-
He's not bad as far as it goes, not in the league of a cperceiva, but at least he has some hands-on experience. On HN he changed his tune after the Beta and final version were released. The comments in that blog post are based on the initial Alpha, and many things changed.
His criticisms are easily defeated and no longer relevant, namely the two he mentions:
- Phishing attack due to use of a third-party domain; popup or not, it's irrelevant. His core criticism is that people signing into domainx.com don't expect to go to domainy.com, but he has acknowledged many times that if you don't trust the client (the app or website), then things like Twitter Sign-in, Facebook Connect, etc. are only secure by visiting the third-party domain. Same is true here on LFGSS... we don't trust the web client.
- The fake logout, in that signing out didn't sign you out of Persona; that was solved in a Beta. Signing out of LFGSS will sign you out of Persona.
Not sure whether you know, but I have actually built several web account and SSO systems. The first was back in 1998 for British Telecom (for their web portal); the next in 2000 for 300+ football websites, the web account for Premium TV; the third was an SSO extension for SharePoint; the fourth was the basis for trust-based security in SharePoint; the fifth was a web account for Yell Group customers and sales people.
I've built auth systems based on LDAP, Active Directory, RDBMS sessions, multi-device, multi-access-token, trust-based relationships between domain forests, SSO to legacy systems and SAP. Basically, it's one of my speciality areas. Tens of millions of people have used my web account and SSO systems.
Somewhere in that experience I get really hesitant to build yet another sign-in method. But I do have a really really deep understanding of the requirements of one, and of what we needed for LFGSS to make it so that the API could work and we can build native client apps in future.
When I sat down to start this, I knew exactly what we would need to build, and what I saw was that Mozilla were building precisely the same thing.
If we didn't use Persona, I would build Persona.
It may have some nuanced differences. I wouldn't have done the email bridge (auto-signin with Gmail accounts) for example. But in the implementation and flow, almost everything else would be really similar.
If we ever stop using Persona, we will build something that looks very much like Persona.
But for today, the dedicated security and ops people that Persona has beats a single me, needing to sleep, and not being available 24/7.
Persona is 95% of what we need, and has saved us months of work by not requiring that we build it.
-
But for today, the dedicated security and ops people that Persona has beats a single me, needing to sleep, and not being available 24/7.
Mozilla is no longer developing Persona, has moved staff away from the project and, while it is still providing minimal support, this is for the existing hosted service (downtime, critical bugs and the like). Mozilla has promised not to decommission Persona this year.
I know people who work for Mozilla. Persona is a dead duck. Now is a good time to be planning alternatives for the near future.
http://www.opine.me/mozilla-persona-browserid-is-a-step-in-the-wrong-direction/
To be fair I don't know if the author is a security expert. He might be a total numpty on security matters for all I know.