Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Mozilla Persona for your domain

Francois Marier
July 10, 2013
Programming
2
180

Mozilla Persona for your domain

Passwords are a big problem on the Web. Users pick bad ones and re-use them all over the place, developers can’t seem to be able to secure them. We need something better, but almost all of the new login systems for the Web rely on centralised gate keepers. We can do better than this.

Persona is a new way of logging users in. It’s simple, decentralised and allows users to choose who can vouch for them. It’s also designed to provide meaningful privacy to all users regardless of their level of expertise.

This talk will highlight the main features of Persona and introduce the crypto behind its underlying protocol, BrowserID. It will also provide an overview of what organisations can do to support Persona natively on their domains.

Francois Marier

July 10, 2013
Tweet

More Decks by Francois Marier

See All by Francois Marier
Security and Privacy settings for Firefox Power Users
fmarier
0
290
Getting Browsers to Improve the Security of Your Webapp
fmarier
0
260
Hardening Firefox for Privacy and Security
fmarier
0
990
Security and Privacy on the Web in 2016
fmarier
0
200
Privacy and Tracking Protection in Firefox
fmarier
0
270
Security and Privacy on the Web in 2015
fmarier
0
240
Security and Privacy on the Web in 2015
fmarier
0
180
Integrity protection for third-party JavaScript
fmarier
1
760
URL to HTML
fmarier
1
280

Other Decks in Programming

See All in Programming
OnlineTestConf: Test Automation Friend or Foe
maaretp
0
110
CSC509 Lecture 09
javiergs
PRO
0
140
Nurturing OpenJDK distribution: Eclipse Temurin Success History and plan
ivargrimstad
0
880
Why Jakarta EE Matters to Spring - and Vice Versa
ivargrimstad
0
1.1k
Macとオーディオ再生 2024/11/02
yusukeito
0
370
AWS IaCの注目アップデート 2024年10月版
konokenj
3
3.3k
Make Impossible States Impossibleを 意識してReactのPropsを設計しよう
ikumatadokoro
0
170
タクシーアプリ『GO』のリアルタイムデータ分析基盤における機械学習サービスの活用
mot_techtalk
4
1.4k
TypeScriptでライブラリとの依存を限定的にする方法
tutinoko
2
660
Snowflake x dbtで作るセキュアでアジャイルなデータ基盤
tsoshiro
2
520
EventSourcingの理想と現実
wenas
6
2.3k
RubyLSPのマルチバイト文字対応
notfounds
0
120

Featured

See All Featured
Building Flexible Design Systems
yeseniaperezcruz
327
38k
A Modern Web Designer's Workflow
chriscoyier
693
190k
Automating Front-end Workflow
addyosmani
1366
200k
GraphQLとの向き合い方2022年版
quramy
43
13k
Large-scale JavaScript Application Architecture
addyosmani
510
110k
Intergalactic Javascript Robots from Outer Space
tanoku
269
27k
How to Ace a Technical Interview
jacobian
276
23k
Statistics for Hackers
jakevdp
796
220k
ReactJS: Keep Simple. Everything can be a component!
pedronauck
665
120k
jQuery: Nuts, Bolts and Bling
dougneiner
61
7.5k
Making the Leap to Tech Lead
cromwellryan
133
8.9k
10 Git Anti Patterns You Should be Aware of
lemiorhan
654
59k

Transcript

  1. François Marier – @fmarier Mozilla Persona for your domain

  2. solving the password problem on the web

  3. problem #1: passwords are hard to secure

  4. bcrypt / scrypt / pbkdf2 per-user salt site secret password

    & lockout policies secure recovery

  5. bcrypt / scrypt / pbkdf2 per-user salt site secret password

    & lockout policies secure recovery

  6. bcrypt / scrypt / pbkdf2 per-user salt site secret password

    & lockout policies secure recovery

  7. bcrypt / scrypt / pbkdf2 per-user salt site secret password

    & lockout policies secure recovery

  8. bcrypt / scrypt / pbkdf2 per-user salt site secret password

    & lockout policies secure recovery

  9. bcrypt / scrypt / pbkdf2 per-user salt site secret password

    & lockout policies secure recovery 2013 2013 password password guidelines guidelines

  10. passwords are hard to secure they are a liability

  11. ALTER TABLE user DROP COLUMN password;

  12. problem #2: passwords are hard to remember

  13. None
  14. None

  15. users have two strategies

  16. 1. pick an easy password

  17. None

  18. 2. reuse your password

  19. negative externality: sites that don't care about security impose a

    cost on more important sites

  20. passwords are hard to remember they need to be reset

  21. None

  22. control email account control all accounts =

  23. existing login solutions

  24. client certificates

  25. SAML

  26. None
  27. None

  28. existing login systems are not good enough

  29. • decentralised • simple • cross-browser

  30. how does it work?

  31. [email protected]

  32. getting a proof of email ownership

  33. authenticate?

  34. authenticate? public key

  35. authenticate? public key signed public key

  36. you have a signed statement from your provider that you

    own your email address
  37. None

  38. logging into a 3rd party site

  39. Valid for: 2 minutes wikipedia.org assertion

  40. Valid for: 2 minutes wikipedia.org check audience assertion

  41. Valid for: 2 minutes wikipedia.org check audience check expiry assertion

  42. Valid for: 2 minutes wikipedia.org check audience check expiry check

    signature assertion

  43. assertion Valid for: 2 minutes wikipedia.org public key

  44. assertion Valid for: 2 minutes wikipedia.org

  45. assertion session cookie

  46. demo #1: http://crossword.thetimes.co.uk/ [email protected]

  47. Persona is already a decentralised system

  48. SMS with PIN codes

  49. SMS with PIN codes Jabber / XMPP

  50. SMS with PIN codes Jabber / XMPP Yubikeys

  51. SMS with PIN codes Jabber / XMPP Yubikeys LDAP accounts

  52. SMS with PIN codes Jabber / XMPP Yubikeys LDAP accounts

    Client certificates

  53. SMS with PIN codes Jabber / XMPP Yubikeys LDAP accounts

    Client certificates Password-wrapped secret key { "public-key": { "algorithm": "RS", "n":"685484565272...", "e":"65537" }, "encrypted-private-key": { "iv": "tmg7gztUQT...", "salt": "JMtGwlF5UWY", "ct": "8DdOjD1IA1..." }, "authentication": "...", "provisioning": "..." }

  54. decentralisation is the answer, but it's not a product adoption

    strategy

  55. we can't wait for all domains to adopt Persona

  56. we can't wait for all domains to adopt Persona solution:

    a temporary centralised fallback

  57. demo #2: http://sloblog.io/ [email protected]

  58. Persona already works with all email domains

  59. None

  60. Persona supports all modern browsers >= 8

  61. Persona is decentralised, simple and cross-browser

  62. how can I add Persona support to my domain?

  63. support document https://eyedee.me/.well-known/browserid: { "public-key": { "algorithm":"RS", "n":"8606...", "e":"65537" },

    "authentication": "/browserid/sign_in.html", "provisioning": "/browserid/provision.html" }

  64. https://eyedee.me/.well-known/browserid: { "public-key": { "algorithm":"RS", "n":"8606...", "e":"65537" }, "authentication": "/browserid/sign_in.html",

    "provisioning": "/browserid/provision.html" }

  65. https://eyedee.me/.well-known/browserid: { "public-key": { "algorithm":"RS", "n":"8606...", "e":"65537" }, "authentication": "/browserid/sign_in.html",

    "provisioning": "/browserid/provision.html" }

  66. https://eyedee.me/.well-known/browserid: { "public-key": { "algorithm":"RS", "n":"8606...", "e":"65537" }, "authentication": "/browserid/sign_in.html",

    "provisioning": "/browserid/provision.html" }

  67. https://eyedee.me/.well-known/browserid: { "public-key": { "algorithm":"RS", "n":"8606...", "e":"65537" }, "authentication": "/browserid/sign_in.html",

    "provisioning": "/browserid/provision.html" }

  68. identity provider API 1. check for your /.well-known/browserid 2. try

    the provisioning endpoint 3. show the authentication page 4. call the provisioning endpoint again

  69. identity provider API 1. check for your /.well-known/browserid 2. try

    the provisioning endpoint 3. show the authentication page 4. call the provisioning endpoint again

  70. identity provider API 1. check for your /.well-known/browserid 2. try

    the provisioning endpoint 3. show the authentication page 4. call the provisioning endpoint again

  71. identity provider API 1. check for your /.well-known/browserid 2. try

    the provisioning endpoint 3. show the authentication page 4. call the provisioning endpoint again

  72. as an organization, you control: • details of the authentication

    process

  73. as an organization, you control: • details of the authentication

    process • the duration of certificates

  74. To learn more about Persona: https://login.persona.org/ http://identity.mozilla.com/ https://developer.mozilla.org/docs/Persona/Quick_Setup https://developer.mozilla.org/Persona/Implementing_a_Persona_IdP https://github.com/mozilla/browserid-cookbook

    https://developer.mozilla.org/docs/Persona/Libraries_and_plugins https://wiki.mozilla.org/Identity#Get_Involved @fmarier http://fmarier.org

  75. © 2013 François Marier <[email protected]> This work is licensed under

    a Creative Commons Attribution-ShareAlike 3.0 New Zealand License. Door man: https://secure.flickr.com/photos/wildlife_encounters/8024166802/ Top 500 passwords: http://xato.net/passwords/more-top-worst-passwords/ Parchment: https://secure.flickr.com/photos/27613359@N03/6750396225/ Cookie on tray: https://secure.flickr.com/photos/jamisonjudd/4810986199/ Uncle Sam: https://secure.flickr.com/photos/donkeyhotey/5666065982/ US passport: https://secure.flickr.com/photos/damian613/5077609023/ Stop sign: https://secure.flickr.com/photos/artbystevejohnson/6673406227/ Photo credits: