Mozilla’s online identity authorisation platform BrowserID is “seriously flawed”, “ill-considered” and “privacy-threatening” according to a prominent Australian online consumer advocate.
Roger Clarke wasted no time in blasting the identity management scheme released this week as a replacement for traditional username and password authentication.
“The BrowserID initiative appears to be merely yet another in the long line of seriously flawed 'identity management' schemes built around digital signature technology, and based on ill-considered and privacy-threatening assumptions about both technology and human needs,” Clarke said.
The system allows users to authenticate their email address using PGP (Pretty Good Privacy) with participating websites without requiring a password. It is based on the web-based Verified Email Protocol developed by Mozilla engineer Mike Hanson and is a step away from token-based identity schemes.
“What we've learned from several years of experience with OpenID and related protocols is that this isn't quite good enough: establishing an identity token, in isolation from the rest of the web, doesn't actually help a site engage with its users,” Hanson said.
It uses asymmetric cryptography and digital signatures to allow browsers to create signed assertions about a user's identity and for providers to vouch for a user's identity with a signed key-email pair.
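The two-signature chain described above can be sketched as follows. This is an added illustration, not Mozilla's code or BrowserID's wire format: the function names, the JSON layout and the choice of Ed25519 are assumptions, and the keys, email address and site URLs are constructed.

```javascript
// Added illustration of a provider-signed key-email pair plus a browser-signed assertion.
const crypto = require('node:crypto');

const sign = (obj, privateKey) => {
  const payload = Buffer.from(JSON.stringify(obj));
  return { payload: payload.toString('base64'),
           sig: crypto.sign(null, payload, privateKey).toString('base64') };
};
const open = (signed, publicKey) => {
  const payload = Buffer.from(signed.payload, 'base64');
  const ok = crypto.verify(null, payload, publicKey, Buffer.from(signed.sig, 'base64'));
  return ok ? JSON.parse(payload.toString()) : null; // null when the signature fails
};

// Provider: vouch for a key-email pair once, after the user logs in to the email service.
function issueCertificate(providerKey, email, userPublicKey, now, ttlMs) {
  const publicKey = userPublicKey.export({ type: 'spki', format: 'pem' });
  return sign({ email, publicKey, exp: now + ttlMs }, providerKey);
}

// Browser: sign an assertion scoped to one site; the provider is not contacted at login.
function makeAssertion(userPrivateKey, certificate, audience, now, ttlMs) {
  return { certificate, assertion: sign({ audience, exp: now + ttlMs }, userPrivateKey) };
}

// Relying party: check both signatures, both expiry times and the audience.
function verifyLogin(bundle, providerPublicKey, expectedAudience, now) {
  const cert = open(bundle.certificate, providerPublicKey);
  if (!cert || cert.exp < now) return { ok: false, reason: 'bad or expired certificate' };
  const a = open(bundle.assertion, crypto.createPublicKey(cert.publicKey));
  if (!a || a.exp < now) return { ok: false, reason: 'bad or expired assertion' };
  if (a.audience !== expectedAudience) return { ok: false, reason: 'wrong audience' };
  return { ok: true, email: cert.email };
}

function demo() { // constructed values throughout
  const provider = crypto.generateKeyPairSync('ed25519');
  const user = crypto.generateKeyPairSync('ed25519');
  const t0 = 1_000_000;
  const cert = issueCertificate(provider.privateKey, 'alice@example.org', user.publicKey, t0, 3_600_000);
  const bundle = makeAssertion(user.privateKey, cert, 'https://site.example', t0, 120_000);
  return {
    good: verifyLogin(bundle, provider.publicKey, 'https://site.example', t0 + 1_000),
    otherAudience: verifyLogin(bundle, provider.publicKey, 'https://other.example', t0 + 1_000),
    stale: verifyLogin(bundle, provider.publicKey, 'https://site.example', t0 + 200_000),
  };
}
```

A successful `verifyLogin` establishes only that the provider signed this key-email pair before the certificate expired and that the assertion was signed with the matching private key; it says nothing about which process on the device used that key.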
Mozilla programmer Lloyd Hilaiel said BrowserID increases privacy and security because identity providers are not involved in login transactions, and the system requires less user information, such as birth dates, under a process dubbed ownership-based authentication.
He said a usable implementation of BrowserID is available “right now” without modifications to other browsers.
But privacy advocate Roger Clarke said the system is an attack on online anonymity, and may be vulnerable to browser-based attacks.
“‘Ownership-Based Authentication’ is misleading. Authentication is based, initially, on the demonstrated ability to login to the email service [and] subsequently on the demonstrated ability to access the relevant browser's functionality. Given the incidence of malware on consumer devices, the 'Ownership' metaphor is inappropriate. A more suitable notion is 'virtual possession'. Two or even multiple entities may enjoy 'Virtual Possession'. Moreover, the fact that possession is shared with an unauthorised local process, and even by an unauthorised remote process or individual, may be unknown to the user. Given the high quality of rootkits, it may even be effectively unknowable.”
Clarke also attacked claims by Mozilla that Yahoo! Mail and Gmail “directly vouch for users' identities” as misleading because “the purpose of many such schemes is to provide local, not global, assurance, and no undertakings are given to 'relying parties'.”
“Secondly, such assurance as may be provided relates not to any assertion about the user's identity, but only to the existence of such an identity, and the fact that, at some time in the [recent] past, [the device] had satisfied whatever authentication test the organisation applied to the account which is in most cases a relatively low level of authentication, a password.”
Clarke had long maintained that a user’s multiple online identities must be kept separate to maintain civil liberty.
Copyright © SC Magazine, Australia