yes, while I could use the Incognito mode in Chromium to separate my logins -- it does only separate two sites, and I would have to log in each time I need a new window in incognito mode.
It would be much more convenient if I could have different "realms" or "personas", where I could browse each site in its own realm.

Re:I'd rather have multiple authentication realms (1)

Lennie (16154) | about a year and a half ago | (#43410547)

Persona == email address.

So create multiple email addresses, they are free.

Re:I'd rather have multiple authentication realms (1)

jalopezp (2622345) | about a year and a half ago | (#43410565)

You can have as many profiles on your browser as you want. They will each keep separate logins. Each profile is stored in ~/.config/chromium.

Re:Menu - New incognito window (Ctrl+Shift+N) (1)

Richard_at_work (517087) | about a year and a half ago | (#43410223)

Didn't Firefox just get shat on because it turns out that incognito and clearing histories etc doesn't actually remove everything? People were very surprised when files from years ago popped up into their download history again, and previously opened tabs etc etc etc.

Not google? (4, Insightful)

geek (5680) | about a year and a half ago | (#43406815)

So Mozilla took a jab at Facebook and Twitter but left Google alone? Is this because they take money from Google?

Re:Not google? (4, Informative)

Anonymous Coward | about a year and a half ago | (#43406897)

Google's sign-in is OpenID based and is explicit about what access you are granting to the website (usually just that they get to know your Google ID which is also your e-mail address). I guess if you have an associated G+ account then the website would be able to look at your public G+ posts/friends, but it's not comparable to Facebook letting apps post items to your newsfeed or even looking at your information marked as private (for Facebook applications).

Re:Not google? (2)

Jah-Wren Ryel (80510) | about a year and a half ago | (#43406951)

Google's sign-in is OpenID based and is explicit about what access you are granting to the website (usually just that they get to know your Google ID which is also your e-mail address).

If mozilla's personas system also exposes your email address, or some other id that is unique across multiple websites, then it is no better than OpenID.

So, either personas have better privacy than OpenID, and thus google's system deserves bashing too --- or personas are no better than OpenID and so I have to ask, why bother re-inventing the wheel?

Re:Not google? (3, Insightful)

AnyoneEB (574727) | about a year and a half ago | (#43407183)

Wikipedia's article on Mozilla Persona [wikipedia.org] (which links to "How BrowserID differs from OpenID" [mozilla.com] ) clarifies that. While the site you are authenticating to gets the same information it would get via OpenID, the authentication provider doesn't know what sites you are using. Due to the indirection of storing the cryptographic credentials in the browser, the OpenID provider doesn't need to be contacted for every login and therefore doesn't know what sites you are logging into.

This is related to the design of Persona being browser-based instead of web-based, which also provides additional security (harder to fake a password entry box if it's normally generated by the browser).

Re:Not google? (4, Interesting)

Jah-Wren Ryel (80510) | about a year and a half ago | (#43407515)

So, if I am reading that right, personas do not directly leak every login to a central database. But, it does use the same id across different websites so if the website used a service to cross-reference ids with other websites the net result would be the same.

Given the massive proliferation of trackers that we already have, I think we would quickly see them include persona id tracking too.

Re:Not google? (1)

paulkoan (769542) | about a year and a half ago | (#43407665)

It would be fairly straightforward to have a single login authentication method that exposed a unique id to each login destination. That would eliminate cross-referencing.

Re:Not google? (0)

Anonymous Coward | about a year and a half ago | (#43407991)

For most of us, yes. For 99.9% of users? No.

Re:Not google? (1)

Jah-Wren Ryel (80510) | about a year and a half ago | (#43408899)

It would be fairly straightforward to have a single login authentication method that exposed a unique id to each login destination. That would eliminate cross-referencing.

If it wasn't based on your email address, it might be feasible for a firefox add-on to pregenerate a couple of hundred persona ids and then automagically assign them to each individual website that has a login. But, my guess is that the email address requirement makes that effectively impossible except for people who own their own domains.

Re:Not google? (1)

Chrisq (894406) | about a year and a half ago | (#43409875)

It would be fairly straightforward to have a single login authentication method that exposed a unique id to each login destination. That would eliminate cross-referencing.

If it wasn't based on your email address, it might be feasible for a firefox add-on to pregenerate a couple of hundred persona ids and then automagically assign them to each individual website that has a login. But, my guess is that the email address requirement makes that effectively impossible except for people who own their own domains.

Why impossible? Probabilistic encryption [wikipedia.org] schemes could easily generate any number of unique IDs which are bound to your email address.

Re:Not google? (1)

Lennie (16154) | about a year and a half ago | (#43410567)

When you sign up to websites you usually have to supply an email address.

If only for password recovery.

They can already use that to cross-reference ids from users over multiple sites.

That is why Mozilla Persona uses email addresses, it's clearly an identity (unlike for example OpenID where a website/webpage is your identity). And you already needed an email address anyway.

Lots of people already have multiple identities: email address for work and one for home.

And you can create new identities for free, there are lots of free email providers.

Re:Not google? (2)

Jah-Wren Ryel (80510) | about a year and a half ago | (#43410715)

When you sign up to websites you usually have to supply an email address.

That's what mailinator is for.

That is why Mozilla Persona uses email addresses, it's clearly an identity (unlike for example OpenID where a website/webpage is your identity). And you already needed an email address anyway.

I read that same line of reasoning too. It is flawed. There is little to no value in having the SAME identity across multiple websites. But it is infeasible for most people to have a unique email address for each website.

And you can create new identities for free, there are lots of free email providers.

Free is a relative term, creating a new email account for each website is a hassle. Computer systems should make things easier, not require extra hassle.

Re:Not google? (1)

MattJD (1020453) | about a year and a half ago | (#43411717)

Except that mailinator could in theory implement an identity provider for its email addresses. There would be no security, but they could. Realistically it would be no worse than using mailinator now.

And most people have one email, and use it everywhere. This specification doesn't decrease their privacy because of that. If you are not already using multiple email addresses, you lose nothing by using browserid.

Re:Not google? (1)

Jah-Wren Ryel (80510) | about a year and a half ago | (#43415327)

And most people have one email, and use it everywhere. This specification doesn't decrease their privacy because of that. If you are not already using multiple email addresses, you lose nothing by using browserid.

That is circular reasoning. If a goal of browserid is to increase the user's security, this system does not achieve that, it only maintains the status quo.

Re:Not google? (1)

MattJD (1020453) | about a year and a half ago | (#43415697)

And most people have one email, and use it everywhere. This specification doesn't decrease their privacy because of that. If you are not already using multiple email addresses, you lose nothing by using browserid.

That is circular reasoning. If a goal of browserid is to increase the user's security, this system does not achieve that, it only maintains the status quo.

The goal of BrowserID isn't to reduce user tracking across sites. Its goal is to reduce the use of passwords, something it does pretty well. The objection to it was that it requires the site to know your email address, but most sites know this anyways. So privacy is not diminished, however the use of passwords (which most people don't handle well) is dramatically reduced. So yes, it improves security.

And just to add another point, if you own a domain and use a catch-all for multiple email addresses, nothing stops you from setting up an identity provider that authenticates all your email addresses by your one password, making multiple email addresses even easier to deal with.

I have issues with Persona, but this isn't one of them. The core BrowserID protocol is well thought out.

Re:Not google? (1)

Jah-Wren Ryel (80510) | about a year and a half ago | (#43415865)

The objection to it was that it requires the site to know your email address, but most sites know this anyways.

No, my objection is that it provides a unique id across multiple websites. An id that will be used for tracking purposes. The fact that the unique id is an email address is really irrelevant.

The goal of BrowserID isn't to reduce user tracking across sites. Its goal is to reduce the use of passwords, something it does pretty well.

By that requirement, there is no functional improvement. It does it just as well as centralized single-sign on like openid/facebook/googleplus. Maybe even worse since the credentials are stored in the browser, making it difficult to sit down at a friend's computer and use it to log in.

Re:Not google? (1)

MattJD (1020453) | about a year and a half ago | (#43416423)

The objection to it was that it requires the site to know your email address, but most sites know this anyways.

No, my objection is that it provides a unique id across multiple websites. An id that will be used for tracking purposes. The fact that the unique id is an email address is really irrelevant.

Except that it is not irrelevant. Websites already have your email address, and in most of the cases it is a pretty good identifier of the person. Most people I know have only one main email they use, the only exception being work emails. None of them use multiple emails to avoid tracking. And guess what most websites use as your identifier? Your email address. The fact BrowserID standardized on it doesn't reduce privacy for most people, and for those who care there are easy workarounds (regardless if you use multiple gmail/yahoo/etc addresses, mailinator, or domain catch-alls).

The goal of BrowserID isn't to reduce user tracking across sites. Its goal is to reduce the use of passwords, something it does pretty well.

By that requirement, there is no functional improvement. It does it just as well as centralized single-sign on like openid/facebook/googleplus. Maybe even worse since the credentials are stored in the browser, making it difficult to sit down at a friend's computer and use it to log in.

It improves upon those systems in one way, the authentication source never knows where the person signed into. OpenID requires this knowledge due to how the protocol works (and it's not centralized btw). Facebook/G+ are the same. And using your friend's computer to login still works. The credentials stored in your browser are temporary.

The reason the above is true is that the email provider and the website do not talk to discuss an individual user's credentials. So your email provider (ex. Google) doesn't know where you are logging into. And your browser only stores a token for an individual site that is valid for a short time (with a limit of 24 hours I believe). So any browser can be used, because the real authority is your email provider, not your browser.

Re:Not google? (1)

Jah-Wren Ryel (80510) | about a year and a half ago | (#43416573)

Except that it is not irrelevant.

Come on, don't try to put words in my mouth. It is MY OBJECTION and I don't care that it is based on email. OK? What I am objecting to is the fact that it uses a unique ID across multiple websites. THAT IS THE OBJECTION.

It improves upon those systems in one way, the authentication source never knows where the person signed into.

That is a benefit so small as to be meaningless. If anything this makes the situation worse because instead of just one company tracking you across all those logins now you have a unique id that any tracker can key off.

The fact BrowserID standardized on it doesn't reduce privacy for most people,

However it does not significantly INCREASE privacy for most people either. So what is the point?

And using your friend's computer to login still works. The credentials stored in your browser are temporary.

No, only some of the credentials are temporary. The private keys used to sign those temporary credentials are permanent. My point is not about leaving them behind for someone else to misuse, my point is that those private keys are not there to begin with. You can't sit down at someone else's browser and just use it to log in because those private keys used to sign the credential are only stored back on your own computer.

Re:Not google? (1)

MattJD (1020453) | about a year and a half ago | (#43417783)

Come on, don't try to put words in my mouth. It is MY OBJECTION and I don't care that it is based on email. OK? What I am objecting to is the fact that it uses a unique ID across multiple websites. THAT IS THE OBJECTION.

I'm not putting words into your mouth, I'm saying nothing has changed. How many websites don't track your email address? And how many people change their email address across websites? If you change the email, then you have no change in your privacy level. If you don't, then your privacy stays the same too. Nothing changes.

It improves upon those systems in one way, the authentication source never knows where the person signed into.

That is a benefit so small as to be meaningless. If anything this makes the situation worse because instead of just one company tracking you across all those logins now you have a unique id that any tracker can key off.

If you are so worried about being tracked, it should be important. BrowserID stops one company from tracking you across every website you log in to just by having you use their service. Of course if companies compare notes, then yes they can track your email address. But that is no different than before, and no different with OpenID.

The fact BrowserID standardized on it doesn't reduce privacy for most people,

However it does not significantly INCREASE privacy for most people either. So what is the point?

It's not about increasing privacy. It's about increasing security by killing extra passwords. That is its goal. It is about a decentralized single sign on. And BrowserID is working on that goal quite well.

No, only some of the credentials are temporary. The private keys used to sign those temporary credentials are permanent. My point is not about leaving them behind for someone else to misuse, my point is that those private keys are not there to begin with. You can't sit down at someone else's browser and just use it to log in because those private keys used to sign the credential are only stored back on your own computer.

According to this overview [mozilla.org] , that is not true. There are keys generated and used, but they are only valid for up to 24 hours (mentioned inside the above document). So yes you can just sit down at a computer and login to your favourite site, the computer will just generate a new key pair. It can even destroy the key pair once you are done, ensuring no one else can steal your identity.

And yes the private key can be re-used, but the public key is what expires and that is the signed component that matters. Thus after 24 hours, it doesn't matter that you have the private key.

Re:Not google? (1)

Jah-Wren Ryel (80510) | about a year and a half ago | (#43419663)

I'm not putting words into your mouth, I'm saying nothing has changed.

Nothing has changed == irrelevant.

Your problem is you are cherry picking from the three current systems - email verification, openid, and facebook/googleplus-style logins. Each of them has drawbacks. You keep shifting your argument based on the particular drawback to say that browserid is better, the problem is browserid does not eliminate any of those drawbacks, it just shuffles them around.

You: Eliminates multiple passwords
Me: So does facebook/googleplus and openid

You: Just as vulnerable to tracking by 3rd party trackers as email verification
Me: Facebook/googleplus stops 3rd party trackers

You: Stops googleplus/facebook/openid authorization provider from tracking you
Me: So does email verification

See? There is no net benefit here, just a re-arranging of the deck chairs on the titanic.

Re:Not google? (1)

MattJD (1020453) | about a year and a half ago | (#43419755)

Now you are just cherry-picking my quotes. The tracking ability of independent websites co-operating has not changed. And realistically, as long as you identify yourself the same way across sites, this won't change. If you change your identity (Facebook/G+/OpenID/Email/etc), then they can't track you (according to our discussion of tracking). BrowserID can't change that. Even if BrowserID sent a unique ID to each website, each website would then require an email address anyways. Guess what? You are back to being tracked.

Now, what BrowserID does give you is independence from your Identity Provider tracking you. Under Facebook/G+, it is trivial to see how this occurs. Under OpenID, it is the same. Under BrowserID, the Identity Provider never knows what sites you talk to. In fact, email verification does not provide this security. If your email provider reads your emails (as Google does), Google knows what sites you are talking to. So regarding your points:

You: Eliminates multiple passwords
Me: So does facebook/googleplus and openid

True. OpenID and BrowserID are decentralized, which is their primary draw.

You: Just as vulnerable to tracking by 3rd party trackers as email verification
Me: Facebook/googleplus stops 3rd party trackers

Incorrect. Facebook/G+ gives you an identity. That is their entire purpose. So not only do Facebook/G+ know who you talk to, the sites can easily co-operate to know this too. And I've checked their API documentation.

You: Stops googleplus/facebook/openid authorization provider from tracking you
Me: So does email verification

Partially correct. As pointed out above, your email provider can track you still. And removes the benefit of removing multiple passwords, which is the real benefit being pushed.

To ensure there is no goal post moving, this is my stance:

  1. You are no less protected from privacy invasion from random sites. So not a concern for adoption, and a problem most people don't even care about. For those who do, there are already methods to work around the issue as I've explained earlier (using multiple addresses, mailinator is 100% supportable, etc).
  2. You are isolated from the Identity Provider, giving the advantage over Facebook/G+/OpenID.
  3. You lose the multiple passwords, which is the real security benefit. This is the claimed benefit. And it is successful.

Now, if you can prove any point above is violated, then I'm interested in discussing this further. Please bring proof of the violation. Otherwise I'm done here.

Re:Not google? (1)

Jah-Wren Ryel (80510) | about a year and a half ago | (#43420157)

You lose the multiple passwords, which is the real security benefit. This is the claimed benefit. And it is successful.

Low hanging fruit right there:

https://blog.mozilla.org/beyond-the-code/2013/04/09/persona-beta2/ [mozilla.org]

Persona: more privacy, better security while making developers and users happy!

More security is not THE claimed benefit, it is only A claimed benefit.

That's not the first time you under-represented the claims:

It's not about increasing privacy. It's about increasing security by killing extra passwords.

This entire sub-thread which I started is not about increasing security, despite your constant efforts to muddy the waters.

Re:Not google? (1)

MattJD (1020453) | about a year and a half ago | (#43439001)

I'll give you the blog post. I've always read the project as being the security first, and privacy as the tack on to "sell it." My focusing on security came from that stance. I'll move that goal post then. If you want to ignore the security aspect, then Personas loses its (IMO) big benefit. But it doesn't become a privacy nightmare either. The key to remember is websites already have emails (many using them as the login id anyways), so BrowserID keying off that isn't a direct problem. Its decentralized manner means anyone can claim an email address, or an infinite amount if they want, so multiple IDs are just as possible.

Re:Not google? (1)

Jah-Wren Ryel (80510) | about a year and a half ago | (#43439243)

But it doesn't become a privacy nightmare either.

You are correct. The situation ALREADY IS a privacy nightmare. Browserid does essentially nothing to improve it. Which was the entire point of my objection from the first post.

Re:Not google? (1)

jalopezp (2622345) | about a year and a half ago | (#43410579)

But that's true of literally any single login scheme. It's better in the sense that no-one gets to store all the places you've logged into and all the sites you visit afterwards.

Re:Not google? (3, Interesting)

styrotech (136124) | about a year and a half ago | (#43408335)

usually just that they get to know your Google ID which is also your e-mail address

It's actually more private than that. Without knowing all the nitty gritty details - if an app follows Google's process for signing up users, that user gets a unique OpenID specific to that app via a common 'discovery' url.

That way all the apps you sign up for can't really connect you with anything else.

It is a slight pain for open standards though - Google is making it much harder to know what your standard OpenID actually is.

Re:Not google? (0)

Anonymous Coward | about a year and a half ago | (#43406945)

People might care what got posted to their Google+ account if anyone bothered to use Google+, but as it is it's like writing your browse history to /dev/null

No (1)

Frankie70 (803801) | about a year and a half ago | (#43409269)

Mozilla took a jab at Facebook and Twitter on behalf of Google.

Re:Not google? (1)

stephanruby (542433) | about a year and a half ago | (#43409311)

It's because no one uses the Google+ sign-in yet. Google has barely started phasing out the normal Google sign-in in favor of their Google+ sign-in [blogspot.com] .

Two key innovations introduced by the new Google+ sign-in over its predecessor, the plain Google sign-in. It's no longer compatible with an open standard like OpenID, it now uses its own proprietary standard. Plus, it exports everything plus the kitchen sink when signing-in into a web site (assuming you give it the permission to).

Still, I prefer the Google+ sign-in because it actually gives me granular control over which circles can see what I'm sharing without having to spam the rest of my acquaintances with content they don't want to see. Criticize Google all you want, but even when they do evil, they seem to be doing it better than other companies.

Re:Not google? (0)

Anonymous Coward | about a year and a half ago | (#43411407)

Google has barely started phasing out the normal Google sign-in in favor of their Google+ sign-in

I lost my Youtube account SEVERAL years ago, because Google would no longer allow me to login without having a G+ account.

That's not "barely started" in my book.

Privacy by fragmentation (3, Insightful)

Teun (17872) | about a year and a half ago | (#43406909)

Although total net privacy is these days nigh-impossible, attempting to spread or fragment your presence over many different systems might help some way, at least it's better than throwing all in the lap of a single vendor like Google, MS or God forbid, FB.

I am fortunate to be with a very privacy and security focussed ISP (xs4all.nl) and keep my mail addresses with them because of my dislike of harvesting by the 'free' mail providers.

It is not that I try to hide at every expense, like I use my real name on Usenet, but I'm surely not going to make it easy on the harvesters.

Re:Privacy by fragmentation (1)

Mister Liberty (769145) | about a year and a half ago | (#43407351)

XS4ALL sucks. Their spokesperson thinks Apple spells SECURITY.

Re:Privacy by fragmentation (1)

Teun (17872) | about a year and a half ago | (#43410021)

And their techs run most core applications on Linux.

I had not heard such from their spokesperson but at least he/she understands it's not Windows.

Re:Privacy by fragmentation (0)

Anonymous Coward | about a year and a half ago | (#43412591)

Dude, they're Dutch - that they can use a computer should be applauded.

Stop making it easier to require sign-ins (3, Insightful)

Anonymous Coward | about a year and a half ago | (#43406959)

I do not want to sign in. I don't want content personalized to me. I want to see what everybody else sees. Stop hiding stuff from me based on what you think I want to see. And let's not mince words here: You're not creating content for me. You're showing me stuff which already exists and was not tailor-made for me. You're "customizing my experience" by hiding stuff from me. Stop that. I will not sign in.

Re:Stop making it easier to require sign-ins (3, Informative)

Quasimodem (719423) | about a year and a half ago | (#43407315)

DuckDuckGo (https://duckduckgo.com/)

Re:Stop making it easier to require sign-ins (3, Interesting)

SolitaryMan (538416) | about a year and a half ago | (#43407741)

I gave it a try. Tried to use it at home for several months and really-really tried to like it. However, Google's results are still so much better that I kept using their "g!" feature more and more. Then just switched back to Google.

+1 (0)

Anonymous Coward | about a year and a half ago | (#43409117)

Same. DuckDuckGo might be anonymous, but it's not really a great search engine.

It is better than some of the alternatives, though, I will grant you.

Re:+1 (1)

ZorroXXX (610877) | about a year and a half ago | (#43410511)

I have been using https://www.ixquick.com/ [ixquick.com] for a long time with decent results (decent in the meaning that I seldom compare with google to see if there are some results missing).

Re:+1 (0)

Anonymous Coward | about a year and a half ago | (#43415101)

same but except pron...

in praise of AC (0)

Anonymous Coward | about a year and a half ago | (#43407053)

I have this naive hope that single-signon systems will mature to provide for ability to comment in an anonymous manner again.
In the past few years, most of the sites started requiring one to log in using facebook, twitter or some other identity-tracking system. So I stopped commenting ... except for slashdot, of course :)

want to be private (0)

ozduo (2043408) | about a year and a half ago | (#43407085)

get off the grid, go live in a cave or find a deserted island and wear camo gear.

Re:want to be private (0)

Anonymous Coward | about a year and a half ago | (#43407573)

I put my camo gear in the closet and now I can't find it.

Re:want to be private (1)

SolitaryMan (538416) | about a year and a half ago | (#43407753)

The problem is that you *can't* get off the grid, even once.

That is why (1)

Clifton Beach (809210) | about a year and a half ago | (#43407187)

"they are built in such a way that social providers have full visibility into a user's browsing behavior".
And that is exactly why they are popular with web sites.

Re:That is why (1)

gbjbaanb (229885) | about a year and a half ago | (#43410215)

step 1: embrace the social networks' desires and give them full access to your details for, umm, "personalisation" reasons while also allowing the networks to claim better privacy.

step 2: enhance the social networks' privacy settings to allow a single user to present multiple 'views' of himself to the network's users whilst still allowing the network to see a single person for, umm, "personalisation" reasons.

step 3: extinguish the pretend privacy offered by the social network by further enhancing the user details so the user can set which persona the social network gets to see.

worked well for a certain other company, why not here :)

Innocent Sin or Eternal Punishment? (0)

Anonymous Coward | about a year and a half ago | (#43407417)

http://en.wikipedia.org/wiki/Persona_2

Awesome design (for the late 1990s) (0)

Anonymous Coward | about a year and a half ago | (#43407677)

The year is 2013. The developed world, and much of the developing world, is now comfortable with computers and can very easily understand and work with something like... oh, I don't know... a password manager. I've seen 8 year olds and 80 year olds pick up KeePass in nothing flat.

Re:Awesome design (for the late 1990s) (3, Insightful)

unrtst (777550) | about a year and a half ago | (#43410639)

The year is 2013. The developed world, and much of the developing world, is now comfortable with computers and can very easily understand and work with something like... oh, I don't know... a password manager. I've seen 8 year olds and 80 year olds pick up KeePass in nothing flat.

If you go with the password manager route (or just memorize them), every site will SEE the username and password for itself. This means that every site must implement all the password and account management things securely (ex. password reset). This includes system security as well.

If one uses single sign-on, the participating sites never see the password (in most implementations).

So, the upshot is that you don't end up with a bunch of bit players trying to re-invent the wheel badly, each being an authentication breach waiting to happen. Add to that the fact that many users re-use the same password at multiple sites, and the situation looks worse.

The downside is that, if someone gets your single sign-on account information, then they get access to all your sites. The same is true if they get your keepass db and password, but that's not a service that runs somewhere else.

I think one of the most confusing bits about single sign-on is the end user perception on how it's sold... the "you only need to remember one account" is often the first selling point that is pushed. That's really just a side effect. The "no site ever has access to your password" is the bigger selling point, but it's too confusing to explain how that works, and people don't really care.

It's trivial to remove the "authenticate once, single sign-on, and when you visit another participating site you don't have to login again" part. For example, see section 2.1.1 of the Jasig CAS protocol (http://www.jasig.org/cas/protocol),

renew [OPTIONAL] - if this parameter is set, single sign-on will be bypassed. In this case, CAS will require the client to present credentials regardless of the existence of a single sign-on session with CAS.

When that is set, the CAS IdP does not automatically redirect you back to the original site. It will not re-use the established SSO session. It will prompt for login again. This could easily be set on the user's profile, or globally on the IdP. You'd then still have the benefit that each participating site would never see your credentials, but it would prevent sites from automatically logging you in. You could also use this to enter different credentials (ie. more than one account on the CAS IdP), so you could still have multiple accounts, and the sites would be none the wiser.

All that said, I'm personally comfortable with maintaining a separate username and password for every service I use, and still prefer it. Besides, the scary part isn't that some site could get the password I use for them, but that some site could be storing a bunch of information about me and I don't want that to get leaked (like vudu's recent thing, where they got hacked and leaked the last 4 digits of users' credit cards - the first 4 - 8 digits identify the type of card, the bank, and the branch office where the account was opened, so they're not that difficult to guess; the last 4 are the most unique part of your CC#, so it sucks that it's common practice to print that on all receipts and store it everywhere).
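The `renew` flow described in the comment above, seen from a participating site, as an added example that is not part of the original comment or the CAS project's code: it builds the `/login` redirect with `renew=true` and goes one step beyond the quoted section by also sending `renew` to CAS 2.0's `/serviceValidate`, so a ticket minted from an existing single sign-on session is refused. The host names and sample responses are constructed placeholders.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlencode

CAS_NS = {"cas": "http://www.yale.edu/tp/cas"}  # namespace of CAS 2.0 responses

def login_url(cas_base, service, renew=True):
    """Where the site sends the browser; the password is only ever typed at the IdP."""
    params = {"service": service}
    if renew:
        params["renew"] = "true"  # bypass any existing single sign-on session
    return f"{cas_base}/login?{urlencode(params)}"

def validate_url(cas_base, service, ticket, renew=True):
    """Back-channel URL the site fetches to exchange the one-time ticket for a username."""
    params = {"service": service, "ticket": ticket}
    if renew:
        params["renew"] = "true"  # IdP must reject tickets minted from an SSO session
    return f"{cas_base}/serviceValidate?{urlencode(params)}"

def parse_validation(xml_text):
    """Return (username, None) on success, (None, error_code) otherwise; fails closed."""
    if "<!DOCTYPE" in xml_text or "<!ENTITY" in xml_text:
        return None, "REJECTED_DTD"  # a CAS response never needs a DTD
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError:
        return None, "MALFORMED_RESPONSE"
    if root.tag != "{%s}serviceResponse" % CAS_NS["cas"]:
        return None, "UNEXPECTED_RESPONSE"
    user = root.find("cas:authenticationSuccess/cas:user", CAS_NS)
    if user is not None and user.text and user.text.strip():
        return user.text.strip(), None
    failure = root.find("cas:authenticationFailure", CAS_NS)
    code = failure.get("code") if failure is not None else None
    return None, code or "UNEXPECTED_RESPONSE"

# Constructed sample responses (not captured from a real server).
FRESH_LOGIN = """<cas:serviceResponse xmlns:cas="http://www.yale.edu/tp/cas">
  <cas:authenticationSuccess><cas:user>alice</cas:user></cas:authenticationSuccess>
</cas:serviceResponse>"""
SSO_TICKET_WITH_RENEW = """<cas:serviceResponse xmlns:cas="http://www.yale.edu/tp/cas">
  <cas:authenticationFailure code="INVALID_TICKET">ticket did not come from an initial login</cas:authenticationFailure>
</cas:serviceResponse>"""

if __name__ == "__main__":
    print(login_url("https://cas.example.org/cas", "https://app.example.org/cb"))
    print(parse_validation(FRESH_LOGIN), parse_validation(SSO_TICKET_WITH_RENEW))
```

The site only ever handles the one-time ticket and the username returned by validation; any response that is not an explicit `authenticationSuccess` is treated as a failed login.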

SAML? (1)

manu0601 (2221348) | about a year and a half ago | (#43408113)

How does that compare to SAML?

Re:SAML? (1)

styrotech (136124) | about a year and a half ago | (#43408453)

How does that compare to SAML?

It isn't an XML and SOAP powered enterprise style sea of complexity?

I'm sure there are other differences :)

Re:SAML? (1)

manu0601 (2221348) | about a year and a half ago | (#43408501)

It isn't an XML and SOAP powered enterprise style sea of complexity?

The XML and SOAP stuff in SAML is almost transparent to the users and administrators, as far as I experienced

Re:SAML? (1)

Lennie (16154) | about a year and a half ago | (#43410637)

Re:SAML? (2)

manu0601 (2221348) | about a year and a half ago | (#43410699)

These are implementation vulnerabilities, not protocol vulnerabilities.

Besides this, as a user of simpleSAMLphp, I am happy to see it was not vulnerable in this paper.

Re:SAML? (1)

Lennie (16154) | about a year and a half ago | (#43415845)

If only 2 in 14 implementers of a security, euh... authentication protocol can get the implementation somewhat right without making huge mistakes then maybe the protocol was more complicated than needed.

Re:SAML? (1)

manu0601 (2221348) | about a year and a half ago | (#43418279)

Another possible interpretation: 11 of the 12 vulnerable implementations were in java. Perhaps they are all bloatwares written by programmers that struggle to master an overcomplicated language? (that suggestion will probably not rise my karma :-)

Re:SAML? (1)

Lennie (16154) | about a year and a half ago | (#43425321)

that suggestion will probably not rise my karma

It did with me. :-)

Persona vs Browserid (1)

MattJD (1020453) | about a year and a half ago | (#43412317)

I still don't like Mozilla's Persona. For a system meant to be distributed and open, it sure relies a lot on Mozilla services. I like the idea of BrowserID (the underlying specification to Persona), I just really dislike how everyone has to rely on Mozilla to use Persona.

Re:Persona vs Browserid (1)

dveditz (11090) | about a year and a half ago | (#43426023)

Mozilla isn't too keen on that, either: we're quite serious about wanting this to be a distributed system. Announcing Yahoo as an Identity Provider is an important step toward that. Another important step will be native navigator.id support in the browser so sites don't need to load the polyfill from persona.org.

There is a simple solution to this, really (0)

Anonymous Coward | about a year and a half ago | (#43483045)

If they're trying to steal your identity, give them your identity, but not the real one. Make a bogus parallel ID for things that you don't really wanna associate with yourself.
I have already done this for google products: thefirstanonymousman.
Also install Disconnect. You're good to go.
