
Abandoned accounts


Michael Hackett

Feb 29, 2012, 2:00:00 PM
to dev-id...@lists.mozilla.org
I've been reading everything I can find on BrowserID, including most of the
archives here, and one concern I still have is about what happens when an
email address changes hands. I may have missed it, but I haven't seen any
clear statement about what information an RP is supposed to capture about a
user. My take-away is that an RP just saves the email address as the sole
identifier. But if that is the case, I see a number of problems.

For one thing, it would appear that if I change to a new email address and
don't remember to go back to *each and every site* I've ever signed into
using the old address, and go through the email-change process, then the
new owner of that address will have access to any of those old accounts.

Conversely, if I'm using a secondary authority, once I have verified
ownership of an email *once* with that authority, I can continue to use
that address with any site, even if I'm no longer the owner of that
address. So I could access the data belonging to the new owner of that
address, if I knew which sites he or she used.

Am I missing something in the design that would prevent the above scenarios
from happening? I understand that the first case is not really a new
problem, as the situation exists with any site that allows password reset
over email. However, with BrowserID, since it becomes a lot less onerous to
create site accounts, I expect that people will end up with a lot more of
these forgotten accounts, without some clear mechanism for closing unwanted
accounts.

Thanks,
-- Michael

Ben Adida

Mar 1, 2012, 1:20:14 AM
to dev-id...@lists.mozilla.org
On 2/29/12 11:00 AM, Michael Hackett wrote:
> For one thing, it would appear that if I change to a new email address and
> don't remember to go back to *each and every site* I've ever signed into
> using the old address, and go through the email-change process, then the
> new owner of that address will have access to any of those old accounts.

This is the situation we have today on the Web. Not much we can do
there. Sites offer recovery via email. Even with OpenID, which
technically offers directed, never-reused identifiers, the OpenID
provider often does password recovery via email.... thus negating the
whole point of not reusing identifiers.

So, BrowserID doesn't solve this problem, but it didn't create it and it
doesn't make it worse. It's an inherent problem of the distributed Internet.

> Conversely, if I'm using a secondary authority, once I have verified
> ownership of an email *once* with that authority, I can continue to use
> that address with any site, even if I'm no longer the owner of that
> address. So I could access the data belonging to the new owner of that
> address, if I knew which sites he or she used.

Our secondary authority does not allow two users to own the same email.
If another user signs up for BrowserID and is verified by our secondary,
then the "old" user of that email loses the ability to use that email
address. (You can try this now.)

So I don't think this one is an actual issue.

Let me know if you have any more questions!

-Ben
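The difference between the two authority behaviours discussed in this exchange (an authority that remembers every address an account has ever verified, versus the single-owner rule Ben describes for the Mozilla secondary) can be made concrete with a small model. The code below is an added example, not Mozilla's or BrowserID's code; the account names, the address user@example.com, and the use of a random token as a stand-in for the emailed verification link are all constructed for illustration.

```python
# Added example (not Mozilla/BrowserID code): a minimal model of the two
# authority behaviours discussed above. NaiveAuthority remembers every
# verification an account has ever completed, so a former owner can keep
# asserting an address. SingleOwnerAuthority binds each address to exactly
# one account; a later verification by another account displaces the old one.
import secrets
from dataclasses import dataclass, field


@dataclass
class _Verifier:
    """Shared verification bookkeeping: token -> (email, account)."""
    pending: dict = field(default_factory=dict)

    def start_verification(self, email, account):
        token = secrets.token_urlsafe(16)   # stands in for the emailed link
        self.pending[token] = (email.lower(), account)
        return token


@dataclass
class NaiveAuthority(_Verifier):
    """Per-account set of addresses verified at some point in the past."""
    verified: dict = field(default_factory=dict)   # account -> set of emails

    def complete_verification(self, token):
        email, account = self.pending.pop(token)
        self.verified.setdefault(account, set()).add(email)
        return None                                # nobody is ever displaced

    def may_assert(self, email, account):
        return email.lower() in self.verified.get(account, set())


@dataclass
class SingleOwnerAuthority(_Verifier):
    """One current owner per address, as Ben describes for the secondary."""
    owner: dict = field(default_factory=dict)      # email -> account

    def complete_verification(self, token):
        email, account = self.pending.pop(token)
        displaced = self.owner.get(email)
        if displaced == account:                   # re-verifying your own address
            displaced = None
        self.owner[email] = account
        return displaced                           # account that lost the address

    def may_assert(self, email, account):
        return self.owner.get(email.lower()) == account


def address_changes_hands(authority_cls):
    """Alice verifies an address, gives it up, Bob receives it and verifies it.

    Returns whether each party can still assert the address afterwards and
    whom Bob's verification displaced (None for the naive authority)."""
    auth = authority_cls()
    auth.complete_verification(auth.start_verification("user@example.com", "alice"))
    assert auth.may_assert("user@example.com", "alice")
    # Address reassigned; new owner verifies it (case-insensitive match).
    displaced = auth.complete_verification(
        auth.start_verification("User@example.com", "bob"))
    return {
        "alice_can_still_assert": auth.may_assert("user@example.com", "alice"),
        "bob_can_assert": auth.may_assert("user@example.com", "bob"),
        "displaced": displaced,
    }


if __name__ == "__main__":
    print("naive:", address_changes_hands(NaiveAuthority))
    print("single-owner:", address_changes_hands(SingleOwnerAuthority))
```

With the naive model both Alice and Bob can assert the address after it changes hands, which is the scenario Michael raises; with the single-owner model Bob's verification displaces Alice and her later assertions are refused. Note that this only models the authority side: an RP that keyed Alice's existing account on the email address alone would still hand that account to Bob, which is the first problem Ben says BrowserID does not solve.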

and...@ducker.org.uk

Mar 17, 2012, 1:11:15 PM
to dev-id...@lists.mozilla.org
On Thursday, 1 March 2012 06:20:14 UTC, Ben Adida wrote:
> Even with OpenID, which
> technically offers directed, never-reused identifiers,

It doesn't, at all. I have an OpenID at http://andrewducker.livejournal.com - if I delete my livejournal account then it can be used by someone else once it is purged from the system, and then they will have access to my OpenID credentials.

I don't think it's something that can be fixed.

Andy

Hola

Mar 25, 2012, 10:02:41 PM
to mozilla.de...@googlegroups.com, dev-id...@lists.mozilla.org
+1
