
Mozilla BrowserID: Decentralized, Federated Login

An anonymous reader writes "Mozilla Labs has just launched the prototype of its BrowserID project and the accompanying Verified Email Protocol standard. Basically, BrowserID is a browser-based federated login provider like Facebook Connect, but without the privacy leaks. Fundamentally, BrowserID is public key encryption. You register an email address with your browser, which is then confirmed with a standard 'click here to confirm' email. A public/private key pair is then generated; your browser keeps the private key, and your email provider keeps the public key. Now, when you visit Facebook (or any site that supports BrowserID), your browser gives Facebook your email address and an identity token signed with your private key. Facebook queries your email provider for your public key, decrypts your identity token, and logs you in — voila, secure, private, browser-based logins. Oh, and the prototype is written in HTML and JavaScript — so it works across every modern browser, too."
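
The flow the summary describes, sketched as an added Node.js example; it is not Mozilla's BrowserID code and does not follow the Verified Email Protocol's wire format. The in-memory `providerKeys` map standing in for the email provider, the function names, the Ed25519 key type, and the `audience` and `exp` fields are assumptions made for illustration.

```javascript
const crypto = require('crypto');

// Hypothetical stand-in for the email provider's public-key lookup.
const providerKeys = new Map();

// Browser side: generate a key pair, publish the public key, keep the private key.
function registerEmail(email) {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('ed25519');
  providerKeys.set(email, publicKey);
  return privateKey;
}

// Browser side: sign an identity token for one site.
// `audience` and `exp` are assumptions added here so a token cannot be reused
// at another site or after it has expired.
function makeToken(email, audience, privateKey, now = Date.now()) {
  const payload = JSON.stringify({ email, audience, exp: now + 120000 });
  const sig = crypto.sign(null, Buffer.from(payload), privateKey).toString('base64');
  return { payload, sig };
}

// Site side: look up the public key for the claimed address and verify the
// signature. Returns the verified email, or null on any failure.
function verifyToken(token, expectedAudience, now = Date.now()) {
  let claims;
  try { claims = JSON.parse(token.payload); } catch { return null; }
  if (claims === null || typeof claims !== 'object') return null;
  const publicKey = providerKeys.get(claims.email);
  if (!publicKey) return null;
  const ok = crypto.verify(null, Buffer.from(token.payload), publicKey,
                           Buffer.from(String(token.sig), 'base64'));
  if (!ok) return null;
  if (claims.audience !== expectedAudience) return null;
  if (typeof claims.exp !== 'number' || now > claims.exp) return null;
  return claims.email;
}

// Constructed sample data: one valid login and three that must be rejected.
function demo() {
  const alice = registerEmail('alice@example.org');
  const mallory = registerEmail('mallory@example.org');
  const good = makeToken('alice@example.org', 'https://site.example', alice);
  const forged = makeToken('alice@example.org', 'https://site.example', mallory);
  return {
    accepted: verifyToken(good, 'https://site.example'),
    forged: verifyToken(forged, 'https://site.example'),
    otherSite: verifyToken(good, 'https://other.example'),
    expired: verifyToken(good, 'https://site.example', Date.now() + 600000),
  };
}
```

The site accepts the token only when the signature matches the key published for the claimed address, which is why a token signed with a different user's key is rejected.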

  • by Anonymous Coward on Friday July 15, 2011 @08:57AM (#36773926)

    Ah, so when I have to reinstall my OS due to HDD death or OS death and for whatever reason, can't save my profile app data files (depending on where it stores the key)... then what?

    Will I just be able to do a "Forgot my password" type action to regenerate a private key?

  • Re:Bad idea idiots (Score:4, Insightful)

    by BHearsum ( 325814 ) on Friday July 15, 2011 @09:05AM (#36773996) Homepage

    Not sure if you're trolling or not (you probably are), but in 2nd and 3rd world countries Internet Cafes and cellphones are the primary means of Internet access...

  • by Anonymous Coward on Friday July 15, 2011 @09:06AM (#36774006)

    Isn't the browser basically the most targeted piece of software on a computer? If the private key is stored in the browser, doesn't that mean that potentially one successful exploit in the browser would let a hacker log into any website as you?

  • by Errol backfiring ( 1280012 ) on Friday July 15, 2011 @09:11AM (#36774064) Journal

    My browser will automatically provide my e-mail address? The very thing I do NOT want to provide when signing in with the majority of sites?

    Also, as a web developer, I think it is a real bad design error to use an e-mail address as a login. What happens if you change your provider? Do you log in with your new (thus unknown) e-mail address? Or do you want to send the lost password to the no longer existing one?

  • Re:Bad idea idiots (Score:3, Insightful)

    by thaylin ( 555395 ) on Friday July 15, 2011 @09:21AM (#36774164)
    Don't know, if you want to use your cell phone you may be able to sync your keys to that browser, however if you are really going to an internet cafe, maybe you should remember your password.... So you hate this extra security, because your choice in browsing is innately insecure... No one's problem but your own.
  • by ArsenneLupin ( 766289 ) on Friday July 15, 2011 @09:32AM (#36774300)
    How is that different from now, where you can have the browser autocomplete the password for most login forms anyways? If the browser is hacked, the autologin password db is exposed too.
  • Re:Yeah but... (Score:4, Insightful)

    by Lennie ( 16154 ) on Friday July 15, 2011 @09:36AM (#36774362)

    But it doesn't.

    It is just a way to verify the email-address you already own, but without waiting for the email to arrive (or having it get stuck in spamfilters) and clicking a link.

    Now you click a link only once to connect your browser to your email address (and obviously you only share the email-address information to the sites you want).

    This allows for a lot more interesting UI changes to make it easier for users to do so:
    https://wiki.mozilla.org/images/4/4c/IdentityInTheBrowser.png [mozilla.org]

    Also it prevents Facebook from tracking you all over the web, like they currently do with the Facebook Connect-button (!)

  • The first issue is fixed simply by the browser asking your permission before it sends your data. The UI can be made in a way that is harder to give permission (at the first login) than just clicking 'Yes'.

    The second issue is real, but is also moot. Everybody uses email for authentication. A few people that can think offer the option of changing your email, others don't. Those same groups would do correctly/incorrectly any authentication method you can think of.
