4

Yesterday, Mozilla announced the BrowserID authentication system, based on the Verified Email Protocol. It looks pretty nifty, but is it secure?

One problem that immediately comes to mind is that it seems that anyone who can access my browser can sign in as me. This is an issue with storing credentials in the browser, as well, except that I can make that decision on a site-by-site basis. Is it all-or-nothing with BrowserID?

Are there any other potential security flaws?

Aaron Novstrup
  • 20,967
  • 7
  • 70
  • 108
  • I'm guessing actual implementations would have a popup requesting permission to do a browserID login, before sending off the encrypted token. – Marc B Jul 15 '11 at 20:45
  • @Marc B Right, but it's supposed to be a two-click process. If I'm understanding correctly, you don't enter credentials in that popup -- you just verify that you want to sign in to a particular destination site with a particular email address. – Aaron Novstrup Jul 15 '11 at 20:59
  • Firefox allows you to protect your regular stored passwords with a master password, which is used to protect the encryption key that is used to encrypt your passwords. I would have thought that something similar would apply to BrowserID. – Neil Jul 15 '11 at 21:21

2 Answers2

2

This is not direct answer to your question, but there is thread in the "security" stack exchange site, which discuss about the same

https://security.stackexchange.com/questions/5323/what-are-the-downsides-of-browserid-compared-to-openid-oauth-facebook

Community
  • 1
  • 1
Rajeesh
  • 4,377
  • 4
  • 26
  • 29
1

I eventually found what Daniel contributed to a third Q&A on BrowserId/Persona and WebID. I found this answer most helpful. (I tried to convince him to post here, but he suggested I do so.)

Security, Privacy and Usability Requirements for Federated Identity by Michael Hackett and Kirstie Hawkey provides a comparison between WebID and Mozilla Persona, which at the time was still referred to as BrowserID.

The main differences that were noted (in Table 1) are:

  • Persona keys are short lived, and should be protected with a password. WebID keys are long lived but can easily be disabled from a password protected profile.
  • The current Persona implementation uses standard browser windows so it is difficult to spot spoofing (this may change once browsers get native Persona support). WebID uses the browsers native certificate selection UI so no chance of phishing.
  • Both Persona and WebID identities can be compromised if control over the owners email/URI is lost.
  • Persona IdPs have no knowledge of SPs that use an identity. WebID IdPs know every SP that uses an identity.
  • If a Persona SP has a cache of the IdP's public key and the browser still has a valid certificate it should still be possible to verify identities. WebID profiles must be reachable otherwise identities will not be usable.
  • Persona has good UX design, whereas WebID is the opposite.

I suggest reading the paper for more detail. It is freely available online, no digital library access needed.

Community
  • 1
  • 1
sage
  • 4,863
  • 2
  • 44
  • 47