
Mozilla Launches Persona Identity Bridge For Gmail

An anonymous reader writes "Mozilla today announced the Persona Identity Bridge for Gmail users. If you have a Google account, this means you can now sign into Persona-powered websites with your existing credentials. The best part is of course Mozilla's pledge to its users. 'Persona remains committed to privacy: Gmail users can sign into sites with Persona, but Google can't track which sites they sign into,' Mozilla Persona engineer Dan Callahan promises."

  • by BitZtream ( 692029 ) on Thursday August 08, 2013 @07:18PM (#44515545)

    I'm supposed to find it impressive that a website can take my username and password, and present it to another website and confirm its validity?

    So I don't tell Google what I'm logging in to, but I instead give you my authentication information for Google?

    I don't think so Tim.

    Color me unimpressed with Mozilla rehashing something from 40 years ago ... and doing it wrong in the process.

  • by dnadoc ( 3013299 ) on Thursday August 08, 2013 @07:26PM (#44515623)

    "Google can't track"

    Somehow, I'm suspicious of this claim.

  • by icebike ( 68054 ) on Thursday August 08, 2013 @08:03PM (#44515915)

    I believe Mozilla can see what websites you are requesting, but they claim they do not retain this [thenextweb.com] because they are not required to do so.
    That could change I suppose. Clearly they have to have a list of emails that they can process, but not necessarily what sites you can use them for because they can just try to log in, and let it fail. Then go thru the authorization process [mozilla.com].

    I like the idea of spreading the knowledge around so that no one source knows everything. This essentially puts a middle-man in the Auth process, but that man knows very little.

    But I don't think this will work in the long run because someone will break SSL or demand the keys and the whole thing comes down.

    Mozilla is just as much subject to NSA letters as anyone else. And since almost 100% of their funding comes from Google anyway, I can't help but think this is a joint project, or at least carried out with Google's full approval. But still it makes it necessary for the NSA to look a lot more places when building a list and checking it twice.

  • by Your.Master ( 1088569 ) on Thursday August 08, 2013 @08:26PM (#44516127)

    Because "The Government" isn't the only boogeyman in the world.

  • by godel_56 ( 1287256 ) on Thursday August 08, 2013 @08:45PM (#44516263)

    It's meaningless when most sites use Google Analytics and you'll be tracked by Google anyway.

    What, you don't use NoScript?

    That reminds me, I should send that guy another donation

  • by Anonymous Coward on Thursday August 08, 2013 @09:39PM (#44516645)

    *: I think I read some time ago in the documentation that Mozilla can't see what websites are requesting the auth. I'm not sure I remember it right, and I never checked the claim, and it might have changed since that time. For now, I assume the information is visible.

    This is correct.

    The way Persona works:
    * browser generates public-private key pair with the e-mail address as an attribute
    * you send the public part to Mozilla (or whichever ID provider (IdP) you want) to sign
    * the IdP confirms that you have access to said e-mail address, and if so, gives you back the signed data (like a CA) by using the IdP's private key
    * you send the signed data to the website
    * the website grabs the IdP's public key and verifies the signature

    Basically think of it as a decentralized PKI and/or a variant of PGP's web of trust: public-private keys with distributed signing to confirm that you have access to a particular e-mail address account.

    All Mozilla (or any IdP) knows is that a web site grabbed its public key (which can be cached, so traffic analysis isn't useful either). The IdP doesn't know which person's signed data is being checked. Whenever you want to sign in, the website sends your browser a timestamped nonce. The website has your verified public key on file and so can verify the signature of your browser's response.

    Each device you have (or web browser you use) has its own private key/s, and so if you lose a smartphone you can revoke the keys on it. You should have a "master password" for your web browser with an auto-logout.

    This is similar to a password manager, but you don't have to type anything in, and if a website's database is compromised then the attackers don't actually have anything useful.

    You can also use multiple e-mail addresses, even for the same website.
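
The sign-in chain described in the comment above, as an added sketch that is not part of the original post and is not Persona's code or wire format. The function names, the JSON layout, the choice of Ed25519 and the sample addresses and origins are all assumptions made for illustration.

```javascript
// Added illustration of the flow described above; simplified, not Persona's real format.
const crypto = require('node:crypto');
const sign = (key, obj) => {
  const body = JSON.stringify(obj);
  return { body, sig: crypto.sign(null, Buffer.from(body), key).toString('base64') };
};
const open = (pubKey, { body, sig }) =>   // returns the payload only if sig is valid
  crypto.verify(null, Buffer.from(body), pubKey, Buffer.from(sig, 'base64'))
    ? JSON.parse(body) : null;

// IdP: after checking mailbox ownership (not modelled), certifies email + browser key.
// It is never told which site the user is about to visit.
function idpCertify(idpPrivKey, email, browserPubPem, now, ttlMs) {
  return sign(idpPrivKey, { email, pub: browserPubPem, exp: now + ttlMs });
}

// Browser: signs the site's origin and nonce with its own key, attaches the IdP cert.
function browserAssert(browserPrivKey, cert, audience, nonce) {
  return { cert, assertion: sign(browserPrivKey, { audience, nonce }) };
}

// Website: needs only the IdP's (cacheable) public key to check the whole chain.
function siteVerify(idpPubKey, bundle, myOrigin, myNonce, now) {
  const cert = open(idpPubKey, bundle.cert);
  if (!cert) return { ok: false, why: 'bad IdP signature' };
  if (cert.exp <= now) return { ok: false, why: 'certificate expired' };
  const a = open(crypto.createPublicKey(cert.pub), bundle.assertion);
  if (!a) return { ok: false, why: 'bad browser signature' };
  if (a.audience !== myOrigin) return { ok: false, why: 'wrong audience' };
  if (a.nonce !== myNonce) return { ok: false, why: 'stale nonce' };
  return { ok: true, email: cert.email };
}

// Constructed demo values (hypothetical address and origins, fixed clock).
function demo() {
  const idp = crypto.generateKeyPairSync('ed25519');
  const browser = crypto.generateKeyPairSync('ed25519');
  const pubPem = browser.publicKey.export({ type: 'spki', format: 'pem' });
  const t0 = 1_000_000;
  const cert = idpCertify(idp.privateKey, 'alice@example.org', pubPem, t0, 60_000);
  const bundle = browserAssert(browser.privateKey, cert, 'https://shop.example', 'n-1');
  const v = (origin, nonce, now, b = bundle) => siteVerify(idp.publicKey, b, origin, nonce, now);
  const forged = { ...bundle, cert: { ...cert, body: cert.body.replace('alice', 'mallory') } };
  return {
    good: v('https://shop.example', 'n-1', t0 + 1),
    replayedElsewhere: v('https://other.example', 'n-1', t0 + 1),
    expired: v('https://shop.example', 'n-1', t0 + 60_001),
    forgedEmail: v('https://shop.example', 'n-1', t0 + 1, forged),
  };
}
```

The audience check is what stops one site from replaying a captured assertion to another, and the certificate expiry bounds how long a lost device's key remains usable.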

  • by Anonymous Coward on Thursday August 08, 2013 @10:14PM (#44516861)
    Are you still hawking that Comodo shit? How much kickback do they pay you for each endorsement?
  • by syockit ( 1480393 ) on Thursday August 08, 2013 @10:59PM (#44517091)
    I don't remember how it was in NoScript, but in ScriptSafe (for Chrome), even in whitelist mode, a preset of known URLs are blocked before requests could be sent.
  • by TheRaven64 ( 641858 ) on Friday August 09, 2013 @06:35AM (#44518445) Journal
    An Internet Security suite from a company that no longer has its root certificate in my trusted list because of their inability to secure their own systems? Why on earth would I want something like that?
