Mozilla BrowserID: Decentralized, Federated Login
An anonymous reader writes "Mozilla Labs has just launched the prototype of its BrowserID project and the accompanying Verified Email Protocol standard. Basically, BrowserID is a browser-based federated login provider like Facebook Connect, but without the privacy leaks. Fundamentally, BrowserID is public key encryption. You register an email address with your browser, which is then confirmed with a standard 'click here to confirm' email. A public/private key pair is then generated; your browser keeps the private key, and your email provider keeps the public key. Now, when you visit Facebook (or any site that supports BrowserID), your browser gives Facebook your email address and an identity token signed with your private key. Facebook queries your email provider for your public key, decrypts your identity token, and logs you in — voila, secure, private, browser-based logins. Oh, and the prototype is written in HTML and JavaScript — so it works across every modern browser, too."
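The login flow in the summary, sketched from the relying site's side as an added example (not code from BrowserID or Mozilla). The in-memory `providerDirectory`, the token layout and the `audience`/`expires` fields are assumptions made for illustration.

```javascript
// Added illustration; not BrowserID or Mozilla code.
const crypto = require('node:crypto');

// Constructed stand-in for "your email provider keeps the public key".
const providerDirectory = new Map();

// Browser side: generate the key pair locally; only the public half leaves.
function registerKey(email) {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('rsa', {
    modulusLength: 2048,
  });
  providerDirectory.set(email, publicKey);
  return privateKey;
}

// Browser side: sign a token for one site. `audience` and `expires` are
// assumed fields, so a token cannot be reused at another site or later on.
function makeToken(email, privateKey, audience, nowMs, ttlMs = 120000) {
  const payload = Buffer.from(
    JSON.stringify({ email, audience, expires: nowMs + ttlMs })
  );
  return {
    payload: payload.toString('base64'),
    signature: crypto.sign('sha256', payload, privateKey).toString('base64'),
  };
}

// Relying-site side: look up the key for the *claimed* address and check the
// signature first, then the audience and expiry. Nothing is decrypted.
function verifyToken(token, expectedAudience, nowMs) {
  let payload, signature, claims;
  try {
    payload = Buffer.from(token.payload, 'base64');
    signature = Buffer.from(token.signature, 'base64');
    claims = JSON.parse(payload.toString('utf8'));
  } catch {
    return { ok: false, reason: 'malformed' };
  }
  if (claims === null || typeof claims !== 'object') {
    return { ok: false, reason: 'malformed' };
  }
  const publicKey = providerDirectory.get(claims.email);
  if (!publicKey) return { ok: false, reason: 'unknown-email' };
  if (!crypto.verify('sha256', payload, publicKey, signature)) {
    return { ok: false, reason: 'bad-signature' };
  }
  if (claims.audience !== expectedAudience) {
    return { ok: false, reason: 'wrong-audience' };
  }
  if (typeof claims.expires !== 'number' || nowMs > claims.expires) {
    return { ok: false, reason: 'expired' };
  }
  return { ok: true, email: claims.email };
}

// Constructed scenario: one genuine token and three that must be rejected.
function runDemo() {
  const now = 1700000000000; // constructed clock value
  const site = 'https://rp.example';
  const aliceKey = registerKey('alice@example.org');
  const good = makeToken('alice@example.org', aliceKey, site, now);
  // Someone else's key signing a token that claims Alice's address.
  const otherKey = crypto.generateKeyPairSync('rsa', {
    modulusLength: 2048,
  }).privateKey;
  const forged = makeToken('alice@example.org', otherKey, site, now);
  return {
    good: verifyToken(good, site, now),
    forged: verifyToken(forged, site, now),
    replayed: verifyToken(good, 'https://other.example', now),
    stale: verifyToken(good, site, now + 121000),
  };
}

console.log(runDemo());
```
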
I'd just like to say (Score:2)
yeeeeeeeeeeeeeeeeeeeeeeeeeeessssssss!
finally. thank the deities.
Re: (Score:2)
Agreed, it would be a wonderful thing to have, but it still has issues as far as I can see.
TFS says 'but without the privacy leaks', but really you can still be tracked/followed/denied/fucked with from a single point/service, namely your email provider.
Also, there's the age old problem of common password for everything, if one is compromised, they all are. Granted in this case, it's a private key and not password, which is slightly harder to acquire through social engineering, mainly because most people aren
Re: (Score:3)
The issues that you point out already exist with current email-to-reset approaches. What they are suggesting is not a perfect solution to authentication, but after glancing through their spec it seems to be at least as reliable as what we use currently. At the moment your email provider could screw with any account that relies on password confirmation / reset request emails. With this system the provider would only hold your public key, so while it would still be able to track / deny-service it would not ha
Re: (Score:2)
what keeps this approach from generating a separate key for every site?
Re: (Score:2)
No, you actually can't be tracked via this system from your email service provider. That was the point of this.
The system works like this: your browser gets a signed crypto certificate from your email provider (or some other proxy who can confirm you own the email address you claim to own - Mozilla is running their own email verifier already - called "auth party" or AP). Your browser resigns that cert locally and hands that over to the login website ("relying party" or RP). The RP then only has to check the
Re: (Score:2)
"TFS says 'but without the privacy leaks', but really you can still be tracked/followed/denied/fucked with from a single point/service, namely your email provider."
Well, with current systems you already can: they all rely on the old 'send a verification email' technique, and whoever provides your email account can obviously read your email. So this system doesn't make things any worse than current systems from a privacy perspective, while adding quite a lot of convenience. The idea that you're already trust
Browser keeps the private key? (Score:2, Insightful)
Ah, so when I have to reinstall my OS due to HDD death or OS death and for whatever reason, can't save my profile app data files (depending on where it stores the key)... then what?
Will I just be able to do a "Forgot my password" type action to regenerate a private key?
Re:Browser keeps the private key? (Score:4, Informative)
It's still one of those minor issues that is not "entirely ready" yet.
https://github.com/mozilla/browserid/issues/17 [github.com]
Re:Browser keeps the private key? (Score:4, Funny)
Even better! Thanks to our convenient, safe and secure process, the private key will be calculated from your public key and sent back to you via email for you to store on your new computer!
Re: (Score:3)
Re: (Score:2)
No doubt! Letting your browser save passwords is stupid. Letting your browser store keys is insane! I like single sign on tech for internal low security stuff as much as the next guy, but global? sigh.
Re: (Score:2)
I don't think the browser would ever need to transmit the private key in this scenario. However, yes: if the user or browser was somehow tricked into uploading it -- you are compromised. This is still better than passwords, which are easy to attack with dictionaries and rainbow tables.
Re: (Score:2)
You mean like now?
Back up your profile (Score:2)
Re: (Score:2)
Re: (Score:2)
Yes, it supports multiple keys on multiple devices.
Re: (Score:2)
https://wiki.mozilla.org/Labs/Identity/VerifiedEmailProtocol#Synchronization_of_keys [mozilla.org]
yup. You can have multiple keys for one email address, or you can sync one key across multiple browser profiles.
Re: (Score:2)
Maybe this is what you would use Mozilla Sync for? (At the risk of keeping your internet life at a single provider.)
Of course you backup your Mozilla profile*, don't you?
* That directory that keeps all your bookmarks, history and saved passwords.
Re: (Score:2)
Also, what do I do when I want to use an internet cafe to log into a BrowserID site?
Re: (Score:2)
I've heard people talk about this "internet cafe" thing, mostly in exactly these sorts of hypothetical questions, but I've never actually seen one. The closest I've come is the row of computers at the library, and, well, if you're doing anything involving authentication on a computer at the library, you're doing it very, very wrong.
i'm no security expert (Score:5, Insightful)
isn't the browser basically the most targeted piece of software on a computer? if the private key is stored in the browser, doesn't that mean that potentially one successful exploit in the browser would let a hacker log into any website as you?
Re:i'm no security expert (Score:4, Insightful)
Re: (Score:3)
How is that different from now, where you can have the browser autocomplete the password for most login forms anyways?
To begin with, my browser saves my password for Slashdot, but not for my bank. I make that decision.
Secondly, when I connect to something from a remote, possibly untrusted location (like the work computer) I can choose to not store anything at all, and perhaps even run in the "private browsing" mode.
This system would insist on having a private key, one way or another, for a login into
Re: (Score:2)
The browser is still less targeted than the login pages of the services one uses online.
Re: (Score:2)
If you know your private key is stolen you just generate a new one and the problem is solved (unless they get access to your email account as well of course).
Re: (Score:2)
you might assume that, but it isn't. The current implementation does not ask you to put a passphrase on the key by default, nor apparently even make this possible. To me that's the biggest flaw with it. I raised a bug on this: https://github.com/mozilla/browserid/issues/61 [github.com] .
Skeptical but encouraged (Score:2)
So wait - why doesn't this use the existing PGP web of trust and software?
And how does it mitigate the MITM/Phishing attacks that plagued OpenID?
I'm skeptical, but encouraged to see some efforts here...
Re: (Score:2)
Mainly because PGP is only usable by people who are already security wizards.
Re: (Score:2)
And how does it mitigate the MITM/Phishing attacks that plagued OpenID?
Phishing only works because the user has to input the password on the provider's website (which is phished). With PKI, the private key is never sent - you just prove you have it by encrypting something with it - so phishing is useless.
E-mail providers that don't opt in (Score:2)
Re: (Score:2)
That's where the secondaries come in. The RP's are asked to implicitly trust the authentication coming from these "trusted sources".
Mozilla is proposing making their own browserid.org as one such secondary.
Re: (Score:2)
The kind of users who use this will be the kind of users who use hotmail/gmail/yahoo/etc.
Re: (Score:2)
I think that is what the BrowserID project is for, see the video.
They mail you a link just like all these sites currently do, you just need to do it once to verify your email address instead of for each and every site.
Let me get this straight (Score:5, Insightful)
My browser will automatically provide my e-mail address? The very thing I do NOT want to provide when signing in with the majority of sites?
Also, as a web developer, I think it is a real bad design error to use an e-mail address as a login. What happens if you change your provider? Do you log in with your new (thus unknown) e-mail address? Or do you want to send the lost password to the no longer existing one?
Re: (Score:2, Insightful)
The first issue is fixed simply by the browser asking your permission before it sends your data. The UI can be made in a way that is harder to give permission (at the first login) than just clicking 'Yes'.
The second issue is real, but is also moot. Everybody uses email for authentication. A few people that can think offer the option of changing your email, others don't. Those same groups would do correctly/incorrectly any authentication method you can think of.
Re: (Score:2)
Not automatically obviously. It still needs user-interaction.
How do all these other sites currently handle accounts ?
They use email-addresses and a verification-email and have a profile-page where you can change the email-address.
This is not that different.
Re: (Score:2)
"Also, as a web developer, I think it is a real bad design error to use an e-mail address as a login"
Playing the critic. How does one remember their login for every website?
Whenever my browser forgets/clears my user/pass cache, I have to request my username to be sent to me and my password reset.
On almost a daily basis, I'll reply to someone on a forum, it'll request I register, I attempt to register and it'll say that email is in use. I don't remember signing up, so I just do a password reset.
It's so annoy
Re: (Score:2)
I think it is a real bad design error to use an e-mail address as a login. What happens if you change your provider? Do you log in with your new (thus unknown) e-mail address? Or do you want to send the lost password to the no longer existing one?
It's not using an e-mail address as a login. It's using a private-key signed challenge packet as a login. The e-mail address is provided to give the website the location of a reasonably secure version of your public key, so they can validate the challenge packet.
If you change e-mail hosts, you simply give the new host your original public key. (Which will probably be an automagic one click option by the time this system goes public, given that stupid-ease-of-use is its purpose.) Now when you sign in, your b
Re: (Score:2)
... And if you lose your domain?
Re: (Score:2)
.... And if you lose your domain?
Then it wasn't worth $7 for you to keep it. The GP's suggestion takes care of three nines of the problem, which is a great start.
Re: (Score:2)
or you faced bankruptcy and no longer had a credit card
Use a debit account or a pre-paid card.
or didn't have auto-renew enabled
or you just plain forgot to renew it
Set a damn reminder.
or it was taken away by the US government just because
Less than 0.07% of all registered domain. And you don't have to get a domain controlled by the US - get a Swiss domain or so.
or you grew out of your "anarchy-rules.com" or "whorepresents.com" domain name and wanted something more current
Register another, redirect the old to it.
or your email was with a company that rebranded
You can change your email provider without affecting your domain...
so if someone steals your laptop (Score:2)
they get access to all your shiznit.
Re: (Score:2)
I assume you would have the ability to issue a revocation certificate.
And what if you want to be anonymous? (Score:2)
OOoops! too late your browser has already given you up...
And what if you need to have multiple identities?
Re: (Score:2)
or what if multiple people use the same web browser? think: family room PC where mom/dad/teenager go and open up a web browser then log into their own facebook account. no, they don't have separate windows profiles and don't bother with addons that let you have multiple firefox profiles, etc, within one windows profile. (how would THAT affect this anyway...)
Re: (Score:2)
Well, you'd have to use multiple profiles. This would require the browser writers to make profile switching much easier than it currently is. The browser would basically take over the "login" function, it decrypts your private key when you launch the browser and throws the key away when you close it or log out of your profile. A good browser would have an option to share bookmarks across profiles, for families that want to bookmark things for each other.
Re: (Score:2)
or you could watch TFV (the video) to find out how this is addressed.
Re: (Score:2)
don't use a public computer to log into websites
Re: (Score:2)
A public computer is a computer that is not personal. A family computer is not personal. You should treat the family computer like any other public kiosk.
Otherwise, create several accounts, then when someone wants to load up a browser from a guest account, right-click and runas their user.
Re: (Score:2)
The browser doesn't just automatically log you in. You need to select which email address you want to use. Watch the 'fing video before complaining.
not yet ready for Slashdot(ting) (Score:2)
"Error encountered while attempting to confirm your address. please try again. (error message: unknown)"
Damn government (Score:5, Funny)
Got damn Feds is getting involved in everything these days.
Hell, pretty soon they're gonna be all up in my Social Security and Medicare. That's why I'm a-voting for that pretty Mi-chele Bachmann. And let me tell you, I'd like to show her what a real man is. You know she ain't getting it from that big homo she's married to. And by homo, I mean gay as pink ink. Dude has to tie weights to his shoes so they don't float right out of the closet. He's queerer than a box of monkeys on DMT. Gay cubed.
Okay... (Score:2)
But what exactly does this get me over SSL Client Certificates?
Frankly, I don't entirely understand why the world hasn't started using SSL Client Certificates, and I wonder what will make people use this scheme, when client certificates have lain unused for so long.
What could possibly go wrong? (Score:2)
The Mozilla people should have had some very serious conversations with people working in the spam/phish/botnet space before going down this road. It doesn't matter how clever or robust this scheme is, in the contemporary environment it's absolutely worthless.
In fact: it's worse, because it provides a new attack vector to people who have already demonst
Who generates the keypair? (Score:2)
It had damn well better be done locally, or you have no guarantee that your private key is actually private. Are they going to write the keygen code in Javascript?
Hmm (Score:2)
I just saw this at the bottom of my /. page
Get more comments "119 of 118 loaded"
Race condition or faulty logic? I would prefer a race condition as it makes me feel like I just won the lottery.
identity providers (Score:2)
Sounds interesting, but right now the role of identity provider seems to be limited to (to quote the page itself) "dudes like Yahoo!, Google, Twitter, Facebook, and even github".
Well, thank you, but I run my own server and I own my own domain and I want to provide my own identity.
So, call me again when there's a Debian package for that. Until that happens, I'm not interested.
Re: (Score:3)
Nor does logging into your online bank account with a normal username / password. This looks to just be a wrapper for a more secure, trusted identity.
Re:Yeah but... (Score:4, Insightful)
But it doesn't.
It is just a way to verify the email-address you already own, but without waiting for the email to arrive (or having it getting stuck in spamfilters) and clicking a link.
Now you click a link only once to connect your browser to your email address (and obviously you only share the email-address information to the sites you want).
This allows for a lot more interesting UI changes to make it easier for users to do so:
https://wiki.mozilla.org/images/4/4c/IdentityInTheBrowser.png [mozilla.org]
Also it prevents Facebook from tracking you all over the web, like they currently do with the Facebook Connect-button (!)
Re: (Score:2)
Except who uses the same email for all logins? I have one for professional use, one for personal use, one for sites I don't know if I can trust, and at least 2 alternates for different ids. I'm not going to setup 6 profiles and open close the browser depending on which one I need. Worse yet it means others using my computer can authenticate themselves as me.
It's just a bad idea all round.
Re: (Score:2)
You don't need to open/close the browser.
There will be a UI for that, where you choose what identity you want to use for the site you are looking at.
Can I Make This Work in REVERSE (Score:2)
Where Facebook rejects ALL traffic associated with a browser I am using?
Re: (Score:2)
The image linked by Lennie shows multiple profiles that you can choose from on the fly. The last image has "Anonymous", "You" and "Create", which implies that you can have how many profiles you want.
Re: (Score:2)
I wonder how hard this is to set up if you run your own email servers. I like postfix on linux...would it be something in coordination with that, or just another stand alone app that I'd run on a server I have from my domain?
Re: (Score:2)
You need:
* the normal stuff to handle email:
- like a domain
- like an incoming/outgoing mail server, probably spamfiltering
- probably a IMAP/POP-server
- or maybe a webserver for webmail
- and a webmail program
If you want to implement the Verified Email Protocol, this adds:
You need a webserver for your domain which has a http://example.com/.well-known/host-meta [example.com] file which points to an URL where the public-key-information can be queried.
That is all this adds.
If you want to set this up for users, you probabl
Re: (Score:2)
You need a webserver for your domain which has a http://example.com/.well-known/host-meta [example.com] file which points to an URL where the public-key-information can be queried.
So, if you have only an e-mail domain (e.g., a domain purchased solely to allow you to have your own GMail domain), then you can't use this service.
There are also a lot of people who have e-mail through an ISP which either won't do this at all, or would screw it up in some way that your login wouldn't work (Verizon, Comcast, etc.). I don't even know if Google would support this, as all HTTP requests to gmail.com seem to redirect to google.com/mail.
Re: (Score:2)
Secondary Authorities
As noted above, it is unrealistic to expect every mail host on the internet to adopt this protocol. A secondary authority is a trusted intermediary who verifies an email address on behalf of a relying party. Secondary authorities could be operated by entities that make strong guarantees about user privacy and authentication accuracy, and are perceived by users and developers to be both technically competent and commercially disinterested.
A secondary authority could verify an identity in whatever way it sees fit, but in one scenario, the user would simply provide their email address to the authority in a web page. The authority would then engage in a multi-stage authentication process, where it stores a cookie in the user's browser, sends a message to the provided email address, and, when the user clicks a link in the provided email message, establishes that this browser is being used by a user who controls that email address.
Re: (Score:2)
I've never heard of an email only domain..?
I think a domain is a domain is a domain. Just associating basically a name with an IP address....who is imposing this 'limit' on you for a domain you purchased? I've never seen this at place you buy domains at like GoDaddy...etc. You purchase the name, it is yours to do, or not do as you wish...?
Re: (Score:2)
I've never heard of an email only domain..?
I suspect that there are a lot of people who purchase domains to have a fixed e-mail address but don't set up a web server at that domain, especially now that you can use sites like Facebook to post the kinds of things that most people would put on their personal website.
Re: (Score:3)
Re: (Score:3)
Or...set up a real anonymous email account with a nym [iusmentis.com] server...?
Set up this account that bounces through a few remailers....will be a real email account, but virtually untraceable.
Re: (Score:2)
according to this wiki entry [mozilla.org] it is possible to create multiple key pairs for one address, so public keys are not compulsorily unique identifiers.
Re: (Score:2)
This does nothing to protect my anonymity.
I didn't know Facebook allowed anonymous logins.
Re:Bad idea idiots (Score:4, Insightful)
Not sure if you're trolling or not (you probably are), but in 2nd and 3rd world countries Internet Cafes and cellphones are the primary means of Internet access...
Re: (Score:2)
Re: (Score:3, Insightful)
Re: (Score:2)
Erm... Is this an advertisement/spam or a legit post? I can't quite tell...
On the one hand, it's well written, unlike most ads. On the other, it has the same one-link-to-paragraph-of-information I've seen several times before.
If it had been written by AC, I'd have considered it spam, but...
Re: (Score:2)
The same way nearly all signup forms request your email in order to be able to recover your account if you forget your password. Oh I forgot people create fake emails if they do not trust the site
Re: (Score:2)
I create fake emails even when I trust the site !
Re: (Score:2)
The spec actually explicitly envisages this:
https://wiki.mozilla.org/Labs/Identity/VerifiedEmailProtocol#Scope_of_the_system [mozilla.org]
"With some additional work, to create pseudonymous identities that allow a user to provide a different address per relying site"
Re: (Score:2)
Not just that, but now you have to remember to back up your browser's private key, and have them synced across different browser installs...
Re: (Score:2)
Yes, Mozilla created a separate specification that others can implement.
BrowserID is the Mozilla project and Verified Email Protocol is the specification they created.
It should be really easy for a large mail provider like GMail to provide this, and all it needs to do is store a public key and have it available to anyone who would want to check it.
Re: (Score:2)
So this system just gives your verified email address to whatever site wants to have it?
One verified address. So just set up the system so that the browser can manage more than one such id. For most sites, you'd then use the id tied to a throwaway hotmail address. Or to a specialized server that only generates email lookalikes which you cannot actually deliver to.
Re: (Score:2)
To whatever site you decide to give it to. User intervention (at least one click in the browser chrome) is required.
(This is obvious, why do people assume that new systems do the dumbest thing possible and not even bother to check?)
Re: (Score:2)
(This is obvious, why do people assume that new systems do the dumbest thing possible and not even bother to check?)
Because setting up that click event to be the close box on a pop up is beyond simple.
Re: (Score:2)
To whatever site you decide to give it to. User intervention (at least one click in the browser chrome) is required.
(This is obvious, why do people assume that new systems do the dumbest thing possible and not even bother to check?)
Because on slashdot, naming the most obvious flaws in a new idea is what passes for insightful. I'm starting to think the between-the-lines subtext is, "I did not think of this cool idea and am slightly envious, therefore it must be fatally flawed." because surely the people who come up with new ideas are incapable of thinking of these obvious and sometimes crippling flaws on their own.
Re: (Score:2)
It doesn't improve security on the client's side, but it does on the server; if Sony had implemented this (or OpenID, or any of those) they wouldn't have a database full of clear-text passwords delivered on a silver plate to any attacker.
Re: (Score:3)
If you've got malware then you're screwed anyway....
Re: (Score:2)
"is there a passphrase you'll use to open it each time you launch the browser?"
That depends on the browser implementation, but I'm sure many will do so.
A new form of "Single Sign-On" ?
Re: (Score:3)
What I'd like to have is something simpler, and this was suggested by another /. person:
Go to a site. Type in your username. It will have a string of random character (or perhaps a timestamp + some random characters) that is copy/pastable. Copy this text. Sign it with your PGP/gpg private key. Paste the result back, and log in.
The advantage of this is that PGP/gpg is pretty much platform agnostic, the keys can be stored in secure locations such as smart cards, or TPMs, PGP has proven itself and stood t
Re: (Score:2)
Yes, they tried to leverage OpenID a few years ago, it didn't work out.
So now they created this.
And good thing is, a lot of proven technology already (client cert).
Re: (Score:2)
Why didn't it work out? (I don't know much about OpenID.)
Re: (Score:2)
Encrypt all the passwords and keys before storing them on disk and have the user provide a passphrase before using the browser.
I expect that is how it will work.
Re: (Score:2)
Which depends on a whole lot of big protocols which are much more complicated than need be.
Have a look at the specification:
https://wiki.mozilla.org/Labs/Identity/VerifiedEmailProtocol [mozilla.org]
https://wiki.mozilla.org/Identity/Verified_Email_Protocol/Latest [mozilla.org]
Re: (Score:2)
I think the private key in the browser is used to generate a key per site, which can be used to verify you own the public key which is related to your email-address.
But I could be wrong. :-)
Re: (Score:2)
The 'one global password' is an RSA key pair, which is a substantial improvement on a user-generated (and hence usually weak) password.
Re: (Score:2)
I may have some data about your theory. For quite some time now (a few years), I have a catch-all on my domain, so I can basically use any address I want. When some site wants my email, I give it firstname.@mydomain.de. Now, from time to time, I look through my spam folder to do a bit of research. Turns out, most of the spam goes to an address I have used in the far past on usenet or variations of it. Second in rank is a random string as username (comes naturally with a catch-all) and right after that is my
Re: (Score:2)
Just to ensure there are no illusions that should read, "I am part of the product google sells to its advertisers."
From,
A fellow product.
Re: (Score:2)
Yes and no. This project has been in the works for over 2 years at Mozilla in different forms, among being based around OpenID and other systems.
The Verified Email Protocol specification has been in the works for a while now too.
The biggest problem was, I think, that they still needed to solve that not all email-providers would (immediately) implement this, so that is what the BrowserID project is for.
Re: (Score:2)
To be honest, I'd be more happy if they'd finish implementing their ideas. It's been how long now and Jetpack still isn't ready for prime time?