
Don’t Use Mozilla Persona to Secure High-Value Data

47 points | zobzu | 12 years ago | benjamin.smedbergs.us

47 comments

callahad | 12 years ago
Hi, I hack on Persona at Mozilla. Persona is not a panacea, but this post is disingenuous.

Benjamin is concerned about user impersonation by identity (email) providers.

1. The identical risk of silent impersonation is present with any OpenID or OAuth-based system.

2. With password-based systems, a malicious provider could also intercept reset emails, creating similar risk. Benjamin notes that "a user will be aware of the attack then next time they try to login," but that's a poor mitigation, since the attacker has already gained access. Benjamin agrees: "On bugzilla.mozilla.org, we disabled password reset emails for users with access to security bugs."

If you're operating under the same constraints as Benjamin, then I agree: Persona alone is not sufficient. Nor is any other normal authentication system.

StavrosK | 12 years ago
Since each IdP has a private key, couldn't they request "pinning" it? So, for example, I can ask my IdP to say "I will be the IdP for this user for at least a year, if you get a different signature within this year, it's an impostor".

Each client would have to cache the ID specifically for every user, but that doesn't seem too bad for the extra security it gives. Alternatively, the user themselves could send the IdP ID to the authenticating site and the site can check that they match, thus detecting any foul play.

Please correct me if I'm talking out of my ass, it's been a while since I implemented an IdP.

lazyjones | 12 years ago
> 2. With password-based systems, a malicious provider could also intercept reset emails,

He could also intercept the login attempts (e.g. webmail login form => the password is typically sent in plain text to the server [regardless of transport security]), the user will never notice.

fournm | 12 years ago
I'm sorry, I might just be misunderstanding so please correct me if I'm wrong but...

The main vulnerability he talks about is if a major provider were to be hacked and have their file replaced (or go rogue, entirely). In either case, is any login system that doesn't use two factor authentication and allows for password resets via email really going to do any better?

Edit: I realize he points out that 2 factor auth really is the only solution here, just, it seems like the criticism applies much more widely than just against Persona.

drdaeman | 12 years ago
The main problem with Persona (and OpenID and OAuth) is that you don't own your identity, by design. The identity is completely managed by the provider, so anything that uses Persona is inherently prone to all sorts of identity provider abuse.

Analogy: you don't have any keys to your safe deposit box at the bank, but a warden may open it for you after a phone call to your landlord, who'd assert your identity. The obvious question is why we need a landlord in this scenario.

Unfortunately, gpgAuth is practically dead and WebID WG had no progress for two years.

_wmd | 12 years ago
A slightly less overloaded summary might be "users must trust their identity provider", which is true of every authentication scheme I'm aware of except for perhaps PGP, which itself is a usability nightmare for 99% of the planet.

No clue what point this post was trying to make

callahad | 12 years ago
It's more than just 2-factor, your site has to control the second factor. E.g., even if you're using Google OAuth and requiring folks to have 2FA turned on, Google still effectively controls both of the factors.

natrius | 12 years ago
A more PR-friendly headline would be, "Use Two-Factor Authentication to Secure High-Value Data." Persona is not the problem.

StavrosK | 12 years ago
You mean two-factor auth on the IdP, or on the site itself? The former wouldn't solve the problem, but the latter would.

pdpi | 12 years ago
No, the problem is, as is often the case, people selling silver bullets.

wtbob | 12 years ago
It seems to me that the issue with respect to the .well-known/browserid which he raises is itself an issue with the CA system; the assumptions are a) that the key serving the site is verified by a trusted CA and b) that the key is serving the correct file. In fact, it's quite possible that a trusted CA is compromised, and it's even possible that the key has been misled into serving (and authenticating) the wrong file.

In short, we're entrusting every single CA in the world with the login of every single user in the world.

That doesn't seem terribly good to me.

A better system, IMHO, would involve offline keys for each identity provider; these keys would each sign an online key (or online keys) which would be used to authenticate the users. Each relying party would have to make a decision on how to handle hitherto-unseen keys (TOFUPOP backed up by SSL is, while imperfect, not indefensible).

TOFUPOP would protect against bad-faith CAs, and offline long-term keys would enable key mobility. Note that with a properly-specified certificate calculus, the offline key could authorise its own backups...

dllthomas | 12 years ago
I think the reason Persona is singled out here is simply that this guy is commenting from Mozilla.

jessaustin | 12 years ago
Yeah, it's cool that they tolerate a diversity of thought on core issues.

yetfeo | 12 years ago
Now that Firefox Accounts is being used in Mozilla properties rather than Persona, I'd expect more downplaying of Persona to come from Mozilla, including employees like OP. Is Persona still being developed at Mozilla?