Beta
×

Welcome to the Slashdot Beta site -- learn more here. Use the link in the footer or click here to return to the Classic version of Slashdot.

Thank you!

Before you choose to head back to the Classic look of the site, we'd appreciate it if you share your thoughts on the Beta; your feedback is what drives our ongoing development.

Beta is different and we value you taking the time to try it out. Please take a look at the changes we've made in Beta and  learn more about it. Thanks for reading, and for making the site better!

Mozilla Launches Persona Identity Bridge For Gmail

samzenpus posted 1 year,20 days | from the being-yourself dept.

Mozilla 114

An anonymous reader writes "Mozilla today announced the Persona Identity Bridge for Gmail users. If you have a Google account, this means you can now sign into Persona-powered websites with your existing credentials. The best part is of course Mozilla's pledge to its users. 'Persona remains committed to privacy: Gmail users can sign into sites with Persona, but Google can't track which sites they sign into,' Mozilla Pesrona engineer Dan Callahan promises."

cancel ×

114 comments

Sorry! There are no comments related to the filter you selected.

And this is impressive why? (1, Insightful)

BitZtream (692029) | 1 year,20 days | (#44515545)

I'm supposed to find it impressive that a website can take my username and password, and present it to another website and confirm its validity?

So I don't tell Google what I'm logging in to, but I instead give you my authentication information for Google?

I don't think so Tim.

Color me unimpressed with Mozilla rehashing something from 40 years ago ... and doing it wrong in the process.

Re:And this is impressive why? (2, Interesting)

Anonymous Coward | 1 year,20 days | (#44515597)

This is news because the browser becomes increasingly biased. First Facebook integration, now a Google identity bridge (or whatever it is called). Firefox increasingly gravitates towards the money and away from the neutral zone. It's about time to switch to Seamonkey or Chromium.

Re:And this is impressive why? (1)

hairyfeet (841228) | 1 year,20 days | (#44516715)

Uhhhh...you just NOW figured this out? Them being more and more tied in has been SOP at Moz for awhile, its pretty dang obvious that like Canonical they are in the "show me the money!" phase instead of listening to users.

BTW for those that want a different browser, mind a suggestion? Try Comodo Dragon [comodo.com] for those that like the Chromium based and Comodo Ice Dragon [comodo.com] for those that prefer the Gecko way of doing things as not only does it have none of the phone home stuff (any and all extra features are opt in and both ask during install and can be turned on and off in settings if you change your mind) but the extra features are all based around increasing security, Dragon comes with PrivDog (can disable if you choose) to block tracking, both have the option of Comodo Secure DNS which uses the Comodo AV blacklists to block known phishing and malware sites, and if you want you can pair it with the also free Comodo Internet Security [comodo.com] which will give both Dragon and Ice Dragon a second icon on your desktop which is virtual mode. In the VM the browser is completely sandboxed which since I've started giving this combo to my customers malware infections have dropped right off the chart, in fact I've not needed to do a single malware cleanup on any system running a Comodo browser and CIS.

This is one place where we have it sooooo much better than we ever did, because now we actually have choice, its no longer "Take Moz or IE or websites won't render right", now we have a wealth of options, nearly all free, so if you don't like FF, Chrome, or IE? There is Dragon and Ice Dragon, SWIron, Opera, Safari, Kmeleon, heck if you need a browser that will run on pretty much anything QTWeb runs on windows, *NIX and BSD, you have a wealth of choices so don't just take what you are given if it doesn't work for you, find one that fits you instead.

Re:And this is impressive why? (1, Insightful)

Anonymous Coward | 1 year,20 days | (#44516861)

Are you still hawking that Comodo shit? How much kickback do they pay you for each endorsement?

Re:And this is impressive why? (3, Interesting)

Anonymous Coward | 1 year,20 days | (#44517085)

Uhhhh...you just NOW figured this out?

Sigh, more anti-FOSS fud from somebody who should know better. Plenty of people have explained this to you in past conversations.

In fact, Google is not the default search engine in all the localized versions of Firefox. There's long been a Yandex version of Firefox and Yandex is the default in Russia and Russian speaking countries.

More recently, Mozilla partnered with Microsoft, once its arch nemesis, to offer a Bing-themed version of Firefox. Bing, of course, is a default search option in Firefox.

Now, Microsoft and Mozilla are partnering once again with a MSN-themed version of the browser, for the people that still use MSN for some reason. Probably the same reason why people still use Yahoo Mail.

This version of the browser comes with the standard modifications, Bing as the default search engine, both in the search box and the AwesomeBar, a link to msnNOW in the toolbar and MSN as the homepage.

http://news.softpedia.com/news/MSN-ified-Version-of-Firefox-Dilutes-Mozilla-s-Dependence-on-Google-310533.shtml [softpedia.com]

Re:And this is impressive why? (1)

wannabgeek (323414) | 1 year,19 days | (#44518645)

Hey don't diss Yahoo! mail. That's what I use to signup to various websites so my regular email is not spammed by websites that I used only once in my life.

Re:And this is impressive why? (0)

Anonymous Coward | 1 year,19 days | (#44518817)

You should try guerrillamail for this

Re:And this is impressive why? (0)

Anonymous Coward | 1 year,19 days | (#44520663)

Why? He has a solution that works for him, so why try another based on an AC suggestion?

Re:And this is impressive why? (1)

hairyfeet (841228) | 1 year,19 days | (#44525891)

LOL look at the FOSSIe! I suggested over a dozen alternatives, ALL OF THEM FOSS except for Opera but because he is a foaming at the mouth religious lunatic he isn't goes "ZOMG u don't like teh Moz, u must be the debil!". Try reading dumbass, the source for every one of the alternatives is on their website, moron. BTW please keep it up, you make all FOSS users look completely batshit, I'm sure Apple and MSFT love you.

Re:And this is impressive why? (1, Insightful)

TheRaven64 (641858) | 1 year,19 days | (#44518445)

An Internet Security suite from a company that no longer has its root certificate in my trusted list because of their inability to secure their own systems? Why on earth would I want something like that?

Re:And this is impressive why? (1)

Clsid (564627) | 1 year,19 days | (#44520261)

Lol, comodo what? Go back to the hole you came from troll. Today if you are not using Chrome, Firefox or Safari, I hope you can at least say it is because you are using Icecat.

All of those alternate browser fail because of the add-ons. That's the main thing today with browsers since anybody can build a proper browser using Gecko, Webkit or even Trident.

Re:And this is impressive why? (1)

hairyfeet (841228) | 1 year,19 days | (#44525929)

So you suggest 2 browsers that send everything back to corporate, one of which frankly doesn't even run worth a shit on Windows, or a browser where their own devs have said on their website repeatedly their current focus is on MOBILE and NOT the desktop? Yeah, keep slurping that koolaid pal, BTW there AREN'T any addons on ANY of the alternatives I named, there is a button that lets you use Secure DNS, just as there is a button to tie Chrome to your Gmail, but if you actually tried them instead of mouthing off you would know this.

Re:And this is impressive why? (4, Informative)

icebraining (1313345) | 1 year,19 days | (#44518249)

1) This is not part of Firefox

2) The first bridge was for Yahoo, not Google, and it's part of an authentication system (Persona) that is actually completely unbiased towards any provider.

Re:And this is impressive why? (1)

X0563511 (793323) | 1 year,19 days | (#44520183)

If it was part of Firefox (it isn't) switching to Seamonkey wouldn't get you anything different...

Re:And this is impressive why? (5, Informative)

Noughmad (1044096) | 1 year,20 days | (#44515625)

This is impressive. It's basically separation of powers. Google has your account, but doesn't know what sites you visit. Mozilla doesn't have your account, but knows what websites you visit*. The websites themselves have nothing, except a confirmation that the e-mail address is really yours.

I, for one, trust Mozilla more than Google, and both much more than the average website.

*: I think I read some time ago in the documentation that Mozilla can't see what websites are requesting the auth. I'm not sure I remember it right, and I never checked the claim, and it might have changed since that time. For now, I assume the information is visible.

Re:And this is impressive why? (0)

Anonymous Coward | 1 year,20 days | (#44515833)

This is impressive. It's basically separation of powers. Google has your account, but doesn't know what sites you visit. Mozilla doesn't have your account, but knows what websites you visit*. The websites themselves have nothing, except a confirmation that the e-mail address is really yours.

Yes, and the government has ALL of it, so tell me again how this "separation" really fucking matters?

I, for one, trust Mozilla more than Google, and both much more than the average website.

Well, then I suppose you're both ignorant and naive. Good luck with that mentality and trust model.

Re:And this is impressive why? (4, Insightful)

Your.Master (1088569) | 1 year,20 days | (#44516127)

Because "The Government" isn't the only boogeyman in the world.

Re:And this is impressive why? (0)

Anonymous Coward | 1 year,19 days | (#44522521)

Even we assume that the government is the only entity you should be concerned about, it has the power to take the data collected by all of the entities that you aren't worried about, like Google. This is why any entity should only be allowed the minimum amount of your information needed to perform the services you use them for.

Re:And this is impressive why? (5, Insightful)

icebike (68054) | 1 year,20 days | (#44515915)

I believe mozilla can see what websites you are requesting, but they claim they do not retain this [thenextweb.com] because they are not required to do so.
That could change I suppose. Clearly they have to have a list of emails that they can process, but not necessarily what sites you can use them for because they can just try to log in, and let it fail. Then go thru the authorization process [mozilla.com] .

I like the idea of spreading the knowledge around so that no one source knows everything. This essentially puts a middle-man in the Auth process, but that man knows very little.

But I don't think this will work in the long run because someone will break SSL or demand the keys and the whole thing comes down.

Mozilla is just as much subject to NSA letters as anyone else. And since almost 100% of their funding comes from Google anyway, I can't help but thinking this is a joint project, or at least carried out with Google's full approval. But still it makes it necessary for the NSA to look a lot more places when building a list and checking it twice.

Re:And this is impressive why? (4, Informative)

ozmanjusri (601766) | 1 year,20 days | (#44516823)

And since almost 100% of their funding comes from Google anyway, I can't help but thinking this is a joint project, or at least carried out with Google's full approval.

About 85%, and that's from a standard commercial arrangement - eg a fee for a service. It bought Google the default search engine spot, but nothing else.

Microsoft had the opportunity to buy the spot for Bing, but chose not to.

http://www.businessinsider.com/why-did-microsoft-let-google-win-the-firefox-deal-2011-12 [businessinsider.com]

Re:And this is impressive why? (1)

Clsid (564627) | 1 year,19 days | (#44520333)

I hate to break it to you but Firefox has a lot of Google integration without you noticing. Take a system like Safebrowsing for instance, Microsoft developed their own thing and so did a lot of antivirus companies. Firefox's solution? Instead of trying to use something like WOT or even some local replicated list a la DNS, they just send your queries to Google in hash form. Ask yourself if Google is so benevolent why don't they allow a service where those queries are done locally?

Also if you do not install something like NoScript or Ghostery, there is a lot of tracking that they don't even care to protect you from. Mozilla should be the people's browsers and they should be at the forefront of the privacy fight. Instead they just take a back seat and let add-ons do the job while they collect the big paycheck from the advertisement companies.

Re:And this is impressive why? (0)

Anonymous Coward | 1 year,19 days | (#44520527)

You don't know what Firefox is, do you?

Re:And this is impressive why? (5, Informative)

Anonymous Coward | 1 year,20 days | (#44516957)

Persona is a reference implementation of the BrowserID protocol, which is fully decentralized.

If your browser and email provider (or your own domain!) support BrowserID / Persona, then Mozilla is completely removed from the login transaction. We don't want to be able to track you, and we've designed a system that automatically removes us from the picture as it gains traction.

Re:And this is impressive why? (1)

hobarrera (2008506) | 1 year,19 days | (#44518171)

I like the idea of spreading the knowledge around so that no one source knows everything. This essentially puts a middle-man in the Auth process, but that man knows very little.

Why spread that knowledge? OpenID doesn't require you to make any information available to any third party - unless you pick a third party provider, but still, you've a large amount of options from where to pick.

Re:And this is impressive why? (3, Informative)

Desler (1608317) | 1 year,20 days | (#44516025)

It's meaningless when most sites use Google Analytics and you'll be tracked by Google anyway.

Re:And this is impressive why? (3, Insightful)

godel_56 (1287256) | 1 year,20 days | (#44516263)

It's meaningless when most sites use Google Analytics and you'll be tracked by Google anyway.

What, you don't use NoScript?

That reminds me, I should send that guy another donation

Re:And this is impressive why? (1)

Desler (1608317) | 1 year,20 days | (#44516307)

Sure, but the vast majority of web users don't.

Re: And this is impressive why? (-1)

Anonymous Coward | 1 year,20 days | (#44516533)

Why would you send yourself a donation? Isn't self-promotion enough?

Re:And this is impressive why? (1)

Anonymous Coward | 1 year,20 days | (#44516799)

What, you don't use NoScript?

NoScript isn't enough, unless you never enable JS for any sites. In which case - why use NoScript when you could just turn off JS?
Any sites you enable JS for will load Google's JS, even if NoScript prevents them from executing - and that's enough for Google to track you.

To really stop it, you need a proxy like Privoxy or Squid.
Even with that, I'm having a hard time keeping up with all the new ways Google tries to track.

Re:And this is impressive why? (3, Insightful)

syockit (1480393) | 1 year,20 days | (#44517091)

I don't remember how it was in NoScript, but in ScriptSafe (for Chrome), even in whitelist mode, a preset of known URLs are blocked before requests could be sent.

Re:And this is impressive why? (1)

Clsid (564627) | 1 year,19 days | (#44520903)

I think Ghostery does a better job and it is a bit user to use.

Re:And this is impressive why? (1)

icebraining (1313345) | 1 year,19 days | (#44518255)

Uh, you haven't actually used it, have you? You can enable scripts for the main domain, while keeping Google services blocked.

Re:And this is impressive why? (0)

Anonymous Coward | 1 year,19 days | (#44520059)

Run Firebug with NoScript.

For example, lets look at Newegg:
http://www.googleadservices.com/pagead/conversion/1004977346/?label=HC8WCLbZ7wIQwvma3wM&guid=ON&script=0
http://fls.doubleclick.net/activityi;src=1435575;type=neweg420;cat=click952;ord=1;num=1246920481621.15?
http://ad.doubleclick.net/activity;src=1435575;dcnet=4581;boom=42878;sz=1x1;ord=4804992779649233?

All three of those requests make it to my proxy (which then blocks them) in spite of NoScript disallowing *doubleclick.net and *googladservices.com

Re:And this is impressive why? (1)

icebraining (1313345) | 1 year,19 days | (#44524631)

Uh, none of those are scripts, which is what NoScript blocks. Whether images are loaded has nothing to do with "Google's JS" being loaded despite NoScript, as it was claimed.

Re:And this is impressive why? (1)

hawkinspeter (831501) | 1 year,19 days | (#44518013)

A combination of Ghostery and NoScript fixes that.

Re:And this is impressive why? (0)

Anonymous Coward | 1 year,19 days | (#44518947)

Ghostery blocks Google Analytics (as does Adblock. I use both).

Re: And this is impressive why? (0, Interesting)

Anonymous Coward | 1 year,20 days | (#44516581)

You trust Mozilla even though they want to build aggregating and selling [mozilla.org] your browsing history and "interests" (derived from the contents of the pages you visit) into the Firefox browser?

Re: And this is impressive why? (2, Informative)

Anonymous Coward | 1 year,20 days | (#44517137)

You trust Mozilla even though they want to build aggregating and selling [mozilla.org] your browsing history and "interests" (derived from the contents of the pages you visit) into the Firefox browser?

Your statement does not even remotely reflect what Mozilla are saying in the blog postng you linked to.

To quote from your link:

"We recently shared our view that personalization must be handled with respect for the individual user. We want to see even more personalization across the Web from large and small sites, but in a transparent way that retains user control. The team at Mozilla Labs is focused on exploring ways to move the Web forward, and has thought a lot about how the browser could play a role in making useful content personalization a reality."

What is your motivation for making a lying post to show Mozilla in a hostile light, and why do you think you're being moderated up?

Re: And this is impressive why? (0)

Anonymous Coward | 1 year,19 days | (#44517817)

my motivation is i'm a douchebag with mommy issues. there, i said it, are you happy now?

Re:And this is impressive why? (5, Insightful)

Anonymous Coward | 1 year,20 days | (#44516645)

*: I think I read some time ago in the documentation that Mozilla can't see what websites are requesting the auth. I'm not sure I remember it right, and I never checked the claim, and it might have changed since that time. For now, I assume the information is visible.

This is correct.

The way Persona works:
* browser generates public-private key pair with the e-mail address as an attribute
* you send the public part to Mozilla (or whichever ID provider (IdP) you want) to sign
* the IdP confirms that you have access to said e-mail address, and if so, gives you back the signed data (like a CA) by using the IdP's private key
* you send the signed data to the website
* the website grabs the IdP's public key and verifies the signature

Basically think of it as a decentralized PKI and/or a variant of PGP's web of trust: public-private keys with distributed signing to confirm that you have access to a particular e-mail address account.

All Mozilla (or any IdP) knows is that a web site grabbed it's public key (which can be cached, so traffic analysis isn't useful either). The IdP doesn't know which person's signed data is being checked. Whenever you want to sign in, the website sends your browser a timestamped nonce. The website has your verified public key on file and so can verify the signature of your browser's response.

Each device you have (or web browser you use) has its own private key/s, and so if you lose a smartphone you can revoke the keys on it. You should have a "master password" for your web browser with an auto-logout.

This is similar to a password manager, but you don't have to type anything in, and if a website's database is compromised then the attackers don't actually have anything useful.

You can also use multiple e-mail address, even for the same website.

Re:And this is impressive why? (0)

Anonymous Coward | 1 year,20 days | (#44516717)

Google [...] doesn't know what sites you visit

Really? [google-analytics.com]

Between Double-click, apis.google.com, Google-Analytics, and ads.google.com I'm pretty sure Google knows exactly what sites you visit.

Re:And this is impressive why? (1)

Anonymous Coward | 1 year,20 days | (#44517039)

For that there is ghostery

Re:And this is impressive why? (1)

hobarrera (2008506) | 1 year,19 days | (#44518157)

I trust mozilla, but why should I have them in the middle of my authentications? Why would I allow them to know where I'm logging in? Why should anyone else trust them?

I'd much rather use something like OpenID. I don't have to use any intermediate I don't want to. I trust mozilla (today), but I still think it's wrong to have them in the middle when there's no strict need. I also respect that other may wish not to trust mozilla with the mentioned data.

Re:And this is impressive why? (2)

icebraining (1313345) | 1 year,19 days | (#44518261)

Persona only needs a "middle man" if the domain you use doesn't support it natively. It's a fallback, not a requirement.

If you used a provider that supported Persona natively, not only you wouldn't need Mozilla as the middle man, as (unlike with OpenID), that same provider wouldn't know where you were logging in to.

Re:And this is impressive why? (1)

2fuf (993808) | 1 year,19 days | (#44518277)

> I, for one, trust Mozilla more than Google, and both much more than the average website.

The point is not whom you trust, the point is that the list of parties having access to the data stored by whom you trust, may change without your/their knowledge and control.

Re:And this is impressive why? (5, Informative)

icknay (96963) | 1 year,20 days | (#44515839)

Are you kidding? Persona solves a whole raft of super common problems
  • -Say for example kittens.com site you post on is hacked. With Persona the bad guys don't get anything. There is no password stored on kittens.com. It's more akin to certs. That alone will eliminate a whole class of internet disasters that we read about every week on slashdot.
  • -I don't want to make up yet another stupid username/password recovery question for every site. Now I can just use one of the Persona identities I already have, and I'm done. I also trust Mozilla or Google a lot more to be on top of security than kittens.com
  • -Unlike, say, facebook connect, this is a federated standard, not dependent on any org. You can run your own identity-provider if you like, not that most people would care to.

Re:And this is impressive why? (1)

icebike (68054) | 1 year,20 days | (#44516043)

Are you kidding? Persona solves a whole raft of super common problems

  • -Say for example kittens.com site you post on is hacked. With Persona the bad guys don't get anything. There is no password stored on kittens.com. It's more akin to certs. That alone will eliminate a whole class of internet disasters that we read about every week on slashdot.
  • -I don't want to make up yet another stupid username/password recovery question for every site. Now I can just use one of the Persona identities I already have, and I'm done. I also trust Mozilla or Google a lot more to be on top of security than kittens.com
  • -Unlike, say, facebook connect, this is a federated standard, not dependent on any org. You can run your own identity-provider if you like, not that most people would care to.

Well its not totally dissimilar from using your google log in to access any site. That site never knows your google password.
But they do know your email, at a minimum.

This is the same thing, except that Persona will serve as the authentication for your email, and they will in-turn ask Google, and then they will tell you exactly what the target site is requesting from Google, and let you approve it.

But the target site clearly gets your email.

Re:And this is impressive why? (2)

icebraining (1313345) | 1 year,19 days | (#44518263)

No, it's not the same thing, because 1) you don't have to use Google to use Persona, and 2) with Persona, Google doesn't know where you're logging in to.

Re:And this is impressive why? (1)

pathological liar (659969) | 1 year,19 days | (#44517797)

You CAN run your own identity-provider, but good luck using it anywhere. OpenID and OAuth are federated standards too, but most "relying parties" only accept a handful of major providers.

Re:And this is impressive why? (2, Informative)

Anonymous Coward | 1 year,19 days | (#44517901)

OAuth requires specific providers to individually be enabled by each consuming website, yes.
OpenID does not. If a website implements OpenID properly, any OpenID provider can be used, even if the website owner has never heard of it.

Re:And this is impressive why? (0)

Anonymous Coward | 1 year,19 days | (#44519551)

So it's OpenID? The great thing about standards is that there's so many of them.

Re:And this is impressive why? (0)

Anonymous Coward | 1 year,20 days | (#44516579)

According to the what-is-an-identity-bridge [mozilla.com] :

With Identity Bridging, Persona learned a new trick; instead of sending confirmation emails, Persona can ask you to verify your identity via your email provider’s existing OpenID or OAuth gateway.

In other words, it's just a way to make OpenID even easier to use.

Re:And this is impressive why? (1)

TheLink (130905) | 1 year,19 days | (#44517869)

Maybe they're trying get some money from the NSA too ;)

What about the NSA? (2, Interesting)

runeghost (2509522) | 1 year,20 days | (#44515555)

Can the government track what sites I sign into with Persona? And if they can't, can they do so once they serve the Mozilla Foundation with a Writ of Assistance ^W^W^W National Security Letter.

Re:What about the NSA? (5, Interesting)

icebike (68054) | 1 year,20 days | (#44515649)

They post exactly what they have on you and how they use the data here. [thenextweb.com]

Basically it keeps Google from snooping, and allows Mozilla still has some records of the sites you access.
All information is transferred by SSL but its highly likely that Mozilla has already been forced to quietly turn over its SSL keys
to the government. (At least Snowden claims this has happened).

So at best you protect yourself from Google, and make the government look in two databases to see where you log in.

Re:What about the NSA? (1)

murdocj (543661) | 1 year,20 days | (#44515879)

How does the government "force" Mozilla to turn over SSL keys?

Re:What about the NSA? (5, Informative)

icebike (68054) | 1 year,20 days | (#44516065)

Re:What about the NSA? (2)

Jah-Wren Ryel (80510) | 1 year,20 days | (#44516569)

> NSA letter. Where the hell have you been?

Actually it is an NSL [wikipedia.org] although NSA Letter is a pretty apropos freudian slip.

Re:What about the NSA? (1)

AHuxley (892839) | 1 year,20 days | (#44516367)

Mozilla to turn over SSL keys?
FBI/DoJ might show the paperwork, present a contractor for the hardware delivery and any 'help' to slide a new server in, a help number for on going network issues.
A legal and domestic agency with a letter to present and US legal staff knowing they covered.
ie some form of a self issued National Security Letter and a nondisclosure order?
Unconstitutional questions start to surface then.
A splitter later and all http://en.wikipedia.org/wiki/Room_641A [wikipedia.org] good.

Re:What about the NSA? (1)

Anonymous Coward | 1 year,20 days | (#44516689)

Basically it keeps Google from snooping, and allows Mozilla still has some records of the sites you access.

How exactly does Mozilla have records of where you visit? The way Persona works prevents the ID provider (IdP) from gathering this information.

For every site you create a public-private key pair. You send the public key to your IdP (e.g., Mozilla) for signing with their private key. Once it's signed, you send that signed data to the website you want to log into. They send you a nonce which you sign with your private key.

To verify, the website grabs the IdP's public key and verifies the signature. The IdP does not know who the website is trying to verify, all it knows is that some website grabbed its public key. And the pub key is cacheable, so the IdP can't even to traffic analysis if the TTL is a decent amount of length.

At no point should the website say to the IdP "I'm try to verify person X". When the public key is fetched (assuming the cache has been flushed), the IdP simply knows that the website is verifying A person, and not which particular person. Or the website could simply request the IdP's public key at random intervals to mess around with any possible traffic analysis.

The IdP does not at any time received information on which websites you're logging into, and so Mozilla (or any other IdP) cannot provide that information to any third party.

Re:What about the NSA? (2, Informative)

Anonymous Coward | 1 year,20 days | (#44517125)

Mozilla can, for now, have records of where you visit because the system is still bootstrapping off their servers. In the common case right now, the site (RP) includes a JavaScript file from Mozilla's servers to do the login; and that uses the Mozilla database for a fallback until your email provider/IdP opts in into supporting Persona. So, right now, Mozilla can see which site you're trying to visit and what your account is because the window you enter your credentials into is all hosted by them. (I have no particular reason to believe that they're actually recording any of this, but they are capable of doing so if they really wanted to.)

In the future, once the adoption of the whole system has gone up, this will no longer be true. In that hypothetical future, the RP will have all the verification stuff locally, and the IdP is your email provider, and nothing ever gets sent to Mozilla. That future is not yet here.

Re:What about the NSA? (1)

Impy the Impiuos Imp (442658) | 1 year,20 days | (#44516079)

They already know and record every damned site you go to already, and thus also that Persona goes to, and they could, I supposed, trivially correlate that.

They could also gin up one of those unconstitutional blanket orders and force Persona to give them all your other info, and password, though that would largely just be correlating what they know about you already.

Re:What about the NSA? (3, Interesting)

caspy7 (117545) | 1 year,20 days | (#44516955)

Persona has been designed to be fully decentralized. Mozilla plans to be removed from the equation. So that should really help to up the anonymizability (suck it spell check!) of the system.

Re:What about the NSA? (0)

Anonymous Coward | 1 year,19 days | (#44519271)

I'll help ya.

Persona has been designed to be fully decentralized. Mozilla plans to be removed from the equation. So that should really help to up the anonymizability (suck it spell check!) of the system.


Persona has been designed to be fully decentralized. Mozilla plans to be removed from the equation. this move should help system anonymity.

Social Networking Button (1)

Anonymous Coward | 1 year,20 days | (#44515579)

And no Social Networking button? What wrong with these people!

Google can't track.... (1, Insightful)

dnadoc (3013299) | 1 year,20 days | (#44515623)

Google can't track Somehow, I'm suspicious of this claim.

Re:Google can't track.... (2)

Noughmad (1044096) | 1 year,20 days | (#44515641)

From this identity bridge, Google only gets one authentication request, and it is from Mozilla.

However, considering their yearly donations to Mozilla, they might have other means of accessing it.

Re:Google can't track.... (0)

Anonymous Coward | 1 year,20 days | (#44515757)

They still get your IP address and the ability to associate it with other requests originating from the same IP, many of which may be static, even if they can't directly associate it with a person, they'll still track it in some fashion.

Re: Google can't track.... (0)

Anonymous Coward | 1 year,20 days | (#44515843)

...and if the site is using google analytics they could send anything back ... but it's a step in the right direction perhaps.

Re:Google can't track.... (2)

markjhood2003 (779923) | 1 year,20 days | (#44515929)

My fantasy is that Mozilla will someday support something like the old Google Sharing Firefox add-on -- run a server that pools all your search requests, mixing your cookies with other users, and replacing your IP. This makes it look like you're running from an organization's NAT'ed local network, with no ability to track your real IP and identity. In addtion, Google Sharing would allow you connect to Google with HTTPS, so that the Google Sharing server can never know what you're searching for, while Google can't find out your identity.

The original Google Sharing was implemented by Moxie Marlinspike and was then taken over by Abine.com in some transaction that I don't understand. Since then Google Sharing has become very unstable and pretty much unusable, and Abine makes no mention of it on their web site. Anybody know what happened?

Re:Google can't track.... (0)

Anonymous Coward | 1 year,20 days | (#44516199)

You might like startpage [slashdot.org] .

Re:Google can't track.... (2)

godel_56 (1287256) | 1 year,20 days | (#44516327)

You might like startpage [slashdot.org] .

Startpage is run by a British company (same as IxQuick), but seems to use US servers. DuckDuckGo is a US company but its servers are in Singapore.

Take your pick. I'd say there could be a good business opportunity for Iceland to host private cloud servers and search companies if they wanted to go that way.

Lavabit shutdown/snowden story deleted (0)

Anonymous Coward | 1 year,20 days | (#44516293)

Why was the following story just deleted ?
First time accepted submitter bazmail writes "Remember when word circulated that Edward Snowden was using Lavabit, an email service that purports to provide better privacy and security for users than popular web-based free services like Gmail? Lavabit's owner has shut down service, with a mysterious message posted on the lavabit.com home page today. The message reads in part: 'I have been forced to make a difficult decision: to become complicit in crimes against the American people or walk away from nearly ten years of hard work by shutting down Lavabit. After significant soul searching, I have decided to suspend operations. I wish that I could legally share with you the events that led to my decision. I cannot. I feel you deserve to know whatâ(TM)s going on--the first amendment is supposed to guarantee me the freedom to speak out in situations like this. Unfortunately, Congress has passed laws that say otherwise. As things currently stand, I cannot share my experiences over the last six weeks, even though I have twice made the appropriate requests.'"

Re:Lavabit shutdown/snowden story deleted (4, Informative)

EvanED (569694) | 1 year,20 days | (#44516311)

Because there was another story on it [slashdot.org] four stories earlier.

Re:Lavabit shutdown/snowden story deleted (3, Funny)

Anonymous Coward | 1 year,20 days | (#44516323)

Damnit, i want a conspiracy theory. Can we delete the other post too...

Seems like a really bad idea (3, Interesting)

frovingslosh (582462) | 1 year,20 days | (#44516347)

If I use this then presumably every website that I sign in to would have my real private Gmail address. As it is now, I use a free forwarding service (Spamgourmet) to create a unique address for everyone I sign up with. That way, if and when the spam starts, I can disable just that one address rather than having to go through the tassel of abandoning my prime email address. And I have been spammed at some of those addresses that I created, both by the people that I signed up with and sometimes even by Chinese malware sent to addresses that only one company had and that should have been keeping their data very secure. So, no thank you, I'll go through the extra hassle of keeping separate names and passwords for all of the sites that I want to sign in to, and be a little less concerned that I opened myself to endless spamming and attacks.

And before anyone questions it, yes, I have had to abandon some email addresses before I started using a forwarding service. In one case that I particularly remember I logged in one day and there was so much duplicate spam in my inbox that it used the mailbox's full quota and was effectively a denial of service attack. The attack lasted longer than the account did.

Re:Seems like a really bad idea (2)

Agent ME (1411269) | 1 year,20 days | (#44516549)

Just use a different email address at different places then.

Re:Seems like a really bad idea (0)

Anonymous Coward | 1 year,20 days | (#44516693)

many spam use BCC so that you don't know what email address the spam was sent to... so it you forward many addresses to your primary email, you can't know where the spam comes from

Re:Seems like a really bad idea (3, Informative)

Jah-Wren Ryel (80510) | 1 year,20 days | (#44516809)

many spam use BCC so that you don't know what email address the spam was sent to...

It is always possible to figure out the delivery address by looking at the raw headers on the email message. The receiving system knows what the address is, else it could not deliver it to you in the first place, and they all record it somewhere, usually in one of the Received: lines.

Re:Seems like a really bad idea (0)

Anonymous Coward | 1 year,19 days | (#44518051)

Are you new to this "Internet" thing?
PROTIP: E-mail headers for spam are ALWAYS spoofed. E.g. by saying it went through more relays than it did. All of which, made-up. Everything earlier than your own e-mail provider's servers is a LIE.

Address in the Received line (1)

tepples (727027) | 1 year,19 days | (#44519417)

In order to deliver the message, your own mail server needs to know the correct address. Ideally, it should include the destination address in this line. I don't know the correct syntax but it's something like Received: from 98.76.xx.xx by 123.45.xx.xx for chester@example.com

Re:Seems like a really bad idea (0)

Anonymous Coward | 1 year,19 days | (#44518211)

Good luck with that if your using outlook. I can't figure out how to see the raw message.

Re:Seems like a really bad idea (1)

aok (5389) | 1 year,19 days | (#44520169)

Under Outlook 2010, open the email, go to File -> Properties and look in the Internet Headers section.

The Problem With Mozilla's Persona (5, Interesting)

Jherek Carnelian (831679) | 1 year,20 days | (#44516417)

For me, the deal-breaker with Persona is that it is tied to my email address and exposes that unique identifier to every website that does Persona.. The pro-persona types argue that is a benefit, that people are used to using their email address as a relatively constant identifier.

My argument is that giving the same email address out to every website makes it super-easy for those websites to cross-reference my web usage. Nowadays your email address is the online equivalent of your social-security number for marketers. It is the most useful key in the cyberstalker/marketing databases. All of the cyberstalker companies like BlueKai, Janrain, Scorecard, Doubeclick, etc create phantom profiles of people on the web that just sit dormant until you give one of their partner websites your email address and then they file all that dormant data in with any other data associated with your address.

Some people say, no problem, just create a different email address for every website you visit. Yeah, right. That's no problem at all. The system isn't designed for that. If there were a way to generate a login credential unique to each website so cross-referencing didn't work and it was easy and automatic, then Persona would be useful. As it is now it is only mis-leading, addressing a privacy problem we had 5 years ago but it does nothing to protect us against the current state of the art in privacy invasion.

Re:The Problem With Mozilla's Persona (1)

tlhIngan (30335) | 1 year,19 days | (#44517553)

All of the cyberstalker companies like BlueKai, Janrain, Scorecard, Doubeclick, etc create phantom profiles of people on the web that just sit dormant until you give one of their partner websites your email address and then they file all that dormant data in with any other data associated with your address.

DoubleClick doesn't do that. It's DoubleClick, A Google(tm) Company, so you can expect that to already happen. Probably just visit a Google site while logged in and one using DoubleClick ads and boom. And a lot of people do both, given how big DoubleClick is and Google account logins. (Especially now that Google unified their privacy policy).

Re:The Problem With Mozilla's Persona (0)

Anonymous Coward | 1 year,19 days | (#44517855)

Persona isn't designed to force you to use *valid* email accounts. You can easily use an identity provider that will verify any email account, like mockmyid.com. It's the site that you log on into that may require email validation.

Re:The Problem With Mozilla's Persona (0)

Anonymous Coward | 1 year,19 days | (#44518069)

Part of that can be solved, by having a dedicated log-in-only e-mail address that you never use, apart from for log-in purposes.

Of course you are still right that it provides a *very* reliable unique ID for tracking purposes.

It should give them an individual ID. I don't know why that's apparently so hard....

Identity Federation? (0)

Anonymous Coward | 1 year,20 days | (#44516491)

How is this different from current identity federation methods like SAML, OAUTH and OpenID ?

Why should someone implement Persona instead of the already existing standards?

Re:Identity Federation? (4, Informative)

Agent ME (1411269) | 1 year,20 days | (#44516575)

The difference between Persona and OpenID is that if/when the email services and browsers (I think I can name at least one browser which is sure to do this) add native support for it, then you can authenticate to your email host once and a private key will be loaded into your browser, and then you can authenticate to sites directly yourself with that key easily, and then no 3rd party (Mozilla, your email provider, etc) knows you've authenticated there. With OpenID, your OpenID service can see everywhere that you log into.

Re:Identity Federation? (0)

Anonymous Coward | 1 year,20 days | (#44516825)

You're assuming that the websites won't start tattling on you to to the OpenID service as "payment" for providing the auth service.

Once OpenID providers lose the ad-revenue from tracking you, they'll find some way to make up the difference. If a site is free, YOU are the product. That means they'll find some way to monetize your privacy.

Re:Identity Federation? (0)

Anonymous Coward | 1 year,19 days | (#44519587)

Just run your own OpenID provider. It isn't hard,

Re:Identity Federation? (1)

thelovebus (264467) | 1 year,20 days | (#44517191)

Persona/BrowserID is a lot closer to OpenID than SAML or OAuth.

Doing SAML federation can be a bit of a nightmare, and AFAIK there's no "standard" way to do sort of on-demand federation between two entities (that is, if user using IdP A wants to visit service X, usually A and X generally need to already know about each other).

OAuth really isn't about *authentication*. It can be used for authn as sort of a side-effect, but it's really not its' intent.

As for OpenID (and OAuth and SAML, too), the big advantage of Persona/BrowserID is that your IdP doesn't actually know what sites you're visiting. If you take the additional step of using unique email addresses to sign in to each different site you visit, there's also no way for two different sites to know you're the same user (at least, based on your BrowserID "identity"... obviously there's other tricks they can employ).

WIth all the NSA intrusion why would I use this? (2)

assemblerex (1275164) | 1 year,20 days | (#44516675)

With the assault on privacy and human rights, why would I ever want to have my credentials
across a multitude of sites?

Then new trend will be towards obfuscation, not sharing.

Re:WIth all the NSA intrusion why would I use this (3, Funny)

MadMaverick9 (1470565) | 1 year,20 days | (#44516723)

But ... but ... but ... "Dan Callahan promises."

Re:WIth all the NSA intrusion why would I use this (0)

Anonymous Coward | 1 year,19 days | (#44518091)

yeah everyone is committed to privacy, just like fair use laws are committed to fair use

When'll Firefox launch persona for Gmail (1)

Ajay Anand (2838487) | 1 year,19 days | (#44517475)

Given the pathetic interface of Gmail and ever more frustrating themes, I wish Gmail integrated more closely with browser persona.

Do not want ... (1)

gstoddart (321705) | 1 year,19 days | (#44519081)

If you have a Google account, this means you can now sign into Persona-powered websites with your existing credentials. The best part is of course Mozilla's pledge to its users. 'Persona remains committed to privacy: Gmail users can sign into sites with Persona, but Google can't track which sites they sign into,'

First off, I have no bloody interest in logging into web sites with my Google credentials. I will log into them (if at all) with the set of credentials I choose, and if the browser is going to think "hey, I see you're logged into Google, so I'll just log you into this site" -- then I'm going to have to either disable that, or stop using the browser. I have no interest in being automatically logged in with my Google credentials.

And second, I don't believe that you can log into a site using Google credentials and not have Google know it. How the hell do you have my credentials, and if you're verifying them with Google, how the hell can they not know? If you're not verifying them with Google, why is it I'm trusting you with them?

This sounds like something which is going to want to wave around your credentials all over the place, and it sure as hell isn't something I want -- I sincerely hope that if I haven't signed up for whatever the hell this Persona thing is nothing happens. Just because I visit randomwebsite.com doesn't mean I have any interest in randomwebsite.com knowing who the hell I am or that I even have a Google account or that I'm currently logged into it.

I disagree with this whole cross-site credentials thing, because it's way too much information that is potentially going to places without me realizing it. I don't want to hit some random web site and have it know my identify and automatically log me in and let the marketing douchebags know I was there.

Now get off my damned lawn.

Re:Do not want ... (0)

Anonymous Coward | 1 year,19 days | (#44523687)

Please look a little bit deeper: Persona is precisely the sort of credentials thing that is built for curmudgeons like you (and me).

Persona isn't really cross-site credentials: it's decentralized web of trust certificate exchange masquerading as cross-site credentials. Essentially it boils down to website asks user for an email address they feel identify themselves (any email at all, including "fake" and one-off addresses) and Persona is the handshake system to ask that address' email provider (in the role of an identity provider similar to OpenID and other federated ID systems, but drastically simplified and further decentralized) to sign a private key for that user, for that browser/session. Once the user's browser has a signed, private certificate everything is fully decentralized certificate-based security.

The article here points out that because Google hasn't yet built their own public key/private key system for their users in a way that interoperates with the Persona model, Persona can use the OpenID/OAuth-based system they do provide to bootstrap that infrastructure for them and thus bridge the old your-credential-site-knows every-site-you-login-to world with the (eventually) much more decentralized Persona world. (In a way, this is a sort of delegation from Persona proper to an intermediate credential provider.)

From the standpoint of Google, all they will ever see is that from time to time its users, those which decide to use their Google credentials as Persona logins, may log in to http://login.persona.org/. They have no way to track the private keys that login.persona.org is signing and login.persona.org has no way of tracking what the user's browser does with those certificates after they've been signed...

Meanwhile, as a user, you get single sign-on tied to whichever of your email addresses that YOU decide to use. If you want to use a Google credential, login.persona.org will happily mediate that to make sure your @gmail.com address is valid before helping your browser bootstrap a private key authenticated to be that gmail.com address. Don't want to use @gmail.com? Use a different address. Don't want even login.persona.org involved? Implement your own identity provider at a domain name you control.

compartmentalize your information (0)

Anonymous Coward | 1 year,19 days | (#44519473)

Categorize the websites that require credentials

1. websites that are vital - google, amazon, ebay, paypal, (ugh) facebook, sneakemail
2. websites that you want to maintain a relationship with but wouldn't disrupt your life if you lost access to - slashdot, fark, reddit, online games, forums
3. websites that you don't give a shit about but require an email verification to make an account

Use a service like SneakEmail (or your own domain) to create unique email addresses for each site. But DONT use the notes section of the sneakemail address to list which aliases go to which site (in case sneakemail gets compromised).

For sites in category 1 you use a secure password, ideally unique to each site but realistically you can reuse the same secure password for your handful of "top" site.
For sites in category 2 and 3 you can re-use the same unsecure password because it doesn't really matter if they get compromised since you use a unique email for each site.

When you have a username like for forums use a common pop culture reference, that way if someone searches for your alias they get tons of hits with no way of knowing who is actually you.

With a minimal effort you can almost completely mitigate the effects of data breaches.

so an online password manager? (0)

Anonymous Coward | 1 year,19 days | (#44520391)

not impress'd

Load More Comments
Slashdot Login

Need an Account?

Forgot your password?

Submission Text Formatting Tips

We support a small subset of HTML, namely these tags:

  • b
  • i
  • p
  • br
  • a
  • ol
  • ul
  • li
  • dl
  • dt
  • dd
  • em
  • strong
  • tt
  • blockquote
  • div
  • quote
  • ecode

"ecode" can be used for code snippets, for example:

<ecode>    while(1) { do_something(); } </ecode>