Mozilla is promoting a browser-based alternative to usernames and passwords for website logins. Browser ID offers a decentralized system for user identification and authentication along the same lines as OpenID. To use BrowserID users first have to create an account with Mozilla. After this users would be able to use the …
Don't change a winning formula
I kinda stopped paying attention after "you only need to register".
Why would you want your data to be kept online somewhere when you could just as easy have it all tucked away on your local PC ?
And before anyone brings up "ease of use"; why don't they simply implement an option which allows us to import and export saved passwords? That way you can easily copy them from your main computer onto your laptop so that you can still easily visit the websites you frequent without having to worry about passwords.
Some people have more than one device. I use the Firefox's sync feature because it's an easy way to put a bookmark or new password on one pc and automatically see it appear on another pc. The data is encrypted so all Mozilla know is person X has stored some blob of stuff on their server with some datestamp to facilitate synchronizing.
It's much easier than manually exporting bookmarks to some shared location and reimporting them which you could also do if you wanted. There is no UI for doing the same with passwords but you could copy the file from one machine to the other in a similar way. It wouldn't be as easy as sync is though.
I keep my .mozilla dir on a USB key, and just carry it with me. When I plug it in, a udevd script mounts it where necessary. Simple.
I still find it more comfortable/safe to have some gpg encrypted files on an ssh-accessible sever and/or export the encrypted files along with keys to my other machines.
you already can
Firefox Sync already syncs stored passwords between systems. BrowserID is a rather different thing. It doesn't 'store your data online somewhere'.
Another idiot that thinks Mozilla invented bookmark syncing...
Opera users were enjoying this for several years before you.
Sounds rather similar to the Passport system Microsoft announced which nobody else trusted or wanted.
A central point of failure isn't a good idea, if that database gets hacked then you're screwed.
BrowserID isn't very similar to Passport in design, and does not have a central point of failure. The article's description of it is very inaccurate. See http://identity.mozilla.com/post/7616727542/introducing-browserid-a-better-way-to-sign-in .
Is this the same Passport
that means thiefs are still routinely emptying everyones Xbox Live accounts even today? With Mirosoft seemingly unable to stop them?
No password, but an email address?
Instead of typing in a password which you keep as a secret, you type in an email address (which you ought to keep secret)? Have I understood this correctly?
The certificate which identifies the e-mail address is held by the browser and supplied to the Browser ID site when you log in, the Browser ID site verifies the e-mail address and certificate and tells the website that you logged in okay (or not).
SO we only need to hope that the certificate isn't maintained by a company a la DigiNotar.
This really doesn't sound very safe to me.
the certificate is 'held' on your local system only.
I'm looking forward the next step, the Ident-I-Eeze card...
Sort of like OpenID
but tied to a specific browser and manufacturer? Is there a need?
It's not tied to either, and it differs somewhat from OpenID. See http://identity.mozilla.com/post/7669886219/how-browserid-differs-from-openid .
Not really seeing the point
Unless you use the same browser at home, at work, on your mobile phone etc. it'll be useless. If you want central password storage things like lastpass work well. There's facebook and twitter authentication, which this is basically competing directly with.
The motivation for accepting a system that's tied to a single browser is what exactly?
It's not tied to a single browser. Mozilla never write anything that way, it's just not how they do things. BrowserID would be extremely easy to implement in any client.
Obligatory xkcd standards post
why not use public/private keys just like SSH, PuTTY and Pageant. It's trivial (and secure) to give a website your public key, and trivial for the browser (or a plugin running therein) to delegate to Pageant in the same way PuTTY does.
spam, spam, spam, spam, luv'ly spaaaaam, wonderful spaaaaaam
"To use BrowserID users first have to create an account with Mozilla. After this users would be able to use the technology to enter websites that support BrowserID simply by entering their email address."
Create an account with... Mozilla? Then, I enter a Web site by giving it my... email address?
Ummm.... naaahhh, no thanks.
So, if I use browser ID, it has to be with a compatible website who opts in.
Unlikely that google will go with this, or yahoo.
Or my bank, or my online email account.
Or any of the social networks I visit.
So, having got those most important accounts out the way - ones which would never opt for a browser ID solution with Mozilla, what's left?
No thanks Mozilla, even if all of the above opted into this, the idea of keeping all my passwords with a third party intermediary just seems fraught with danger.
Besides, I use Chrome, as you still persist in churning out a buggy, memory hog of a browser since v4x - and haven't managed to sandbox your tabs yet.
You don't 'keep all of your passwords with a third party intermediary'. That isn't how BrowserID works at all. See http://identity.mozilla.com/post/7616727542/introducing-browserid-a-better-way-to-sign-in .
Oh noes, more "decentralized" nonsense
Yes, please let all my passwords be stored in one remote location beyond my control, so they can be hacked, stolen, handed to the NSA, or otherwise lost or compromised at this single point of failure.
Alternatively, I could just save them all in a plain text file, encrypt it, back it up locally, save a copy on a USB thumbdrive, then decrypt it whenever I need reminded of a password.
Why not support for a dongle?
Why can't we just support a hardware dongle, which would store all my keys, access info, etc., and allow the browser a means to access the dongle to retrieve a session key given the site. That way, *I* control my keys - not Mozilla, not Microsoft, not No Such Agency, not the MAFIAA - ME.
No support for those...
... that want to register a different email address with each place they register so they can figure out who sold the email address (or was hacked)...
example: my Amazon account is amazonuk.<hexdigits>@<mydomain name here>, my PSN account is PSN.<hexdigits>@<mydomain name here> where digits is a CRC16 of the domain name I'm registering on...
If any of them starts attracting spam, then I have a go at the company that managed to lose my email address...
Presumably one would lose that with BrowserID (as one typically does with OpenID).
Yes, there is
You can use any amount of different email addresses with BrowserID, though they are of course all different 'identities'.
Pound sand, your product sucks ass and I'll never again install anything Mozilla.
Wow that's off my chest, I will never install any Mozilla product on anything ever again.
I can understand the negative comments, because the article describes BrowserID completely and utterly incorrectly.
The neat point of BrowserID is that it *isn't* centralized and does *not* require a sign up with Mozilla. Mozilla is operating the initial verification service because, well, someone has to. But anyone can run one. The system was designed on the idea that email providers will act as verifiers for the addresses they provide.
BrowserID is a pretty elegant design and somewhat different from OpenID, but this article does a piss-poor job of understanding and explaining it. I recommend referring to:
and the rest of that blog (it's interesting stuff) instead. BrowserID may not succeed, but it's at least an interesting and well-motivated attempt to address a genuine issue. It's not just another silly vendor trying to make a play at the single-sign-in market.
What about client certificates?
It's part of SSL and can be made to be totally controlled by the user.
This little duck won't be using it.
I'm already in the habit of clearing passwords after sessions, and why would I trust Mozilla anyway?
Remember your passwords
Erm ... I just remember my passwords. I never save any of them anywhere or on anything. And yes they are good ones. Sorry for being anal retentive :-)