Forgot your password?
typodupeerror
Mozilla Privacy The Internet Your Rights Online

Mozilla BrowserID: Decentralized, Federated Login 179

Posted by Soulskill
from the grand-unified-login dept.
An anonymous reader writes "Mozilla Labs has just launched the prototype of its BrowserID project and the accompanying Verified Email Protocol standard. Basically, BrowserID is a browser-based federated login provider like Facebook Connect, but without the privacy leaks. Fundamentally, BrowserID is public key encryption. You register an email address with your browser, which is then confirmed with a standard 'click here to confirm' email. A public/private key pair is then generated; your browser keeps the private key, and your email provider keeps the public key. Now, when you visit Facebook (or any site that supports BrowserID), your browser gives Facebook your email address and an identity token signed with your private key. Facebook queries your email provider for your public key, decrypts your identity token, and logs you in — voila, secure, private, browser-based logins. Oh, and the prototype is written in HTML and JavaScript — so it works across every modern browser, too."
This discussion has been archived. No new comments can be posted.

Mozilla BrowserID: Decentralized, Federated Login

Comments Filter:
  • yeeeeeeeeeeeeeeeeeeeeeeeeeeessssssss!

    finally. thank the deities.

    • by sirlark (1676276)

      Agreed, it would be a wonderful thing to have, but it still has issues as far as I can see.

      TFS says 'but without the privacy leaks', but really you can still be tracked/followed/denied/fucked with from a single point/service, namely your email provider.

      Also, there's the age old problem of common password for everything, if one is compromised, they all are. Granted in this case, it's a private key and not password, which is slightly harder to acquire though social engineering, mainly because most people aren

      • The issues that you point out already exist with current email-to-reset approaches. What they are suggesting is not a perfect solution to authentication, but after glancing through their spec it seems to be at least as reliable as what we use currently. At the moment your email provider could screw with any account that relies on password confirmation / reset request emails. With this system the provider would only hold your public key, so while it would still be able to track / deny-service it would not ha

      • what keeps this approach from generating a separate key for every site?

      • No, you actually can't be tracked via this system from your email service provider. That was the point of this.

        The system works like this: your browser gets a signed crypto certificate from your email provider (or some other proxy who can confirm you own the email address you claim to own - Mozilla is running their own email verifier already - called "auth party" or AP). Your browser resigns that cert locally and hands that over to the login website ("relying party" or RP). The RP then only has to check the

      • by AdamWill (604569)

        "TFS says 'but without the privacy leaks', but really you can still be tracked/followed/denied/fucked with from a single point/service, namely your email provider."

        Well, with current systems you already can: they all rely on the old 'send a verification email' technique, and whoever provides your email account can obviously read your email. So this system doesn't make things any worse than current systems from a privacy perspective, while adding quite a lot of convenience. The idea that you're already trust

  • by Anonymous Coward

    Ah, so when i have to reinstall my OS due to HDD death or OS death and for whatever reason, can't save my profile app data files (depending on where it stores the key)... then what?

    Will i just be able to do a "Forgot my password" type action to regenerate a private key?

  • by Anonymous Coward on Friday July 15, 2011 @09:06AM (#36774006)

    isn't the browser basically the most targeted piece of software on a computer? if the private key is stored in the browser, doesn't that mean that potentially one successful exploit in the browser would let a hacker log into any website as you?

    • by ArsenneLupin (766289) on Friday July 15, 2011 @09:32AM (#36774300)
      How is that different from now, where you can have the browser autocomplete the password for most login forms anyways? If the browser is hacked, the autologin password db is exposed too.
      • by tftp (111690)

        How is that different from now, where you can have the browser autocomplete the password for most login forms anyways?

        To begin with, my browser saves my password for Slashdot, but not for my bank. I make that decision.

        Secondly, when I connect to something from a remote, possibly untrusted location (like the work computer) I can choose to not store anything at all, and perhaps even run in the "private browsing" mode.

        This system would insist on having a private key, one way or another, for a login into

    • The browser is still less targeted than the login pages of the services one uses online.

    • by Lennie (16154)

      If you know your private key is stolen you just generate a new one and the problem is solved (unless they get access to your email account as well ofcourse).

  • So wait - why doesn't this use the existing PGP web of trust and software?

    And how does it mitigate the MITM/Phishing attacks that plagued OpenID?

    I'm skeptical, but encouraged to see some efforts here...

    • by washort (6555)

      So wait - why doesn't this use the existing PGP web of trust and software?

      Mainly because PGP is only usable by people who are already security wizards.

    • And how does it mitigate the MITM/Phishing attacks that plagued OpenID?

      Phishing only works because the user has to input the password on the provider's website (which is phished). With PKI, the private key is never sent - you just prove you have it by encrypting something with it - so phishing is useless.

  • So where does this leave Internet users whose e-mail providers decline to implement Verified Email Protocol?
    • by tero (39203)

      That's where the secondaries come in. The RP's are asked to implicitly to trust the authentication coming from these "trusted sources".

      Mozilla is proposing making their own browserid.org as one such secondary.

    • by Joce640k (829181)

      The kind of users who use this will be the kind of users who use hotmail/gmail/yahoo/etc.

    • by Lennie (16154)

      I think that is what the BrowserID project is for, see the video.

      They mail you a link just like all these sites currently do, you just need to do it ones to verify your email address instead of for each and every site.

  • by Errol backfiring (1280012) on Friday July 15, 2011 @09:11AM (#36774064) Journal

    My browser will automatically provide my e-mail address? The very thing I do NOT want to provide when signing in with the majority of sites?

    Also, as a web developer, I think it is a real bad design error to use an e-mail address as a login. What happens if you change your provider? Do you log in with your new (thus unknown) e-mail address? Or do you want to send the lost password to the no longer existing one?

    • Re: (Score:2, Insightful)

      by marcosdumay (620877)

      The first issue is fixed simply by the browser asking your permission before it sends your data. The UI can be made in a way that is harder to give permission (at the first login) than just clicking 'Yes'.

      The second issue is real, but is also moot. Everybody uses email for authentication. A few people that can think offer the option of changing your email, others don't. Those same groups would do correclty/incorrectly any authentication method you can think of.

    • by Lennie (16154)

      Not automatically obviously. It still needs user-interaction.

      How do all these other sites currently handle accounts ?

      They use email-addresses and a verification-email and have a profile-page where you can change the email-address.

      This is not that different.

    • by Bengie (1121981)

      "Also, as a web developer, I think it is a real bad design error to use an e-mail address as a login"

      Playing the critic. How does one remember their login for every website?

      Whenever my browser forgets/clears my user/pass cache, I have to request my username to be sent to me and my password reset.

      On almost a daily basis, I'll reply to someone on a forum, it'll request I register, I attempt to register and it'll say that email is in use. I don't remember signing up, so I just do a password reset.

      It's so annoy

    • I think it is a real bad design error to use an e-mail address as a login. What happens if you change your provider? Do you log in with your new (thus unknown) e-mail address? Or do you want to send the lost password to the no longer existing one?

      It's not using an e-mail address as a login. It's using a private-key signed challenge packet as a login. The e-mail address is provided to give the website the location of a reasonably secure version of your public key, so they can validate the challenge packet.

      If you change e-mail hosts, you simply give the new host your original public key. (Which will probably be an automagic one click option by the time this system goes public, given that stupid-ease-of-use is its purpose.) Now when you sign in, your b

  • they get access to all your shiznit.

  • OOoops! too late your browser has already given you up...

    And what if you need to have multiple identities?

    • by jank1887 (815982)

      or what if multiple people use the same web browser? think: family room PC where mom/dad/teenager go and open up a web browser then log into their own facebook account. no, they don't have separate windows profiles and don't bother with addons that let you have multiple firefox profiles, etc, within one windows profile. (how would THAT affect this anyway...)

      • by PhilHibbs (4537)

        Well, you'd have to use multiple profiles. This would require the browser writers to make profile switching much easier than it currently is. The browser would basically take over the "login" function, it decrypts your private key when you launch the browser and throws the key away when you close it or log out of your profile. A good browser would have an option to share bookmarks across profiles, for families that want to bookmark things for each other.

      • by Bengie (1121981)

        don't use a public computer to log into websites

    • by Atzanteol (99067)

      The browser doesn't just automatically log you in. You need to select which email address you want to use. Watch the 'fing video before complaining.

  • I tried the demo at http://myfavoritebeer.org/ [myfavoritebeer.org] and the result was:
    "Error encountered while attempting to confirm your address. please try again. (error message: unknown)"
  • by PopeRatzo (965947) * on Friday July 15, 2011 @09:53AM (#36774556) Homepage Journal

    a browser-based federated login provider

    Got damn Feds is getting involved in everything these days.

    Hell, pretty soon they're gonna be all up in my Social Security and Medicare. That's why I'm a-voting for that pretty Mi-chele Bachmann. And let me tell you, I'd like to show her what a real man is. You know she ain't getting it from that big homo she's married to. And by homo, I mean gay as pink ink. Dude has to tie weights to his shoes so they don't float right out of the closet. He's queerer than a box of monkeys on DMT. Gay cubed.

  • by anom (809433)

    But what exactly does this get me over SSL Client Certificates?

    Frankly, I don't entirely understand why the world hasn't started using SSL Client Certificates, and I wonder what will make people use this scheme, when client certificates have lain unused for so long.

  • I mean, really...with a few hundred million compromised systems, and something on the order of a billion compromised email accounts...what could happen?

    The Mozilla people should have had some very serious conversations with people working in the spam/phish/botnet space before going down this road. It doesn't matter how clever or robust this scheme is, in the contemporary environment it's absolutely worthless.

    In fact: it's worse, because it provides a new attack vector to people who have already demonst

  • It had damn well better be done locally, or you have no guarantee that your private key is actually private. Are they going to write the keygen code in Javascript?

  • by Bengie (1121981)

    I just saw this at the bottom of my /. page

    Get more comments "119 of 118 loaded"

    Race condition or faulty logic? I would prefer a race condition as it makes me feel like I just won the lottery.

  • Sounds interesting, but right now the role of identity provider seems to be limited to (to quote the page itself) "dudes like Yahoo!, Google, Twitter, Facebook, and even github".

    Well, thank you, but I run my own server and I own my own domain and I want to provide my own identity.

    So, call me again when there's a Debian package for that. Until that happens, I'm not interested.

Machines certainly can solve problems, store information, correlate, and play games -- but not with pleasure. -- Leo Rosten

Working...