
FrOSCon talk report


Francois Marier

Aug 31, 2013, 9:19:22 AM8/31/13
Last weekend, I gave a talk [1] at FrOSCon [2] in front of about 60 people.

One of the best parts of the conference was that I got to meet in person
the German security researchers who reported the winchan [3] and ephemeral
session problems [4] to us (see the paper I posted yesterday). It was
really interesting discussing the model they built to analyze all of the
flows in the BrowserID protocol and looking for ideas of other things
they could study by extending their model. They have decided to do more
analysis work on BrowserID, in particular to look at Sideshow and BigTent.

In terms of the feeling from the audience, it was a mix of enthusiastic
people who love our approach and a few people who are disappointed that
the system is not fully decentralized yet and asked 15 minutes' worth of
tough questions :)

The most surprising thing is that nobody asked about the NSA!

# Questions from the audience

- Why does the fallback identity provider ask for a password?

- What prevents Wikipedia from using the certificate in the assertion to
log into another site as me?

- What prevents an attacker from stealing an assertion on the wire?

- What prevents a site from modifying an assertion sent to it by a user
and reusing it elsewhere?

- If sites are loading include.js from Mozilla and using the online
verifier, can't Mozilla see everywhere users are going?

- Will your server be able to handle the load if everybody is including
that file from their site?

- Do you offer a way for sites to self-host the JS file and then remove
the need to load anything from persona.org?

- How easy is it for an organization to become an identity provider?

- What would happen if the fallback identity provider gets compromised?
What about a native identity provider?

- Is Persona PCI certified? Can we use it in PCI-certified applications?

- This system has many problems: it's centralized, it's totally
dependent on JavaScript, it uses popups and iframes so it's vulnerable
to phishing just like OpenID.

- Where do you use public/private key cryptography in the protocol? Is
it a temporary or a permanent keypair?

- Does Firefox have native support yet? Will you provide plugins or
something like that for other browsers?

- Why would web.de want to become a Persona identity provider?

- What happens to organizations that don't care (and will never care)
about becoming a Persona identity provider?

- Couldn't we use client SSL certs to achieve the same thing?

- What happens when a user changes their email address or loses access
to their address?

- Would there be a way to create an arbitrary OpenID bridge (where you
can use any OpenID URL, not just Yahoo/GMail)?


Francois


[1] Slides are here:
https://speakerdeck.com/fmarier/persona-a-federated-and-privacy-protecting-login-system-for-the-whole-web,
the video will be posted here soon: ftp://media.ccc.de/events/froscon/2013/

[2] http://www.froscon.de/en/home/

[3] https://github.com/mozilla/winchan/commit/0afb18feae83d0f22d2b94f61fd56efe5fe19904

[4] https://github.com/mozilla/browserid/issues/3770 and
https://github.com/mozilla/browserid/issues/3769