  • One of the main criticisms of Persona from the security types is that it uses a pop-up window for authentication.

    Do you have citations of this from security experts?

  • He's not bad as far as it goes, not in the league of a cperceiva, but at least he has some hands-on experience. On HN he changed his tune after the Beta and final version were released. The comments in that blog post are based on the initial Alpha, and many things changed.

    His criticisms are easily defeated and no longer relevant, namely the two he mentions:

    1. Phishing attack due to use of a third party domain; in a popup or not it's irrelevant, his core criticism is that people signing into domainx.com don't expect to go to domainy.com but then he has acknowledged many times that if you don't trust the client (the app or website), then things like Twitter Signin, Facebook Connect, etc are only secure by visiting the third party domain. Same is true here on LFGSS... we don't trust the web client.
    2. The fake logout, in that signing out didn't sign you out of Persona; that was solved in a Beta. Signing out of LFGSS will sign you out of Persona.

    Not sure whether you know, but I have actually built several web account and SSO systems. The first back in 1998 for British Telecom (for their web portal), the next in 2000 for 300+ football websites, the web account for Premium TV, the third was a SSO extension for SharePoint, the fourth was the basis for trust based security in SharePoint, the fifth was a web account for Yell Group customers and sales people.

    I've built auth systems based on LDAP, ActiveDirectory, RDBMS sessions, multi-devices, multi-access tokens, trust based relationships between domain forests, SSO to legacy systems and SAP. Basically, it's one of my speciality areas. Tens of millions of people have used my web account and SSO systems.

    Somewhere in that experience I get really hesitant to build yet another sign-in method. But I do have a really really deep understanding of the requirements of one, and of what we needed for LFGSS to make it so that the API could work and we can build native client apps in future.

    When I sat down to start this, I knew exactly what we would need to build, and what I saw was that Mozilla were building precisely the same thing.

    If we didn't use Persona, I would build Persona.

    It may have some nuanced differences. I wouldn't have done the email bridge (auto-signin with Gmail accounts) for example. But in the implementation and flow, almost everything else would be really similar.

    If we ever stop using Persona, we will build something that looks very much like Persona.

    But for today, the dedicated security and ops people that Persona has beats a single me, needing to sleep, and not being available 24/7.

    Persona is 95% of what we need, and has saved us months of work by not requiring that we build it.
