Is BrowserID secure?

Posted 2024-11-24 09:32:07 · 446 words · 1 view · 0 comments


Yesterday, Mozilla announced the BrowserID authentication system, based on the Verified Email Protocol. It looks pretty nifty, but is it secure?

One problem that immediately comes to mind is that it seems that anyone who can access my browser can sign in as me. This is an issue with storing credentials in the browser, as well, except that I can make that decision on a site-by-site basis. Is it all-or-nothing with BrowserID?

Are there any other potential security flaws?


Comments (2)

千秋岁 2024-12-01 09:32:07


This is not a direct answer to your question, but there is a thread on the "security" Stack Exchange site which discusses the same:

https://security.stackexchange.com/questions/5323/what-are-the-downsides-of-browserid-compared-to-openid-oauth-facebook

别闹i 2024-12-01 09:32:07


I eventually found what Daniel contributed to a third Q&A on BrowserId/Persona and WebID. I found this answer most helpful. (I tried to convince him to post here, but he suggested I do so.)


Security, Privacy and Usability Requirements for Federated Identity by Michael Hackett and Kirstie Hawkey provides a comparison between WebID and Mozilla Persona, which at the time was still referred to as BrowserID.

The main differences that were noted (in Table 1) are:

  • Persona keys are short-lived, and should be protected with a password. WebID keys are long-lived but can easily be disabled from a password-protected profile.
  • The current Persona implementation uses standard browser windows, so it is difficult to spot spoofing (this may change once browsers get native Persona support). WebID uses the browser's native certificate selection UI, so no chance of phishing.
  • Both Persona and WebID identities can be compromised if control over the owner's email/URI is lost.
  • Persona IdPs have no knowledge of SPs that use an identity. WebID IdPs know every SP that uses an identity.
  • If a Persona SP has a cache of the IdP's public key and the browser still has a valid certificate, it should still be possible to verify identities. WebID profiles must be reachable, otherwise identities will not be usable.
  • Persona has good UX design, whereas WebID is the opposite.

I suggest reading the paper for more detail. It is freely available online, no digital library access needed.
