Is BrowserID secure?
Yesterday, Mozilla announced the BrowserID authentication system, based on the Verified Email Protocol. It looks pretty nifty, but is it secure?
One problem that immediately comes to mind is that it seems that anyone who can access my browser can sign in as me. This is an issue with storing credentials in the browser, as well, except that I can make that decision on a site-by-site basis. Is it all-or-nothing with BrowserID?
Are there any other potential security flaws?
Comments (2)
This is not a direct answer to your question, but there is a thread on the "security" Stack Exchange site which discusses the same thing:
https://security.stackexchange.com/questions/5323/what-are-the-downsides-of-browserid-compared-to-openid-oauth-facebook
I eventually found what Daniel contributed to a third Q&A on BrowserId/Persona and WebID. I found this answer most helpful. (I tried to convince him to post here, but he suggested I do so.)
Security, Privacy and Usability Requirements for Federated Identity by Michael Hackett and Kirstie Hawkey provides a comparison between WebID and Mozilla Persona, which at the time was still referred to as BrowserID.
The main differences that were noted (in Table 1) are:
I suggest reading the paper for more detail. It is freely available online, no digital library access needed.