Mozilla Offers Alternative To OpenID 105
Orome1 writes "Mozilla has been working for a while now on a new browser-based system for identifying and authenticating users it calls BrowserID, but it's only this month that all of its sites have finally been outfitted with the technology. Mozilla aims for BrowserID to become a more secure alternative to OpenID, the decentralized authentication system offered to users of popular sites such as Google, Yahoo!, PayPal, MySpace and others."
Useful Links (Score:5, Informative)
This submission looks like typical content farm / blogspam junk so here's some useful links instead:
Simplicity (Score:5, Informative)
BrowserID is pretty simple. It's basically a single Javascript function that a website can call in the browser. This example on github [github.com] shows the function that is called. The clientside code is then free to make requests to the server for a specific authentication mechanism, making it very flexible. The Server code [github.com] just validates the username/password.
Personally, I think it's simpler to understand than things like OpenID which are convoluted and not standardized from the user point of view. Where is the standard account management protocol for OpenID?
An older Slashdot article on BrowserID for reference: http://www.yro.slashdot.org/story/11/07/15/1216222/Mozilla-BrowserID-Decentralized-Federated-Login [slashdot.org]
Not heard of Enigform but will look into it!
Re:Useful Links (Score:5, Informative)
I think the JS part is true, but the centralization is only temporary until there are Primary Identity Authorities (which would be mostly email providers, from what I can tell).
http://lloyd.io/how-browserid-works [lloyd.io]
Re:What is wrong with OpenID? (Score:5, Informative)
I think the main differences are that it uses email addresses instead of an URL (which people don't "get" as being your identity token) and it doesn't give the authorities full power to access your accounts (since the private key for authentication is stored on the browser).
Re:and how does it work? (Score:4, Informative)
It stores a private key in your browser that you need to auth yourself (transparently to the user).
Re:Simplicity = BAD (Score:4, Informative)
https://www.browserid.org/about
No password?? Are you kidding me??
The moment I saw that 3rd step, I just.... I'm speechless. What the fuck?
When you dig into the details past all the JS crap, it's actually just a variation on client-authenticated SSL. I'm not 100% sure what exactly is being asserted in the client's identity (before checking back with the issuer) but it most certainly does work, and it should be fine provided the private keys remain locked outside of the grasp of even the browser JS. That is, the private key must provably not ever leave the browser; if anything can make that happen, it's insecure whatever the developers think.
Re:Useful Links (Score:5, Informative)
The way it is supposed to work (eventually)
1. User clicks sing-in link on website.
2. Website calls a Javascript function that is implemented by the browser. They pass in a callback function that takes one argument (described later).
3. The user selects an email address from a list in the browser, or chooses to add a new email address.
4. The browser checks a with the email provider (via http, and a well known location (like robots.txt or favicon.ico)) to verify that they support BrowserID. We will assume the email provider does support BrowserID. The response includes a public key for the Provider, and a provisioning url.
5. The browser opens the provisioning URL in a hidden iframe.
6. The provisioning page requests the email address from the browser.
7. If the user is already signed in goto step 10.
8. The provider indicates that the user is not signed in, and tell the browser the URL of the sign in-page, which the browser shows to the user.
9. The user signs in as normal.
10. The provisioning page asks the browser to generate a cryptographic key pair.
11. The browser passes the public key to the provisioning page, which passes it to the provider's server, which signs it (with a short expiration time) , replies with the signature , which is passed back to the browser.
12. The browser creates an assertion, which is the domain name of the site the user is trying to sign into, the email address, and a short expiration time, signed with the browser-generated private key. The assertion also includes the signed public key.
13. The browser passes the assertion into the callback, which passes it to the website's server.
14. The website's server extracts the email, fetches the provider's public key, much like the browser did. The server validates the assertion includes its domain name, and is not expired, and was signed by the included public key. It also verifies that the public key is not expired. If so, it extracts the email address, and uses it to fetch the email provider's public key. It uses that to verify that the email provider signed the public key found in the assertion.
15. The user is considered signed in by the website.
How this looks to the user
In the most common case, the user is already signed in with their email provider, so the user sees themselves clicking on the login link, picking their email adress, and that's it. They are signed in.
How this currently works
Currently there is no browser support. There is a centralized location that provides a JavaScript polyfill and associated website allowing the system to be used without browser support. Both the provider's provisioning page, and the Relying website's page must use this polyfill, and this must be one one centralized location, since both would need to use the script from the same site in order for this to work.
Currently there are also no email providers that provide this support, so a central provider is used as a fallback. This provider must be in a centralized location, since both the browser/polyfill-site and the relying party must agree on the fallback provider. This provider does the only thing it can to verify ownership of a third party email address, which is sending a standard challange email to the address, which the user will access and reply to.