Forgot your password?
typodupeerror
This discussion has been archived. No new comments can be posted.

Mozilla Launches Persona Identity Bridge For Gmail

Comments Filter:
  • I'm supposed to find it impressive that a website can take my username and password, and present it to another website and confirm its validity?

    So I don't tell Google what I'm logging in to, but I instead give you my authentication information for Google?

    I don't think so Tim.

    Color me unimpressed with Mozilla rehashing something from 40 years ago ... and doing it wrong in the process.

    • Re: (Score:2, Interesting)

      by Anonymous Coward

      This is news because the browser becomes increasingly biased. First Facebook integration, now a Google identity bridge (or whatever it is called). Firefox increasingly gravitates towards the money and away from the neutral zone. It's about time to switch to Seamonkey or Chromium.

      • by hairyfeet (841228)

        Uhhhh...you just NOW figured this out? Them being more and more tied in has been SOP at Moz for awhile, its pretty dang obvious that like Canonical they are in the "show me the money!" phase instead of listening to users.

        BTW for those that want a different browser, mind a suggestion? Try Comodo Dragon [comodo.com] for those that like the Chromium based and Comodo Ice Dragon [comodo.com] for those that prefer the Gecko way of doing things as not only does it have none of the phone home stuff (any and all extra features are opt in an

        • Re: (Score:1, Insightful)

          by Anonymous Coward
          Are you still hawking that Comodo shit? How much kickback do they pay you for each endorsement?
        • Re: (Score:3, Interesting)

          by Anonymous Coward

          Uhhhh...you just NOW figured this out?

          Sigh, more anti-FOSS fud from somebody who should know better. Plenty of people have explained this to you in past conversations.

          In fact, Google is not the default search engine in all the localized versions of Firefox. There's long been a Yandex version of Firefox and Yandex is the default in Russia and Russian speaking countries.

          More recently, Mozilla partnered with Microsoft, once its arch nemesis, to offer a Bing-themed version of Firefox. Bing, of course, is a default search option in Firefox.

          Now, Microsoft and Mozilla are partnering once again with a MSN-themed version of the browser, for the people that still use MSN for some reason. Probably the same reason why people still use Yahoo Mail.

          This version of the browser comes with the standard modifications, Bing as the default search engine, both in the search box and the AwesomeBar, a link to msnNOW in the toolbar and MSN as the homepage.

          http://news.softpedia.com/news/MSN-ified-Version-of-Firefox-Dilutes-Mozilla-s-Dependence-on-Google-310533.shtml [softpedia.com]

          • Hey don't diss Yahoo! mail. That's what I use to signup to various websites so my regular email is not spammed by websites that I used only once in my life.

          • by hairyfeet (841228)
            LOL look at the FOSSIe! I suggested over a dozen alternatives, ALL OF THEM FOSS except for Opera but because he is a foaming at the mouth religious lunatic he isn't goes "ZOMG u don't like teh Moz, u must be the debil!". Try reading dumbass, the source for every one of the alternatives is on their website, moron. BTW please keep it up, you make all FOSS users look completely batshit, I'm sure Apple and MSFT love you.
        • Re: (Score:2, Insightful)

          by TheRaven64 (641858)
          An Internet Security suite from a company that no longer has its root certificate in my trusted list because of their inability to secure their own systems? Why on earth would I want something like that?
        • by Clsid (564627)

          Lol, comodo what? Go back to the hole you came from troll. Today if you are not using Chrome, Firefox or Safari, I hope you can at least say it is because you are using Icecat.

          All of those alternate browser fail because of the add-ons. That's the main thing today with browsers since anybody can build a proper browser using Gecko, Webkit or even Trident.

          • by hairyfeet (841228)
            So you suggest 2 browsers that send everything back to corporate, one of which frankly doesn't even run worth a shit on Windows, or a browser where their own devs have said on their website repeatedly their current focus is on MOBILE and NOT the desktop? Yeah, keep slurping that koolaid pal, BTW there AREN'T any addons on ANY of the alternatives I named, there is a button that lets you use Secure DNS, just as there is a button to tie Chrome to your Gmail, but if you actually tried them instead of mouthing o
        • BTW for those that want a different browser, mind a suggestion? Try Comodo Dragon [comodo.com] for those that like the Chromium based and Comodo Ice Dragon [comodo.com] for those that prefer the Gecko way of doing things as not only does it have none of the phone home stuff (any and all extra features are opt in and both ask during install and can be turned on and off in settings if you change your mind) but the extra features are all based around increasing security,

          I use Comodo firewall It's been rated the best and it's worked very well for me.

          At some point Comodo started pushing this GeekBuddy bullcrap even if you select not to install it, it would install a mini version,
          then pop up reminders of it. When Comodo went with a different GUI that was so confusing (more so than normal)
          I couldn't trust running it as I wasn't sure of it's configuration -almost like I should start paying for help.

          Comodo is now at Version 6.0.260739.2674 I still run 5.3.176757.1236 as it's muc

      • by icebraining (1313345) on Friday August 09, 2013 @05:00AM (#44518249) Homepage

        1) This is not part of Firefox

        2) The first bridge was for Yahoo, not Google, and it's part of an authentication system (Persona) that is actually completely unbiased towards any provider.

      • by X0563511 (793323)

        If it was part of Firefox (it isn't) switching to Seamonkey wouldn't get you anything different...

    • by Noughmad (1044096) <miha.cancula@gmail.com> on Thursday August 08, 2013 @07:26PM (#44515625) Homepage

      This is impressive. It's basically separation of powers. Google has your account, but doesn't know what sites you visit. Mozilla doesn't have your account, but knows what websites you visit*. The websites themselves have nothing, except a confirmation that the e-mail address is really yours.

      I, for one, trust Mozilla more than Google, and both much more than the average website.

      *: I think I read some time ago in the documentation that Mozilla can't see what websites are requesting the auth. I'm not sure I remember it right, and I never checked the claim, and it might have changed since that time. For now, I assume the information is visible.

      • by icebike (68054) on Thursday August 08, 2013 @08:03PM (#44515915)

        I believe mozilla can see what websites you are requesting, but they claim they do not retain this [thenextweb.com] because they are not required to do so.
        That could change I suppose. Clearly they have to have a list of emails that they can process, but not necessarily what sites you can use them for because they can just try to log in, and let it fail. Then go thru the authorization process [mozilla.com].

        I like the idea of spreading the knowledge around so that no one source knows everything. This essentially puts a middle-man in the Auth process, but that man knows very little.

        But I don't think this will work in the long run because someone will break SSL or demand the keys and the whole thing comes down.

        Mozilla is just as much subject to NSA letters as anyone else. And since almost 100% of their funding comes from Google anyway, I can't help but thinking this is a joint project, or at least carried out with Google's full approval. But still it makes it necessary for the NSA to look a lot more places when building a list and checking it twice.

        • by ozmanjusri (601766) <aussie_bob@nOsPAm.hotmail.com> on Thursday August 08, 2013 @10:10PM (#44516823) Journal

          And since almost 100% of their funding comes from Google anyway, I can't help but thinking this is a joint project, or at least carried out with Google's full approval.

          About 85%, and that's from a standard commercial arrangement - eg a fee for a service. It bought Google the default search engine spot, but nothing else.

          Microsoft had the opportunity to buy the spot for Bing, but chose not to.

          http://www.businessinsider.com/why-did-microsoft-let-google-win-the-firefox-deal-2011-12 [businessinsider.com]

          • by Clsid (564627)

            I hate to break it to you but Firefox has a lot of Google integration without you noticing. Take a system like Safebrowsing for instance, Microsoft developed their own thing and so did a lot of antivirus companies. Firefox's solution? Instead of trying to use something like WOT or even some local replicated list a la DNS, they just send your queries to Google in hash form. Ask yourself if Google is so benevolent why don't they allow a service where those queries are done locally?

            Also if you do not install s

        • by Anonymous Coward on Thursday August 08, 2013 @10:31PM (#44516957)

          Persona is a reference implementation of the BrowserID protocol, which is fully decentralized.

          If your browser and email provider (or your own domain!) support BrowserID / Persona, then Mozilla is completely removed from the login transaction. We don't want to be able to track you, and we've designed a system that automatically removes us from the picture as it gains traction.

        • I like the idea of spreading the knowledge around so that no one source knows everything. This essentially puts a middle-man in the Auth process, but that man knows very little.

          Why spread that knowledge? OpenID doesn't require you to make any information available to any third party - unless you pick a third party provider, but still, you've a large amount of options from where to pick.

      • Re: (Score:3, Informative)

        by Desler (1608317)

        It's meaningless when most sites use Google Analytics and you'll be tracked by Google anyway.

        • by godel_56 (1287256) on Thursday August 08, 2013 @08:45PM (#44516263)

          It's meaningless when most sites use Google Analytics and you'll be tracked by Google anyway.

          What, you don't use NoScript?

          That reminds me, I should send that guy another donation

          • by Desler (1608317)

            Sure, but the vast majority of web users don't.

          • by Anonymous Coward

            What, you don't use NoScript?

            NoScript isn't enough, unless you never enable JS for any sites. In which case - why use NoScript when you could just turn off JS?
            Any sites you enable JS for will load Google's JS, even if NoScript prevents them from executing - and that's enough for Google to track you.

            To really stop it, you need a proxy like Privoxy or Squid.
            Even with that, I'm having a hard time keeping up with all the new ways Google tries to track.

            • Re: (Score:3, Insightful)

              by syockit (1480393)
              I don't remember how it was in NoScript, but in ScriptSafe (for Chrome), even in whitelist mode, a preset of known URLs are blocked before requests could be sent.
              • by Clsid (564627)

                I think Ghostery does a better job and it is a bit user to use.

                • by kermidge (2221646)

                  Amen to that. Since using ghostery have less clutter on pages and they load faster as well. Only difficulty is when something on a page isn't working and I don't readily know how to find out what's blocking it - that can get tedious and much of the time I give up.

            • Uh, you haven't actually used it, have you? You can enable scripts for the main domain, while keeping Google services blocked.

            • by Raenex (947668)

              To really stop it, you need a proxy like Privoxy or Squid.

              Try the RequestPolicy plugin. It blocks all 3rd-party requests by default, and you can selectively enable stuff while browsing like you do in NoScript.

        • A combination of Ghostery and NoScript fixes that.
      • by Anonymous Coward on Thursday August 08, 2013 @09:39PM (#44516645)

        *: I think I read some time ago in the documentation that Mozilla can't see what websites are requesting the auth. I'm not sure I remember it right, and I never checked the claim, and it might have changed since that time. For now, I assume the information is visible.

        This is correct.

        The way Persona works:
        * browser generates public-private key pair with the e-mail address as an attribute
        * you send the public part to Mozilla (or whichever ID provider (IdP) you want) to sign
        * the IdP confirms that you have access to said e-mail address, and if so, gives you back the signed data (like a CA) by using the IdP's private key
        * you send the signed data to the website
        * the website grabs the IdP's public key and verifies the signature

        Basically think of it as a decentralized PKI and/or a variant of PGP's web of trust: public-private keys with distributed signing to confirm that you have access to a particular e-mail address account.

        All Mozilla (or any IdP) knows is that a web site grabbed it's public key (which can be cached, so traffic analysis isn't useful either). The IdP doesn't know which person's signed data is being checked. Whenever you want to sign in, the website sends your browser a timestamped nonce. The website has your verified public key on file and so can verify the signature of your browser's response.

        Each device you have (or web browser you use) has its own private key/s, and so if you lose a smartphone you can revoke the keys on it. You should have a "master password" for your web browser with an auto-logout.

        This is similar to a password manager, but you don't have to type anything in, and if a website's database is compromised then the attackers don't actually have anything useful.

        You can also use multiple e-mail address, even for the same website.

      • I trust mozilla, but why should I have them in the middle of my authentications? Why would I allow them to know where I'm logging in? Why should anyone else trust them?

        I'd much rather use something like OpenID. I don't have to use any intermediate I don't want to. I trust mozilla (today), but I still think it's wrong to have them in the middle when there's no strict need. I also respect that other may wish not to trust mozilla with the mentioned data.

        • Persona only needs a "middle man" if the domain you use doesn't support it natively. It's a fallback, not a requirement.

          If you used a provider that supported Persona natively, not only you wouldn't need Mozilla as the middle man, as (unlike with OpenID), that same provider wouldn't know where you were logging in to.

          • So, how is this an improvement over OpenID?

            • Well, as I said, with OpenID the providers knows exactly what sites you logged in to, while with Persona they just sign a certificate your browser gives them, vouching for your identity, without getting the site.

              In terms of UI, Persona uses email addresses instead of URLs, which are easier for non-techies to grasp as an authentication identifier.

              • Well, as I said, with OpenID the providers knows exactly what sites you logged in to, while with Persona they just sign a certificate your browser gives them, vouching for your identity, without getting the site.

                If you care about privacy, you can host your own OpenID provider, otherwise, just use one you trust. What's the issue there?

                In terms of UI, Persona uses email addresses instead of URLs, which are easier for non-techies to grasp as an authentication identifier.

                Why are they easier? People type URLs every day, what's so hard about them?

      • by 2fuf (993808)

        > I, for one, trust Mozilla more than Google, and both much more than the average website.

        The point is not whom you trust, the point is that the list of parties having access to the data stored by whom you trust, may change without your/their knowledge and control.

    • by icknay (96963) on Thursday August 08, 2013 @07:50PM (#44515839)
      Are you kidding? Persona solves a whole raft of super common problems
      • -Say for example kittens.com site you post on is hacked. With Persona the bad guys don't get anything. There is no password stored on kittens.com. It's more akin to certs. That alone will eliminate a whole class of internet disasters that we read about every week on slashdot.
      • -I don't want to make up yet another stupid username/password recovery question for every site. Now I can just use one of the Persona identities I already have, and I'm done. I also trust Mozilla or Google a lot more to be on top of security than kittens.com
      • -Unlike, say, facebook connect, this is a federated standard, not dependent on any org. You can run your own identity-provider if you like, not that most people would care to.
      • by icebike (68054)

        Are you kidding? Persona solves a whole raft of super common problems

        • -Say for example kittens.com site you post on is hacked. With Persona the bad guys don't get anything. There is no password stored on kittens.com. It's more akin to certs. That alone will eliminate a whole class of internet disasters that we read about every week on slashdot.
        • -I don't want to make up yet another stupid username/password recovery question for every site. Now I can just use one of the Persona identities I already have, and I'm done. I also trust Mozilla or Google a lot more to be on top of security than kittens.com
        • -Unlike, say, facebook connect, this is a federated standard, not dependent on any org. You can run your own identity-provider if you like, not that most people would care to.

        Well its not totally dissimilar from using your google log in to access any site. That site never knows your google password.
        But they do know your email, at a minimum.

        This is the same thing, except that Persona will serve as the authentication for your email, and they will in-turn ask Google, and then they will tell you exactly what the target site is requesting from Google, and let you approve it.

        But the target site clearly gets your email.

        • No, it's not the same thing, because 1) you don't have to use Google to use Persona, and 2) with Persona, Google doesn't know where you're logging in to.

      • You CAN run your own identity-provider, but good luck using it anywhere. OpenID and OAuth are federated standards too, but most "relying parties" only accept a handful of major providers.

        • Re: (Score:2, Informative)

          by Anonymous Coward

          OAuth requires specific providers to individually be enabled by each consuming website, yes.
          OpenID does not. If a website implements OpenID properly, any OpenID provider can be used, even if the website owner has never heard of it.

    • by TheLink (130905)
      Maybe they're trying get some money from the NSA too ;)
  • What about the NSA? (Score:3, Interesting)

    by runeghost (2509522) on Thursday August 08, 2013 @07:18PM (#44515555)
    Can the government track what sites I sign into with Persona? And if they can't, can they do so once they serve the Mozilla Foundation with a Writ of Assistance ^W^W^W National Security Letter.
    • by icebike (68054) on Thursday August 08, 2013 @07:30PM (#44515649)

      They post exactly what they have on you and how they use the data here. [thenextweb.com]

      Basically it keeps Google from snooping, and allows Mozilla still has some records of the sites you access.
      All information is transferred by SSL but its highly likely that Mozilla has already been forced to quietly turn over its SSL keys
      to the government. (At least Snowden claims this has happened).

      So at best you protect yourself from Google, and make the government look in two databases to see where you log in.

      • by murdocj (543661)

        How does the government "force" Mozilla to turn over SSL keys?

      • by Anonymous Coward

        Basically it keeps Google from snooping, and allows Mozilla still has some records of the sites you access.

        How exactly does Mozilla have records of where you visit? The way Persona works prevents the ID provider (IdP) from gathering this information.

        For every site you create a public-private key pair. You send the public key to your IdP (e.g., Mozilla) for signing with their private key. Once it's signed, you send that signed data to the website you want to log into. They send you a nonce which you sign with your private key.

        To verify, the website grabs the IdP's public key and verifies the signature. The IdP do

        • Re: (Score:2, Informative)

          by Anonymous Coward

          Mozilla can, for now, have records of where you visit because the system is still bootstrapping off their servers. In the common case right now, the site (RP) includes a JavaScript file from Mozilla's servers to do the login; and that uses the Mozilla database for a fallback until your email provider/IdP opts in into supporting Persona. So, right now, Mozilla can see which site you're trying to visit and what your account is because the window you enter your credentials into is all hosted by them. (I hav

    • They already know and record every damned site you go to already, and thus also that Persona goes to, and they could, I supposed, trivially correlate that.

      They could also gin up one of those unconstitutional blanket orders and force Persona to give them all your other info, and password, though that would largely just be correlating what they know about you already.

    • by caspy7 (117545) on Thursday August 08, 2013 @10:31PM (#44516955)

      Persona has been designed to be fully decentralized. Mozilla plans to be removed from the equation. So that should really help to up the anonymizability (suck it spell check!) of the system.

  • by Anonymous Coward

    And no Social Networking button? What wrong with these people!

  • by dnadoc (3013299)
    Google can't track Somehow, I'm suspicious of this claim.
    • by Noughmad (1044096)

      From this identity bridge, Google only gets one authentication request, and it is from Mozilla.

      However, considering their yearly donations to Mozilla, they might have other means of accessing it.

  • by frovingslosh (582462) on Thursday August 08, 2013 @08:56PM (#44516347)

    If I use this then presumably every website that I sign in to would have my real private Gmail address. As it is now, I use a free forwarding service (Spamgourmet) to create a unique address for everyone I sign up with. That way, if and when the spam starts, I can disable just that one address rather than having to go through the tassel of abandoning my prime email address. And I have been spammed at some of those addresses that I created, both by the people that I signed up with and sometimes even by Chinese malware sent to addresses that only one company had and that should have been keeping their data very secure. So, no thank you, I'll go through the extra hassle of keeping separate names and passwords for all of the sites that I want to sign in to, and be a little less concerned that I opened myself to endless spamming and attacks.

    And before anyone questions it, yes, I have had to abandon some email addresses before I started using a forwarding service. In one case that I particularly remember I logged in one day and there was so much duplicate spam in my inbox that it used the mailbox's full quota and was effectively a denial of service attack. The attack lasted longer than the account did.

    • by Agent ME (1411269)

      Just use a different email address at different places then.

  • by Jherek Carnelian (831679) on Thursday August 08, 2013 @09:06PM (#44516417)

    For me, the deal-breaker with Persona is that it is tied to my email address and exposes that unique identifier to every website that does Persona.. The pro-persona types argue that is a benefit, that people are used to using their email address as a relatively constant identifier.

    My argument is that giving the same email address out to every website makes it super-easy for those websites to cross-reference my web usage. Nowadays your email address is the online equivalent of your social-security number for marketers. It is the most useful key in the cyberstalker/marketing databases. All of the cyberstalker companies like BlueKai, Janrain, Scorecard, Doubeclick, etc create phantom profiles of people on the web that just sit dormant until you give one of their partner websites your email address and then they file all that dormant data in with any other data associated with your address.

    Some people say, no problem, just create a different email address for every website you visit. Yeah, right. That's no problem at all. The system isn't designed for that. If there were a way to generate a login credential unique to each website so cross-referencing didn't work and it was easy and automatic, then Persona would be useful. As it is now it is only mis-leading, addressing a privacy problem we had 5 years ago but it does nothing to protect us against the current state of the art in privacy invasion.

    • by tlhIngan (30335)

      All of the cyberstalker companies like BlueKai, Janrain, Scorecard, Doubeclick, etc create phantom profiles of people on the web that just sit dormant until you give one of their partner websites your email address and then they file all that dormant data in with any other data associated with your address.

      DoubleClick doesn't do that. It's DoubleClick, A Google(tm) Company, so you can expect that to already happen. Probably just visit a Google site while logged in and one using DoubleClick ads and boom. An

  • by assemblerex (1275164) on Thursday August 08, 2013 @09:47PM (#44516675)
    With the assault on privacy and human rights, why would I ever want to have my credentials
    across a multitude of sites?

    Then new trend will be towards obfuscation, not sharing.
  • Given the pathetic interface of Gmail and ever more frustrating themes, I wish Gmail integrated more closely with browser persona.
  • If you have a Google account, this means you can now sign into Persona-powered websites with your existing credentials. The best part is of course Mozilla's pledge to its users. 'Persona remains committed to privacy: Gmail users can sign into sites with Persona, but Google can't track which sites they sign into,'

    First off, I have no bloody interest in logging into web sites with my Google credentials. I will log into them (if at all) with the set of credentials I choose, and if the browser is going to thi

    • by agenaud (538288)
      • Conversation between Alice and Cats.com
        • Alice: Hello Cats.com, I would like to login as alice@gmail
        • Cats.com: Please, provide me proof with nonce 98765
      • Conversation between Alice and Gmail
        • Alice: Hi Gmail, can you verify that I own alice@gmail with nonce 98765
        • Gmail: Certainly, Just login
        • Alice: OK, here's my password
        • Gmail: Here's a signed assertion that alice@gmail logged in and provided the nonce 98765
      • Conversation between Alice and Cats.com
        • Alice: Hi Cats.com, here's Gmail's signed ass

You can do more with a kind word and a gun than with just a kind word. - Al Capone

Working...