Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror
×
Mozilla Privacy Security IT Technology

Mozilla Offers Alternative To OpenID 105

Orome1 writes "Mozilla has been working for a while now on a new browser-based system for identifying and authenticating users it calls BrowserID, but it's only this month that all of its sites have finally been outfitted with the technology. Mozilla aims for BrowserID to become a more secure alternative to OpenID, the decentralized authentication system offered to users of popular sites such as Google, Yahoo!, PayPal, MySpace and others."
This discussion has been archived. No new comments can be posted.

Mozilla Offers Alternative To OpenID

Comments Filter:
  • Enigform (Score:2, Interesting)

    by Anonymous Coward
    Still more interesting (OpenPGP + HTTP + session management)
    • Simplicity (Score:5, Informative)

      by improfane ( 855034 ) * on Saturday January 21, 2012 @09:00AM (#38773558) Journal

      BrowserID is pretty simple. It's basically a single Javascript function that a website can call in the browser. This example on github [github.com] shows the function that is called. The clientside code is then free to make requests to the server for a specific authentication mechanism, making it very flexible. The Server code [github.com] just validates the username/password.

      Personally, I think it's simpler to understand than things like OpenID which are convoluted and not standardized from the user point of view. Where is the standard account management protocol for OpenID?

      An older Slashdot article on BrowserID for reference: http://www.yro.slashdot.org/story/11/07/15/1216222/Mozilla-BrowserID-Decentralized-Federated-Login [slashdot.org]

      Not heard of Enigform but will look into it!

      • Am I understanding this correctly? The client sends a login request to the server. The server sends an email to another server. If there is a response to the email the user is then approved?

        • If there is a response to the email the user is then approved?

          That's the technique for the "interim"period, in which browserid.org will implement user control verification through an e-mailed link. For each e-mail address that you wish to use as an identifying token you'd have to prove that you control it through that mechanism, until your e-mail provider ( which may also be you ) implements BrowserID.

          Unfortunately the end-state to which we are all supposed to move is to have our e-mail providers act as the Primary Identifying Authorities for us. browserid.org would

          • I hope they are planing PGP (pretty freakin rare) or SMTPS (really freakin rare) to protect the content of emails. It wouldn't be very difficult to snarf "mailto:" out of an email for an ISP, or anyone [cough]NSA[/cough] else managing to get a SPAN port on an ISP's router.

  • by Anonymous Coward

    You should be using Microsoft certified Passport/Windows Live ID for all your cloud authentication needs.

  • by Anonymous Coward on Saturday January 21, 2012 @08:36AM (#38773468)

    I have an RSA SecureID token for logging in to my company VPN and we all know how rock-solid RSA is.

    • What you need to understand, no security is absolutely perfect. There is no such thing, unless you disconnect the computer from all outside sources and influences, and allow no access to the computer, what that breaks down to is, unplug the computer, disconnect it from the internet, and lock it in a vault. And even that's not 100% secure.

      Bottom Line:

      Locks only keep honest people honest.

  • Useful Links (Score:5, Informative)

    by weezel ( 6011 ) on Saturday January 21, 2012 @08:45AM (#38773498)

    This submission looks like typical content farm / blogspam junk so here's some useful links instead:

    • I was going to post something similar but you beat me to it. Many thanks!

  • by brunes69 ( 86786 ) <slashdot@nOSpam.keirstead.org> on Saturday January 21, 2012 @09:05AM (#38773560)

    - It is widely adopted among many providers
    - It does not share any of your information cross-site unless you allow it
    - It works

    Why do we need yet another standard? I do not see anything in this article, on browserid.org, or anywhere else that breaks down why Browser ID is superior.

    Also, I don't see Google Chrome adopting this, since Google backs OpenID, and I don't see Microsoft adopting it either. So really this is going to end up a Firefox only scheme that will never gain enough penetration to make sites want to go to the effort to implement it.

    • Different problems (Score:5, Insightful)

      by improfane ( 855034 ) * on Saturday January 21, 2012 @09:26AM (#38773670) Journal

      I think BrowserID and OpenID solve slightly different problems. BrowserID standardized the process of you logging in through your web browser while OpenID is about authenticating yourself through some authority (be it a server controlled by you or some third party). So that's a user-website interaction for BrowserID or website-website for OpenID.

      They could actually be used together, any service that accepts OpenID logins could expose a BrowserID interface too.

      • OpenID is for logging in too, and BrowserID also authenticates through an authority (the Primary Identity Authorities).

      • by Daengbo ( 523424 )

        Why not use XMPP? See my two-year old sig below.Unfortunately, OWS, a working social network, was run over by Diaspora, which was vaporware at the time. XMPP+ extensions would give you federated social for free.

    • by icebraining ( 1313345 ) on Saturday January 21, 2012 @09:31AM (#38773690) Homepage

      I think the main differences are that it uses email addresses instead of an URL (which people don't "get" as being your identity token) and it doesn't give the authorities full power to access your accounts (since the private key for authentication is stored on the browser).

      • Re: (Score:3, Interesting)

        by cdrnet ( 1582149 )

        An email address is exactly what I do NOT want to provide to every second website where I just need some simple customization/profile. And where I do provide an email address, I always use a unique address (essentially allows me both automatic organization into folders but also to get less than 1-2 spam mail per year, simplify by blacklisting aliases which either leaked or obviously have been sold to some spammer (happens usually about a year after some web service/sites shuts down)). This works very well w

      • since the private key for authentication is stored on the browser

        Sounds like a safe place to keep my one password to everything. [/snark]

      • by tal197 ( 144614 )

        I think the main differences are that it uses email addresses instead of an URL (which people don't "get" as being your identity token)

        Once it's ready (supporting primary IdP's), the ID doesn't need to be an email address (just an ID with an email-like structure).

        and it doesn't give the authorities full power to access your accounts (since the private key for authentication is stored on the browser).

        I don't think so. That key is only accepted because it's signed by your IdP, which can just as easily sign another one if the authorities request it. The main advantages I see are:

        - Verifying a login doesn't tell you're IdP who signed in to the site. The site only requests the IdP certificate, not your personal one.

        - It's designed for browser support, which is necessary to pre

        • by dkf ( 304284 )

          - It's designed for browser support, which is necessary to prevent phishing attacks and improve ease of use. It's hard for your browser to log in to OpenID sites (e.g. the Firefox OpenID plugin(s) fail on several sites which use fancy login UIs).

          Auto-login is always problematic in security terms, even if it is exceptionally convenient.

          - Putting more of the logic in the browser simplifies the protocol (although they seem to be adding extra complexities quite fast).

          It simplifies the code in the part of the implementation of the protocol that is written in Javascript and sent by sites to the browser. The protocol itself is rather complex, as is the parts that are intended to be implemented in the browser's own code. It's also not clear just how much effort has been put into making things easy for the other parties in the action: if it's not easy for sites to implement, it won't g

          • by tal197 ( 144614 )

            - It's designed for browser support, which is necessary to prevent phishing attacks and improve ease of use. It's hard for your browser to log in to OpenID sites (e.g. the Firefox OpenID plugin(s) fail on several sites which use fancy login UIs).

            Auto-login is always problematic in security terms, even if it is exceptionally convenient.

            I don't think anyone is suggesting auto-login (the browser logs the user in without action from the user). The issue is whether the browser can provide a login button in the chrome which, when clicked, allows the browser to handle the rest of the process securely (e.g. not displaying any random phishing site that the web-page tries to send you to). If you need to authenticate, the browser needs to ask for the password in a way that clearly shows it's OK to enter it (e.g. in a clearly-marked popup).

      • by dog77 ( 1005249 )
        Are you sure your are correct in saying Browser ID "doesn't give the authorities full power to access your accounts"? Your email authority has your email password, which is what you use to setup the certificate and keys. What information does it lack to prevent it from setting up its own keys and establishing a connection and logging into to one of your accounts?
    • by Surt ( 22457 )

      I think you spotted what's wrong with openId with item #2, at least as far as big corporations like mozilla are concerned.

    • Why do we need yet another standard?

      We don't have a standard for signing in, yet. OpenID is certainly not universal. BrowserID is yet another option, and a pretty good one, IMHO. Let them compete.

    • It all depends on the user experience. From the users point of view, they click a link, and may be prompted to enter their email provider, username and password. How can you guarantee that the web page you clicked on to start this process isn't providing their own form to fool the user and capture their password?
    • Two things wrong with OpenID --

      1) It was a pain to implement. It is not widely adopted among sites I want to log in to.

      2) It tells my OpenID provider (say, Google) every site I log in to. This is unacceptable to me as a solution. BrowserID only let's Google know that SOME Google user is logging in.

    • by BZ ( 40346 )

      Google and Microsoft don't have to adopt this. The system is designed such that browsers that have no native support can still work with it via a JS polyfill. So sites can deploy this right this second, even though no browser (and that includes Firefox) has native support yet.

  • by AbRASiON ( 589899 ) * on Saturday January 21, 2012 @09:07AM (#38773566) Journal

    I'll wait for BrowserID v9 in 6 months

  • It is easy to implement, with your own provider if you want.
    It is not cross browser nor noscript friendly so the usual login methods will have to be kept, but that's not a big problem, one is offering a shortcut, just like openID or logins through FB, openID...

    OTOH the browser acquires new functionality and an internet world ruled by a bunch of www browsers, instead of the multitude of clients of the internet 1.0, means that security issues will turn into catastrophes, like it happened with a windows monoc

  • The official site just says "you choose your email-adress to use and you're logged in". So, now assume i am a attacker, and i choose YOUR e-mail address ... i am logged in?!

    so please some good links to the techniques behind it, especially:
    - why it is decentral (is it?)
    - how it is secure (is it?)
    - how to set up my own server to use for myself (can i?)
    - why not use openid (why?)

    • by icebraining ( 1313345 ) on Saturday January 21, 2012 @09:35AM (#38773718) Homepage

      It stores a private key in your browser that you need to auth yourself (transparently to the user).

      • by allo ( 1728082 )

        okay, so its one of the solutions, i cannot use when using multiple computers/devices/browsers. Lets wait for the next solution, if its any better.

        • by Tacvek ( 948259 )

          Actually it works fine with multiple devices/compters/browsers.

          One finished it will work like this:
          You click login. The website calls a javascript function provided by your browser. If you pick/enter an email adress.

          If you have not used the adress before the browser generates a cryptographic key pair. It contacts your email provider. If you are already signed in the provider simply signs the browser's generated public key (which includes the email address). A signed public key is also known as a certificate

      • Cool, so now it impossible to access the websites from any other computer. With OpenID you can set up sms, e-mail, password, browser certificate (same as browserID appears to do), or even having a special usb button next to your home server connected to a serial port to authenticate you.
  • The bigger issue today is how not to be ID'd on the internet. This is where I feel Google crossed the line to the darkside with their insistent request for phone numbers and attempts to force their "new and improved" UIs on people. Everybody and their brothers are working on getting identifying information from users. Google used to be different before they switched from focusing on aggregating "anonomys" data to gathering personal information.

    • by tftp ( 111690 )

      Everybody and their brothers are working on getting identifying information from users.

      This is probably related to the US government starting to monitor [theblaze.com] what you are saying on the Internet.

      In such conditions the only prudent thing to do is to use many different logins, and use one login for one site only. This still allows an observer to use your unique writing style to suspect authorship - but that would be far weaker than the certain knowledge that all these @posts are written by the same individual.

  • Obligatory xkcd (Score:1, Insightful)

    by mattgoldey ( 753976 )
  • by Anonymous Coward

    There really isn't any new news about this. [slashdot.org]

    I would have thought the more appropriate Mozilla news is that they have released Rust 0.1 [mozilla.com] or general browser news that natively supported WebM browser share exceeds natively supported H.264 share [hsivonen.iki.fi]

    • by Goaway ( 82658 )

      natively supported WebM browser share exceeds natively supported H.264 share

      Which matters not one bit, as long as Flash exists and supports H.264.

  • Seriously, what are they thinking? HTML5 support in FF is absymal (how hard is it to implement sliders a.k.a. input type=range?), memory consumption is ridiculously high (despite all claims to the contrary), who cares about the Nth alternative for a solved problem? After they retardedly jumped 5 major version numbers in 6 months without any important changes and lost a big chunk of the market, they should slowly get their act together...
  • by shish ( 588640 ) on Saturday January 21, 2012 @11:31AM (#38774418) Homepage

    a new browser-based system

    The only problem I have with OpenID is that it's so web-centric it's a pain in the ass to implement for native apps. Could we please have a distributed ID system that *can* use a web browser, but doesn't *require* one?

    • If only Mozilla Foundation had some sway with browser makers... wait... they are a browser maker.

      BrowserID is being user tested as a standalone, but incorporating it directly into Firefox is explicitly their end game. Once there, others will follow.

    • I'm pretty sure SAML can be used in native apps - just that almost no-one does. Ditto for OAuth (the problem with OAuth is that although it can be used for native apps, the OAuth-using services all seem to demand you open a web page so they can display their pretty auth UI).

    • by Lennie ( 16154 )

      Mozilla actually wants to solve that problem I hear. They are exploring ideas and haven't created a framework for it.

    • The fundamental problem is that the user needs a trusted channel between themselves and the authentication provider. The only common & cross platform communication channel is a web browser. Native apps work around this by embedding a web browser, which is insecure in that they might be stealing your password. But the user experience is sucky, and most opinions seem to be that the existing systems have sacrificed too much usability for security.

      Now it is supported by Google & Facebook, XMPP might be

In the long run, every program becomes rococco, and then rubble. -- Alan Perlis

Working...