Author Topic: BrowserID - Mozilla's solution to the password problem  (Read 6433 times)
Lashiec
Member
**
Posts: 2,374


« on: July 15, 2011, 04:52:35 PM »

The guys at the Mozilla Foundation unveiled today a clever solution to the problem posed by maintaining several different accounts for all the Internet services the average Internet user handles daily. The solution is called BrowserID, and it combines your e-mail address and browser client to identify yourself on the Internet, effectively eliminating the need to juggle several different identities and all the passwords associated with them. This is an idea that Mozilla has been working on for a few years, but only now are we able to see the first results yielded by the research.


While it certainly improves usability, especially for those less technically inclined, there are potential security concerns that Mozilla isn't clearing at the moment. For starters, this method would transform your e-mail account into the sole point of failure, which if compromised, could jeopardize your entire digital identity.

More information, including an interactive demonstration, is available at the link above. Documentation and technical details are on a separate blog post.

via Slashdot
« Last Edit: July 15, 2011, 05:12:02 PM by Lashiec; Reason: Proofreading, added link to documentation found on page footer » Logged
cyberdiva
Supporting Member
**
Posts: 908


« Reply #1 on: July 15, 2011, 06:41:04 PM »

I'm somewhat confused.  Does BrowserID assume that I always use the same browser?  Or the same computer?  I also use a variety of email addresses.  I'm not eager to have these addresses brought together by BrowserID.  Nor do I want to be identified by my email address rather than by a username I choose.  I realize that BrowserID is in an early stage, but from what I've seen I wouldn't dream of using it. 

In addition to the privacy concerns I've raised, I'm also in agreement with Lashiec's point about the security risk of having one's email account as the sole point of failure.
Logged
40hz
Supporting Member
**
Posts: 10,770



« Reply #2 on: July 15, 2011, 06:49:01 PM »

Strikes me as somewhat akin to bringing in Manchu scorpions to get rid of ants.  tongue

Logged

Don't you see? It's turtles all the way down!
wraith808
Supporting Member
**
Posts: 6,446



"In my dreams, I always do it right."

« Reply #3 on: July 15, 2011, 06:53:30 PM »

Personally, I like the idea of OpenID.  I just wish more sites would support it.  undecided
Logged

Lashiec
Member
**
Posts: 2,374


« Reply #4 on: July 15, 2011, 07:30:27 PM »

Quote
I'm somewhat confused.  Does BrowserID assume that I always use the same browser?  Or the same computer?  I also use a variety of email addresses.  I'm not eager to have these addresses brought together by BrowserID.  Nor do I want to be identified by my email address rather than by a username I choose.  I realize that BrowserID is in an early stage, but from what I've seen I wouldn't dream of using it.

Well, no. As I understand, you can use as many browsers and devices as you like, as long as they're linked to any e-mail address you use with any given Internet service, and have been previously authorized by you. BrowserID is just a proof of concept; the functionality outlined by the proposal would be integrated into Firefox and other browsers, so the application is the one handling the e-mail addresses, not an external web service.  As for being identified by a username, one way or another you're also identified by an e-mail address (i.e., when you activate your account), and usernames are probably not going away, since they're a convenient way of differentiating users of the same service.

Quote
In addition to the privacy concerns I've raised, I'm also in agreement with Lashiec's point about the security risk of having one's email account as the sole point of failure.

I pondered over this for a while, and I realized the same problem exists with the current identification system, as darkskiez points at lloyd.io. Of course, the attacker would have to find out which Internet services you use in order to take over your identity, but he would at least take hold of your account in the most popular ones. That's why it's important to have other measures of protection in place, like double factor identification systems and various e-mail accounts with strong passwords to recover any stolen one.

Another potential security problem is the apparent lack of a way to deauthorize a browser or device, which means if someone steals your laptop or phone, you're in deep trouble. Again, that's something that could be alleviated by the use of a secondary identification method.

In any case, this would be an alternative identification method, there's no reason why sites can't keep the good ol' username + password system. And it's a better privacy proposition than Facebook Connect, that's for sure.
« Last Edit: July 15, 2011, 07:35:38 PM by Lashiec » Logged
cyberdiva
Supporting Member
**
Posts: 908


« Reply #5 on: July 15, 2011, 10:02:11 PM »

Quote
As I understand, you can use as many browsers and devices as you like, as long as they're linked to any e-mail address you use with any given Internet service, and have been previously authorized by you. BrowserID is just a proof of concept; the functionality outlined by the proposal would be integrated into Firefox and other browsers, so the application is the one handling the e-mail addresses, not an external web service.

Well, what happens if I'm at a friend's house and want to use her computer, or I'm at an Internet cafe?  And what happens when I move from, say, Firefox 5 to Firefox 6?  Will I have to re-establish all the browsers each time there's a new version in the same way that I've had to upgrade many of my extensions?

There's simply nothing about BrowserID that appeals to me, and a lot that does not. 
Logged
Lashiec
Member
**
Posts: 2,374


« Reply #6 on: July 16, 2011, 06:21:46 AM »

Quote
Well, what happens if I'm at a friend's house and want to use her computer, or I'm at an Internet cafe?

Yep, that's another problem without a clear solution. I guess you could grant a temporary authorization to your friend's browser, but it's a bit cumbersome anyway.

Quote
And what happens when I move from, say, Firefox 5 to Firefox 6?  Will I have to re-establish all the browsers each time there's a new version in the same way that I've had to upgrade many of my extensions? 

Nothing. The same way Firefox preserves your history, bookmarks or saved passwords, it will also preserve the file that deems the browser as authorized. On a clean installation, you can move that file to the new profile.
Logged
wraith808
Supporting Member
**
Posts: 6,446



"In my dreams, I always do it right."

« Reply #7 on: July 16, 2011, 07:12:14 AM »

What is the advantage of BrowserID over OpenID?
Logged

Ath
Supporting Member
**
Posts: 2,241



« Reply #8 on: July 16, 2011, 07:13:54 AM »

What is this better than, say, a hotmail account, or OpenID? And adding an extra annoyance of having to verify the current browser as being allowed to access the service credentials.

Sounds like a solution looking for a problem ohmy
Logged

Lashiec
Member
**
Posts: 2,374


« Reply #9 on: July 16, 2011, 07:41:15 AM »

Quote
What is the advantage of BrowserID over OpenID?

OpenID has been criticized in the past for its failure in solving certain security as well as privacy problems. For example, your OpenID provider tracks your activity every time you use its identity to log in to any site. Supposedly, BrowserID solves this, but this is a new standard that has not been subjected to a thorough analysis, so the advantages may be a moot point.
Logged
cyberdiva
Supporting Member
**
Posts: 908


« Reply #10 on: July 16, 2011, 09:10:33 AM »

Quote
The same way Firefox preserves your history, bookmarks or saved passwords, it will also preserve the file that deems the browser as authorized. On a clean installation, you can move that file to the new profile.

I don't store bookmarks or passwords on any browser, so I'm less familiar with how well Firefox manages this.  (I have a password manager and a bookmark manager that work with all my computers.) Be that as it may, since I currently use several computers and several browsers on each computer, having to make and keep each one validated for BrowserID sounds like more trouble than it's worth.  At least for me. 
Logged
Lashiec
Member
**
Posts: 2,374


« Reply #11 on: July 16, 2011, 09:44:02 AM »

In addition to that, I expect Firefox Sync will back up the file to the cloud, so it will be synchronized across all your computers. And whenever other browsers adopt the system, their sync systems will do the same.
Logged
worstje
Honorary Member
**
Posts: 555



The Gent with the White Hat

« Reply #12 on: July 16, 2011, 09:57:21 AM »

Anything that makes it too easy to store and use my passwords with some service, I do not use. I use Keepass v2 right now and it works just great. Sure, it is a huge bother to stick the thing into my PC, and to type my master key... but it feels way more secure.

I have (some) control over my USB stick being stolen. I have the same control over where I plug it in, and what PCs I trust not to have keyloggers or other malware installed. However, I do not have control over the Cloud and their leaks and the big targets they make for 'hackers'. I feel similarly over biometric security: fingerpad scanners are technically very unsound, and matches are easy to create (for anyone with a bit of determination) so they can get access to whatever they want.

So yeah, I'm not trusting something as fickle as a browser that needs upgrading every week to protect my data. They are more interested in version numbers than a stable product, which speaks volumes by my book. smiley
Logged
mahesh2k
Supporting Member
**
Posts: 1,408



« Reply #13 on: July 16, 2011, 11:48:12 AM »

Flaw: Even if we use 'Do not Track' feature then using BrowserID will make geo-targeting/cookie behavior for ad networks simple. They don't even need IP of the computer because it is like SSN no matter where person moves he/she is identifiable for the advertising+browsing behavior based on browserID.  thumb down I don't know if browserID expects personal information name/age/gender in their profiles or account but if they do then chances are there that the flaw which I mentioned is going to pop up in future.
Logged
justice
Supporting Member
**
Posts: 1,889



Solve issues simply.

« Reply #14 on: July 17, 2011, 06:26:12 AM »

Quote
Flaw: Even if we use 'Do not Track' feature then using BrowserID will make geo-targeting/cookie behavior for ad networks simple. They don't even need IP of the computer because it is like SSN no matter where person moves he/she is identifiable for the advertising+browsing behavior based on browserID.  thumb down I don't know if browserID expects personal information name/age/gender in their profiles or account but if they do then chances are there that the flaw which I mentioned is going to pop up in future.

Not any simpler than the alternative where you sign in to the service after setting do not track.

Quote
BrowserID protects the privacy of your Web activity
With BrowserID, by design, your identity providers are not involved in the login transaction. This means they need not be aware of your entire Web activity, a significant privacy advantage. With OpenID, your identity provider is, unfortunately, a necessary participant in the login flow.
« Last Edit: July 17, 2011, 06:49:28 AM by justice » Logged

justice
Supporting Member
**
Posts: 1,889



Solve issues simply.

« Reply #15 on: July 17, 2011, 06:47:22 AM »

There's real confusion about BrowserID. The website popup is a stopgap. Browser vendors and email providers will implement a key exchange system so that sites can ask the email provider if the person using the browser is a certain identity. With browser and email provider support, all you need to do once it is set up is click the sign in button and cryptographically things get checked and you get logged in. This will be a password replacement that is more secure than the current systems, easier to use than openid, and not any more privacy threatening than any login system. At the moment the BrowserID popup is a stopgap.

If you want to read common misconceptions check this thread:
http://news.ycombinator.com/item?id=2764824

How browserid differs from openid:
http://identity.mozilla.c...serid-differs-from-openid

How browserid works from a technical perspective:
http://lloyd.io/how-browserid-works
Logged
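
The flow described in the post above (the e-mail provider certifies a browser key, and the site checks the login cryptographically without the provider taking part), sketched as an added example that is not part of the thread or Mozilla's code. It is a simplified model, not the real wire format: Ed25519 keys, plain JSON payloads, and all names and domains (`mail.example`, `shop.example`, `verifyLogin`, ...) are assumptions made for illustration.

```javascript
// Simplified model of a BrowserID login. NOT the real wire format or library:
// assumes Ed25519 keys, plain JSON payloads and constructed names/domains.
const crypto = require('node:crypto');

const fail = (reason) => ({ ok: false, reason });
const sign = (obj, privateKey) => {
  const payload = Buffer.from(JSON.stringify(obj));
  return { payload: payload.toString('base64'),
           sig: crypto.sign(null, payload, privateKey).toString('base64') };
};
// Returns the parsed payload only if the signature verifies, else null.
const open = (signed, publicKey) => {
  const payload = Buffer.from(signed.payload, 'base64');
  const sig = Buffer.from(signed.sig, 'base64');
  return crypto.verify(null, payload, publicKey, sig) ? JSON.parse(payload.toString()) : null;
};

// 1. E-mail provider certifies "this browser key speaks for this address".
function issueCertificate(idp, email, browserPublicKey, now, ttlSec) {
  const key = browserPublicKey.export({ type: 'spki', format: 'pem' });
  return sign({ iss: idp.domain, email, key, exp: now + ttlSec }, idp.keys.privateKey);
}

// 2. Browser signs a short-lived assertion bound to one site (the audience).
function makeAssertion(browserKeys, cert, audience, now) {
  return { cert, assertion: sign({ aud: audience, exp: now + 120 }, browserKeys.privateKey) };
}

// 3. Site verifies locally; the provider is never contacted for this login.
//    idpKeys: Map of domain -> public key the site already holds (assumption).
function verifyLogin(bundle, myOrigin, idpKeys, now) {
  try {
    const iss = JSON.parse(Buffer.from(bundle.cert.payload, 'base64').toString()).iss;
    const idpKey = idpKeys.get(iss);
    if (!idpKey) return fail('unknown issuer');
    const cert = open(bundle.cert, idpKey);
    if (!cert) return fail('bad certificate signature');
    if (String(cert.email).split('@').pop() !== cert.iss) return fail('issuer not authoritative');
    if (cert.exp <= now) return fail('certificate expired');
    const assertion = open(bundle.assertion, crypto.createPublicKey(cert.key));
    if (!assertion) return fail('bad assertion signature');
    if (assertion.aud !== myOrigin) return fail('wrong audience');
    if (assertion.exp <= now) return fail('assertion expired');
    return { ok: true, email: cert.email };
  } catch { return fail('malformed input'); }
}

function demo() {
  const now = 1400000000; // constructed clock, in seconds
  const idp = { domain: 'mail.example', keys: crypto.generateKeyPairSync('ed25519') };
  const browser = crypto.generateKeyPairSync('ed25519');
  const other = crypto.generateKeyPairSync('ed25519'); // key the provider never certified
  const idpKeys = new Map([[idp.domain, idp.keys.publicKey]]);
  const site = 'https://shop.example';
  const cert = issueCertificate(idp, 'alice@mail.example', browser.publicKey, now, 3600);
  const bundle = makeAssertion(browser, cert, site, now);
  return {
    good: verifyLogin(bundle, site, idpKeys, now + 10),
    otherSite: verifyLogin(bundle, 'https://forum.example', idpKeys, now + 10),
    expired: verifyLogin(bundle, site, idpKeys, now + 7200),
    uncertifiedKey: verifyLogin(makeAssertion(other, cert, site, now), site, idpKeys, now + 10),
  };
}
console.log(demo());
```

The site needs only the provider's public key to run these checks, which is why the provider does not see each login; the audience and expiry checks are what keep an assertion from being accepted by another site or after its lifetime.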

wraith808
Supporting Member
**
Posts: 6,446



"In my dreams, I always do it right."

« Reply #16 on: July 17, 2011, 01:33:14 PM »

Quote
What is the advantage of BrowserID over OpenID?

OpenID has been criticized in the past for its failure in solving certain security as well as privacy problems. For example, your OpenID provider tracks your activity every time you use its identity to log in to any site. Supposedly, BrowserID solves this, but this is a new standard that has not been subjected to a thorough analysis, so the advantages may be a moot point.

If you're concerned about that, you can easily set yourself up to be your own provider.

And reading the differences between the two, I actually don't like any of their talking points.  I don't *want* my information, even my e-mail, associated with my login.  I want the login dialog to come from my domain, rather than some other location I don't control.  And as my own provider, I don't have to worry about the tracking part.
« Last Edit: July 17, 2011, 01:36:54 PM by wraith808 » Logged

Deozaan
Charter Member
***
Posts: 6,439



« Reply #17 on: January 03, 2014, 07:10:14 PM »

NECRO THREAD REVIVAL!

Well, it's been a couple of years since BrowserID was first introduced. But I stumbled across this thread again today while looking for information about OpenID and looked into BrowserID. Apparently it's now called Persona.

More technical details about it can be found here: https://developer.mozilla.org/en-US/Persona

Any new opinions on the matter since this was originally discussed 2.5 years ago?
Logged

TaoPhoenix
Supporting Member
**
Posts: 3,601



0 - 60 ... then back to 0 again!

« Reply #18 on: January 03, 2014, 08:14:29 PM »


Quote
Well, it's been a couple of years since BrowserID was first introduced. But I stumbled across this thread again today while looking for information about OpenID and looked into BrowserID. Apparently it's now called Persona.

More technical details about it can be found here: https://developer.mozilla.org/en-US/Persona

Any new opinions on the matter since this was originally discussed 2.5 years ago?

Well, for me at least some FF add-ons cause interference. (I don't know which ones; I blanket turned them all off and got it to work.)

Meanwhile, it doesn't seem to be supported anywhere, so it's like a "toy" that I can't even try out.

But overall trying to tie all authentication into the browser feels just a little fishy somehow.

I also don't know what it means that some sites are using the email address AS the ID!

Logged
Deozaan
Charter Member
***
Posts: 6,439



« Reply #19 on: January 07, 2014, 12:02:58 AM »

I tried it out and found that you can link multiple email addresses to the same Persona. And then you can login to sites using any one of those addresses you want. So you still don't necessarily have to give out your primary address to login. I think I'd like it a lot more if it was more widely used. But like you said, it's used virtually nowhere, so it's kind of worthless. )c:
Logged

J-Mac
Supporting Member
**
Posts: 2,869


« Reply #20 on: January 07, 2014, 01:03:32 AM »

And to be honest, OpenID isn't much better currently with regard to the number of sites using it, unfortunately. I like OpenID but I don’t get many chances to use it.

Jim
Logged

"I am getting so tired of slitting the throats of people who say that I am a violent psychopath."
wraith808
Supporting Member
**
Posts: 6,446



"In my dreams, I always do it right."

« Reply #21 on: January 07, 2014, 08:19:47 AM »

Quote
And to be honest, OpenID isn't much better currently with regard to the number of sites using it, unfortunately. I like OpenID but I don’t get many chances to use it.

Jim

Bare openid seems to be going away.  I've had to change mine on every site that I formerly used it on.  Finally gave up and started using Google as my provider. *sigh*
Logged

40hz
Supporting Member
**
Posts: 10,770



« Reply #22 on: January 07, 2014, 09:18:09 AM »

To make something like this work and be accepted, you either need a great deal of financial or moral clout behind you. Mozilla has neither.

And, as was noted, the way it works can be considered a stopgap at best.

Can the next contestant please step up?  Grin
Logged

Don't you see? It's turtles all the way down!
superboyac
Charter Member
***
Posts: 5,716


Is your software in my list?

« Reply #23 on: January 07, 2014, 09:23:25 AM »

Wouldn't web id's and stuff eventually evolve like mailing addresses did?  I don't know the history, but I imagine when mailing addresses first were formalized, a similar thing occurred with privacy and such, no?
Logged

Tuxman
Supporting Member
**
Posts: 1,485


OMG not him again!

« Reply #24 on: January 07, 2014, 10:16:21 AM »

Quote
I like OpenID but I don’t get many chances to use it.

Large tech sites mostly allow a sign-in by OpenID, some board systems added that... well.
Logged

I bet when Cheetahs race and one of them cheats, the other one goes "Man, you're such a Cheetah!" and they laugh & eat a zebra or whatever.
- @VeryGrumpyCat
DonationCoder.com Forum | Powered by SMF