Mozilla BrowserID: Decentralized, Federated Login 179
An anonymous reader writes "Mozilla Labs has just launched the prototype of its BrowserID project and the accompanying Verified Email Protocol standard. Basically, BrowserID is a browser-based federated login provider like Facebook Connect, but without the privacy leaks. Fundamentally, BrowserID is public key encryption. You register an email address with your browser, which is then confirmed with a standard 'click here to confirm' email. A public/private key pair is then generated; your browser keeps the private key, and your email provider keeps the public key. Now, when you visit Facebook (or any site that supports BrowserID), your browser gives Facebook your email address and an identity token signed with your private key. Facebook queries your email provider for your public key, decrypts your identity token, and logs you in — voila, secure, private, browser-based logins. Oh, and the prototype is written in HTML and JavaScript — so it works across every modern browser, too."
Browser keeps the private key? (Score:2, Insightful)
Ah, so when i have to reinstall my OS due to HDD death or OS death and for whatever reason, can't save my profile app data files (depending on where it stores the key)... then what?
Will i just be able to do a "Forgot my password" type action to regenerate a private key?
Re:Bad idea idiots (Score:4, Insightful)
Not sure if you're trolling or not (you probably are), but in 2nd and 3rd world countries Internet Cafes and cellphones are the primary means of Internet access...
i'm no security expert (Score:5, Insightful)
isn't the browser basically the most targeted piece of software on a computer? if the private key is stored in the browser, doesn't that mean that potentially one successful exploit in the browser would let a hacker log into any website as you?
Let me get this straight (Score:5, Insightful)
My browser will automatically provide my e-mail address? The very thing I do NOT want to provide when signing in with the majority of sites?
Also, as a web developer, I think it is a real bad design error to use an e-mail address as a login. What happens if you change your provider? Do you log in with your new (thus unknown) e-mail address? Or do you want to send the lost password to the no longer existing one?
Re:Bad idea idiots (Score:3, Insightful)
Re:i'm no security expert (Score:4, Insightful)
Re:Yeah but... (Score:4, Insightful)
But it doesn't.
It is just a way to verify the the email-address you already own, but without waiting for the email to arrive (or having it getting stuck in spamfilters) and clicking a link.
Now you click a link only ones to connect your browser to your email address (and obviously you only share the email-address information to site the sites you want).
This allows for a lot more interresting UI changes to make it easier for users to do so:
https://wiki.mozilla.org/images/4/4c/IdentityInTheBrowser.png [mozilla.org]
Also it prevents Facebook from tracking you all over the web, like they currently do with the Facebook Connect-button (!)
Re:Let me get this straight (Score:2, Insightful)
The first issue is fixed simply by the browser asking your permission before it sends your data. The UI can be made in a way that is harder to give permission (at the first login) than just clicking 'Yes'.
The second issue is real, but is also moot. Everybody uses email for authentication. A few people that can think offer the option of changing your email, others don't. Those same groups would do correclty/incorrectly any authentication method you can think of.