Mozilla Launches Persona Identity Bridge For Gmail 114
An anonymous reader writes "Mozilla today announced the Persona Identity Bridge for Gmail users. If you have a Google account, this means you can now sign into Persona-powered websites with your existing credentials. The best part is of course Mozilla's pledge to its users. 'Persona remains committed to privacy: Gmail users can sign into sites with Persona, but Google can't track which sites they sign into,' Mozilla Pesrona engineer Dan Callahan promises."
And this is impressive why? (Score:1, Insightful)
I'm supposed to find it impressive that a website can take my username and password, and present it to another website and confirm its validity?
So I don't tell Google what I'm logging in to, but I instead give you my authentication information for Google?
I don't think so Tim.
Color me unimpressed with Mozilla rehashing something from 40 years ago ... and doing it wrong in the process.
Re: (Score:2, Interesting)
This is news because the browser becomes increasingly biased. First Facebook integration, now a Google identity bridge (or whatever it is called). Firefox increasingly gravitates towards the money and away from the neutral zone. It's about time to switch to Seamonkey or Chromium.
Re: (Score:2)
Re: (Score:1, Insightful)
Re: (Score:3, Interesting)
Uhhhh...you just NOW figured this out?
Sigh, more anti-FOSS fud from somebody who should know better. Plenty of people have explained this to you in past conversations.
In fact, Google is not the default search engine in all the localized versions of Firefox. There's long been a Yandex version of Firefox and Yandex is the default in Russia and Russian speaking countries.
More recently, Mozilla partnered with Microsoft, once its arch nemesis, to offer a Bing-themed version of Firefox. Bing, of course, is a default search option in Firefox.
Now, Microsoft and Mozilla are partnering once again with a MSN-themed version of the browser, for the people that still use MSN for some reason. Probably the same reason why people still use Yahoo Mail.
This version of the browser comes with the standard modifications, Bing as the default search engine, both in the search box and the AwesomeBar, a link to msnNOW in the toolbar and MSN as the homepage.
http://news.softpedia.com/news/MSN-ified-Version-of-Firefox-Dilutes-Mozilla-s-Dependence-on-Google-310533.shtml [softpedia.com]
Re: (Score:1)
Hey don't diss Yahoo! mail. That's what I use to signup to various websites so my regular email is not spammed by websites that I used only once in my life.
Re: (Score:2)
Re: (Score:2, Insightful)
Re: (Score:2)
Lol, comodo what? Go back to the hole you came from troll. Today if you are not using Chrome, Firefox or Safari, I hope you can at least say it is because you are using Icecat.
All of those alternate browser fail because of the add-ons. That's the main thing today with browsers since anybody can build a proper browser using Gecko, Webkit or even Trident.
Re: (Score:2)
Re: (Score:2)
BTW for those that want a different browser, mind a suggestion? Try Comodo Dragon [comodo.com] for those that like the Chromium based and Comodo Ice Dragon [comodo.com] for those that prefer the Gecko way of doing things as not only does it have none of the phone home stuff (any and all extra features are opt in and both ask during install and can be turned on and off in settings if you change your mind) but the extra features are all based around increasing security,
I use Comodo firewall It's been rated the best and it's worked very well for me.
At some point Comodo started pushing this GeekBuddy bullcrap even if you select not to install it, it would install a mini version,
then pop up reminders of it. When Comodo went with a different GUI that was so confusing (more so than normal)
I couldn't trust running it as I wasn't sure of it's configuration -almost like I should start paying for help.
Comodo is now at Version 6.0.260739.2674 I still run 5.3.176757.1236 as it's muc
Re:And this is impressive why? (Score:5, Informative)
1) This is not part of Firefox
2) The first bridge was for Yahoo, not Google, and it's part of an authentication system (Persona) that is actually completely unbiased towards any provider.
Re: (Score:2)
If it was part of Firefox (it isn't) switching to Seamonkey wouldn't get you anything different...
Re:And this is impressive why? (Score:5, Informative)
This is impressive. It's basically separation of powers. Google has your account, but doesn't know what sites you visit. Mozilla doesn't have your account, but knows what websites you visit*. The websites themselves have nothing, except a confirmation that the e-mail address is really yours.
I, for one, trust Mozilla more than Google, and both much more than the average website.
*: I think I read some time ago in the documentation that Mozilla can't see what websites are requesting the auth. I'm not sure I remember it right, and I never checked the claim, and it might have changed since that time. For now, I assume the information is visible.
Re:And this is impressive why? (Score:5, Insightful)
Because "The Government" isn't the only boogeyman in the world.
Re:And this is impressive why? (Score:5, Insightful)
I believe mozilla can see what websites you are requesting, but they claim they do not retain this [thenextweb.com] because they are not required to do so.
That could change I suppose. Clearly they have to have a list of emails that they can process, but not necessarily what sites you can use them for because they can just try to log in, and let it fail. Then go thru the authorization process [mozilla.com].
I like the idea of spreading the knowledge around so that no one source knows everything. This essentially puts a middle-man in the Auth process, but that man knows very little.
But I don't think this will work in the long run because someone will break SSL or demand the keys and the whole thing comes down.
Mozilla is just as much subject to NSA letters as anyone else. And since almost 100% of their funding comes from Google anyway, I can't help but thinking this is a joint project, or at least carried out with Google's full approval. But still it makes it necessary for the NSA to look a lot more places when building a list and checking it twice.
Re:And this is impressive why? (Score:5, Informative)
And since almost 100% of their funding comes from Google anyway, I can't help but thinking this is a joint project, or at least carried out with Google's full approval.
About 85%, and that's from a standard commercial arrangement - eg a fee for a service. It bought Google the default search engine spot, but nothing else.
Microsoft had the opportunity to buy the spot for Bing, but chose not to.
http://www.businessinsider.com/why-did-microsoft-let-google-win-the-firefox-deal-2011-12 [businessinsider.com]
Re: (Score:2)
I hate to break it to you but Firefox has a lot of Google integration without you noticing. Take a system like Safebrowsing for instance, Microsoft developed their own thing and so did a lot of antivirus companies. Firefox's solution? Instead of trying to use something like WOT or even some local replicated list a la DNS, they just send your queries to Google in hash form. Ask yourself if Google is so benevolent why don't they allow a service where those queries are done locally?
Also if you do not install s
Re:And this is impressive why? (Score:5, Informative)
Persona is a reference implementation of the BrowserID protocol, which is fully decentralized.
If your browser and email provider (or your own domain!) support BrowserID / Persona, then Mozilla is completely removed from the login transaction. We don't want to be able to track you, and we've designed a system that automatically removes us from the picture as it gains traction.
Re: (Score:2)
I like the idea of spreading the knowledge around so that no one source knows everything. This essentially puts a middle-man in the Auth process, but that man knows very little.
Why spread that knowledge? OpenID doesn't require you to make any information available to any third party - unless you pick a third party provider, but still, you've a large amount of options from where to pick.
Re: (Score:3, Informative)
It's meaningless when most sites use Google Analytics and you'll be tracked by Google anyway.
Re:And this is impressive why? (Score:4, Insightful)
It's meaningless when most sites use Google Analytics and you'll be tracked by Google anyway.
What, you don't use NoScript?
That reminds me, I should send that guy another donation
Re: (Score:1)
Sure, but the vast majority of web users don't.
Re: (Score:1)
What, you don't use NoScript?
NoScript isn't enough, unless you never enable JS for any sites. In which case - why use NoScript when you could just turn off JS?
Any sites you enable JS for will load Google's JS, even if NoScript prevents them from executing - and that's enough for Google to track you.
To really stop it, you need a proxy like Privoxy or Squid.
Even with that, I'm having a hard time keeping up with all the new ways Google tries to track.
Re: (Score:3, Insightful)
Re: (Score:2)
I think Ghostery does a better job and it is a bit user to use.
Re: (Score:3)
Amen to that. Since using ghostery have less clutter on pages and they load faster as well. Only difficulty is when something on a page isn't working and I don't readily know how to find out what's blocking it - that can get tedious and much of the time I give up.
Re: (Score:2)
Uh, you haven't actually used it, have you? You can enable scripts for the main domain, while keeping Google services blocked.
Re: (Score:2)
Uh, none of those are scripts, which is what NoScript blocks. Whether images are loaded has nothing to do with "Google's JS" being loaded despite NoScript, as it was claimed.
Re: (Score:2)
Sure, but what I was replying to was "Any sites you enable JS for will load Google's JS, even if NoScript prevents them from executing", which is simply not true.
Re: (Score:3)
To really stop it, you need a proxy like Privoxy or Squid.
Try the RequestPolicy plugin. It blocks all 3rd-party requests by default, and you can selectively enable stuff while browsing like you do in NoScript.
Re: (Score:2)
Re: (Score:2, Informative)
You trust Mozilla even though they want to build aggregating and selling [mozilla.org] your browsing history and "interests" (derived from the contents of the pages you visit) into the Firefox browser?
Your statement does not even remotely reflect what Mozilla are saying in the blog postng you linked to.
To quote from your link:
"We recently shared our view that personalization must be handled with respect for the individual user. We want to see even more personalization across the Web from large and small sites, but in a transparent way that retains user control. The team at Mozilla Labs is focused on exploring ways to move the Web forward, and has thought a lot about how the browser could play a role in making useful content personalization a reality."
What is your motivation for making a lying post to show Mozilla in a hostile light, and why do you think you're being moderated up?
Re:And this is impressive why? (Score:5, Insightful)
*: I think I read some time ago in the documentation that Mozilla can't see what websites are requesting the auth. I'm not sure I remember it right, and I never checked the claim, and it might have changed since that time. For now, I assume the information is visible.
This is correct.
The way Persona works:
* browser generates public-private key pair with the e-mail address as an attribute
* you send the public part to Mozilla (or whichever ID provider (IdP) you want) to sign
* the IdP confirms that you have access to said e-mail address, and if so, gives you back the signed data (like a CA) by using the IdP's private key
* you send the signed data to the website
* the website grabs the IdP's public key and verifies the signature
Basically think of it as a decentralized PKI and/or a variant of PGP's web of trust: public-private keys with distributed signing to confirm that you have access to a particular e-mail address account.
All Mozilla (or any IdP) knows is that a web site grabbed it's public key (which can be cached, so traffic analysis isn't useful either). The IdP doesn't know which person's signed data is being checked. Whenever you want to sign in, the website sends your browser a timestamped nonce. The website has your verified public key on file and so can verify the signature of your browser's response.
Each device you have (or web browser you use) has its own private key/s, and so if you lose a smartphone you can revoke the keys on it. You should have a "master password" for your web browser with an auto-logout.
This is similar to a password manager, but you don't have to type anything in, and if a website's database is compromised then the attackers don't actually have anything useful.
You can also use multiple e-mail address, even for the same website.
Re: (Score:1)
For that there is ghostery
Re: (Score:2)
I trust mozilla, but why should I have them in the middle of my authentications? Why would I allow them to know where I'm logging in? Why should anyone else trust them?
I'd much rather use something like OpenID. I don't have to use any intermediate I don't want to. I trust mozilla (today), but I still think it's wrong to have them in the middle when there's no strict need. I also respect that other may wish not to trust mozilla with the mentioned data.
Re: (Score:3)
Persona only needs a "middle man" if the domain you use doesn't support it natively. It's a fallback, not a requirement.
If you used a provider that supported Persona natively, not only you wouldn't need Mozilla as the middle man, as (unlike with OpenID), that same provider wouldn't know where you were logging in to.
Re: (Score:2)
So, how is this an improvement over OpenID?
Re: (Score:2)
Well, as I said, with OpenID the providers knows exactly what sites you logged in to, while with Persona they just sign a certificate your browser gives them, vouching for your identity, without getting the site.
In terms of UI, Persona uses email addresses instead of URLs, which are easier for non-techies to grasp as an authentication identifier.
Re: (Score:2)
Well, as I said, with OpenID the providers knows exactly what sites you logged in to, while with Persona they just sign a certificate your browser gives them, vouching for your identity, without getting the site.
If you care about privacy, you can host your own OpenID provider, otherwise, just use one you trust. What's the issue there?
In terms of UI, Persona uses email addresses instead of URLs, which are easier for non-techies to grasp as an authentication identifier.
Why are they easier? People type URLs every day, what's so hard about them?
Re: (Score:2)
> I, for one, trust Mozilla more than Google, and both much more than the average website.
The point is not whom you trust, the point is that the list of parties having access to the data stored by whom you trust, may change without your/their knowledge and control.
Re:And this is impressive why? (Score:5, Informative)
Re: (Score:2)
Are you kidding? Persona solves a whole raft of super common problems
Well its not totally dissimilar from using your google log in to access any site. That site never knows your google password.
But they do know your email, at a minimum.
This is the same thing, except that Persona will serve as the authentication for your email, and they will in-turn ask Google, and then they will tell you exactly what the target site is requesting from Google, and let you approve it.
But the target site clearly gets your email.
Re: (Score:3)
No, it's not the same thing, because 1) you don't have to use Google to use Persona, and 2) with Persona, Google doesn't know where you're logging in to.
Re: (Score:2)
You CAN run your own identity-provider, but good luck using it anywhere. OpenID and OAuth are federated standards too, but most "relying parties" only accept a handful of major providers.
Re: (Score:2, Informative)
OAuth requires specific providers to individually be enabled by each consuming website, yes.
OpenID does not. If a website implements OpenID properly, any OpenID provider can be used, even if the website owner has never heard of it.
Re: (Score:2)
What about the NSA? (Score:3, Interesting)
Re:What about the NSA? (Score:5, Interesting)
They post exactly what they have on you and how they use the data here. [thenextweb.com]
Basically it keeps Google from snooping, and allows Mozilla still has some records of the sites you access.
All information is transferred by SSL but its highly likely that Mozilla has already been forced to quietly turn over its SSL keys
to the government. (At least Snowden claims this has happened).
So at best you protect yourself from Google, and make the government look in two databases to see where you log in.
Re: (Score:2)
How does the government "force" Mozilla to turn over SSL keys?
Re:What about the NSA? (Score:5, Informative)
NSA letter. Where the hell have you been?
http://news.cnet.com/8301-13578_3-57595202-38/feds-put-heat-on-web-firms-for-master-encryption-keys/ [cnet.com]
http://it.slashdot.org/story/13/07/24/1812227/anonymous-source-claims-feds-demand-private-ssl-keys-from-web-services [slashdot.org]
http://www.digitaljournal.com/article/355146 [digitaljournal.com]
Re: (Score:3)
> NSA letter. Where the hell have you been?
Actually it is an NSL [wikipedia.org] although NSA Letter is a pretty apropos freudian slip.
Re: (Score:2)
FBI/DoJ might show the paperwork, present a contractor for the hardware delivery and any 'help' to slide a new server in, a help number for on going network issues.
A legal and domestic agency with a letter to present and US legal staff knowing they covered.
ie some form of a self issued National Security Letter and a nondisclosure order?
Unconstitutional questions start to surface then.
A splitter later and all http://en.wikipedia.org/wiki/Room_641A [wikipedia.org] good.
Re: (Score:1)
Basically it keeps Google from snooping, and allows Mozilla still has some records of the sites you access.
How exactly does Mozilla have records of where you visit? The way Persona works prevents the ID provider (IdP) from gathering this information.
For every site you create a public-private key pair. You send the public key to your IdP (e.g., Mozilla) for signing with their private key. Once it's signed, you send that signed data to the website you want to log into. They send you a nonce which you sign with your private key.
To verify, the website grabs the IdP's public key and verifies the signature. The IdP do
Re: (Score:2, Informative)
Mozilla can, for now, have records of where you visit because the system is still bootstrapping off their servers. In the common case right now, the site (RP) includes a JavaScript file from Mozilla's servers to do the login; and that uses the Mozilla database for a fallback until your email provider/IdP opts in into supporting Persona. So, right now, Mozilla can see which site you're trying to visit and what your account is because the window you enter your credentials into is all hosted by them. (I hav
Re: (Score:1)
They already know and record every damned site you go to already, and thus also that Persona goes to, and they could, I supposed, trivially correlate that.
They could also gin up one of those unconstitutional blanket orders and force Persona to give them all your other info, and password, though that would largely just be correlating what they know about you already.
Re:What about the NSA? (Score:4, Interesting)
Persona has been designed to be fully decentralized. Mozilla plans to be removed from the equation. So that should really help to up the anonymizability (suck it spell check!) of the system.
Social Networking Button (Score:1)
And no Social Networking button? What wrong with these people!
Google can't track.... (Score:1, Insightful)
Re: (Score:3)
From this identity bridge, Google only gets one authentication request, and it is from Mozilla.
However, considering their yearly donations to Mozilla, they might have other means of accessing it.
Re: (Score:3)
My fantasy is that Mozilla will someday support something like the old Google Sharing Firefox add-on -- run a server that pools all your search requests, mixing your cookies with other users, and replacing your IP. This makes it look like you're running from an organization's NAT'ed local network, with no ability to track your real IP and identity. In addtion, Google Sharing would allow you connect to Google with HTTPS, so that the Google Sharing server can never know what you're searching for, while Goog
Re: (Score:3)
You might like startpage [slashdot.org].
Startpage is run by a British company (same as IxQuick), but seems to use US servers. DuckDuckGo is a US company but its servers are in Singapore.
Take your pick. I'd say there could be a good business opportunity for Iceland to host private cloud servers and search companies if they wanted to go that way.
Re:Lavabit shutdown/snowden story deleted (Score:4, Informative)
Because there was another story on it [slashdot.org] four stories earlier.
Re: (Score:3, Funny)
Damnit, i want a conspiracy theory. Can we delete the other post too...
Seems like a really bad idea (Score:4, Interesting)
If I use this then presumably every website that I sign in to would have my real private Gmail address. As it is now, I use a free forwarding service (Spamgourmet) to create a unique address for everyone I sign up with. That way, if and when the spam starts, I can disable just that one address rather than having to go through the tassel of abandoning my prime email address. And I have been spammed at some of those addresses that I created, both by the people that I signed up with and sometimes even by Chinese malware sent to addresses that only one company had and that should have been keeping their data very secure. So, no thank you, I'll go through the extra hassle of keeping separate names and passwords for all of the sites that I want to sign in to, and be a little less concerned that I opened myself to endless spamming and attacks.
And before anyone questions it, yes, I have had to abandon some email addresses before I started using a forwarding service. In one case that I particularly remember I logged in one day and there was so much duplicate spam in my inbox that it used the mailbox's full quota and was effectively a denial of service attack. The attack lasted longer than the account did.
Re: (Score:3)
Just use a different email address at different places then.
Re:Seems like a really bad idea (Score:4, Informative)
many spam use BCC so that you don't know what email address the spam was sent to...
It is always possible to figure out the delivery address by looking at the raw headers on the email message. The receiving system knows what the address is, else it could not deliver it to you in the first place, and they all record it somewhere, usually in one of the Received: lines.
Address in the Received line (Score:2)
Re: (Score:2)
Under Outlook 2010, open the email, go to File -> Properties and look in the Internet Headers section.
The Problem With Mozilla's Persona (Score:5, Interesting)
For me, the deal-breaker with Persona is that it is tied to my email address and exposes that unique identifier to every website that does Persona.. The pro-persona types argue that is a benefit, that people are used to using their email address as a relatively constant identifier.
My argument is that giving the same email address out to every website makes it super-easy for those websites to cross-reference my web usage. Nowadays your email address is the online equivalent of your social-security number for marketers. It is the most useful key in the cyberstalker/marketing databases. All of the cyberstalker companies like BlueKai, Janrain, Scorecard, Doubeclick, etc create phantom profiles of people on the web that just sit dormant until you give one of their partner websites your email address and then they file all that dormant data in with any other data associated with your address.
Some people say, no problem, just create a different email address for every website you visit. Yeah, right. That's no problem at all. The system isn't designed for that. If there were a way to generate a login credential unique to each website so cross-referencing didn't work and it was easy and automatic, then Persona would be useful. As it is now it is only mis-leading, addressing a privacy problem we had 5 years ago but it does nothing to protect us against the current state of the art in privacy invasion.
Re: (Score:2)
DoubleClick doesn't do that. It's DoubleClick, A Google(tm) Company, so you can expect that to already happen. Probably just visit a Google site while logged in and one using DoubleClick ads and boom. An
Re:Identity Federation? (Score:5, Informative)
The difference between Persona and OpenID is that if/when the email services and browsers (I think I can name at least one browser which is sure to do this) add native support for it, then you can authenticate to your email host once and a private key will be loaded into your browser, and then you can authenticate to sites directly yourself with that key easily, and then no 3rd party (Mozilla, your email provider, etc) knows you've authenticated there. With OpenID, your OpenID service can see everywhere that you log into.
Re: (Score:1)
Persona/BrowserID is a lot closer to OpenID than SAML or OAuth.
Doing SAML federation can be a bit of a nightmare, and AFAIK there's no "standard" way to do sort of on-demand federation between two entities (that is, if user using IdP A wants to visit service X, usually A and X generally need to already know about each other).
OAuth really isn't about *authentication*. It can be used for authn as sort of a side-effect, but it's really not its' intent.
As for OpenID (and OAuth and SAML, too), the big advantage
WIth all the NSA intrusion why would I use this? (Score:3)
across a multitude of sites?
Then new trend will be towards obfuscation, not sharing.
Re:WIth all the NSA intrusion why would I use this (Score:4, Funny)
But ... but ... but ... "Dan Callahan promises."
When'll Firefox launch persona for Gmail (Score:1)
Do not want ... (Score:2)
First off, I have no bloody interest in logging into web sites with my Google credentials. I will log into them (if at all) with the set of credentials I choose, and if the browser is going to thi
Re: (Score:1)