
Mozilla Persona and Surveillance - ibotty
http://identity.mozilla.com/post/52729477874
======
gonvaled
The statement that Mozilla should have issued:

"Some have claimed that we should move Mozilla out of the US. Unfortunately,
for reasons of connectivity, workforce, ties to US market, legal issues and
restructuring costs we are not able to do that.

Current (recurring) developments in the US have shown that our government can
not be trusted. No amount of legislation is going to achieve a fully
accountable government.

Because of this, we are unable to guarantee that Persona is or will be exempt
from data requests from one of the government agencies. Even worse: we will not
be able to tell you when / what data has been requested. We are not, and will
not be, able to confirm or deny data requests. It can be that future legislation
forbids us to even make the statements that we are making in this paragraph,
so this is maybe the last time that we can tell you this.

The only solution to a private internet is to fully embrace cryptography for
all our communications. Until then, you can use Persona at your own risk."

~~~
clarkevans
The last bit here is a reach. For starters, Persona uses SSL, so it's
encrypted. But more broadly, if you're going to use a centralized, third-party
authentication mechanism you could do far, far worse than Persona. I'd go so
far as to say if your site is implementing its own authentication system, you
could do yourself even more damage with a poor implementation.

Your critique seems to have missed an important part about Persona's design: "It’s
also worth pointing out that we do take certain technical measures to limit
the data we collect. We’ve designed Persona so that the identity provider –
including the fallback Identity Provider that we run – does not learn your
browsing history. We consider that a good security practice, not specifically
because of surveillance, but generally because collecting data without a user
benefit just creates risk."

Further, the main "centralized" risk would be their default identity provider.
If you don't want to use that for your domain, you can provide your own, and
host it in another country. In this case, Mozilla's servers aren’t even being
contacted when you authenticate.

~~~
gonvaled
I know nothing about Persona. I have never used it, and I have not read anything
about it. But that much is clear to me: the communication between you and the
Persona provider can happen very much over an encrypted channel, _but_ the
data in the Provider is not encrypted with a key which _you_ only know. The
Persona provider has the data in the open (except passwords, which are hashed).

This whole fiasco has shown a weakness in the system which was there all the
time, but little acknowledged: it is not about encrypting communications
anymore. The eavesdropping risk is well understood and there are technologies
available to get rid of it (SSL, SSH tunnels, whatever). But now we need to
encrypt the data everywhere. Nobody can be trusted with the data anymore
because the government can be accessing that data, and they do not need to
eavesdrop: they just need to send a letter and implicitly threaten with
litigation and imprisonment to obtain _whatever_ data they want.

This makes the technological solutions much more challenging, and some
services can probably not be provided. How does Facebook provide services to
their users if the data they have must be encrypted and they can not access
it? How to share with friends photos if they are encrypted? Maybe creating ad-
hoc group passwords to share data? I do not know, it is difficult.

~~~
bad_user
Dude, what the hell are you talking about?

The only thing those in power would find out by looking at Mozilla's servers
in charge of Persona authentication would be your freaking email address and
that's it. This is by design.

~~~
gonvaled
"It’s also worth pointing out that we do take certain technical measures to
limit the data we collect. We’ve designed Persona so that the identity
provider – including the fallback Identity Provider that we run – does not
learn your browsing history."

That does not say "we only store your email address". It also does not say
they are storing more than that, either. In any case, the data is not
encrypted, so my argument stands.

~~~
quadrangle
You should read up on what Persona is before making judgments about it. Just a
general guideline for reasonable discourse.

~~~
gonvaled
Here: [http://www.mozilla.org/en-US/persona/](http://www.mozilla.org/en-US/persona/)

"Many sign-in systems carry your profile data with them; some even share that
info with other sites and social networks. We believe you should control how
your personal information is shared. Persona lets you get started with just
your email address; you can add your profile data later, when and where you
think it’s appropriate."

Whatever that "profile data" is, can be requested by the government.

~~~
StavrosK
The "profile data" that refers to is the profile data you want to add per-
site. It's got nothing to do with Persona.

All Persona knows is your email, a password and the fact that you (maybe) want
to authenticate at some point (but it doesn't know where, and it can't be sure
you're actually trying to authenticate somewhere even).

------
gonvaled
"First, it’s not clear to us that other governments have any less intrusive
surveillance activities."

Well, it is clear the US has it. That should be enough. There are some
unknown unknowns, but this is a known unknown. There are other governments
with the same willingness and capabilities of spying on everyone (do not move
to China), but most of the countries in the world do not have a Government
with both willingness and the technical abilities to do it. And most of the
countries do not have a _huge_ and highly sophisticated shadow-government,
with multiple agencies working out of the public oversight. Most countries
have secret services, but they are a joke compared to what the US is able to
deliver.

"Second, as a US company, Mozilla is subject to US Laws, wherever we host our
servers."

Move the company out of the US. I understand that it won't be easy, but it is the
only way to be 100% sure that the US Government will not come requesting data
(not that they will not take it anyway, if they are able to).

"Third, we’d rather not engage in an arms-race with US government agencies."

Read: we are afraid to lead here, because backlash from the government (and
the public?) could be too damaging for Mozilla.

"We’d rather focus on efforts to change the Law to respect user data wherever
it lives."

We know so much: the privacy situation in the US is bad, and getting worse
_very_ fast. No amount of public discussion or legislation is going to change
that. If PRISM is outlawed, even if those responsible are put into prison,
they will start the PROSM program, more secretive, more broad. We will know
about it on 2037 (maybe not, since by then we will be already living in a
fully accomplished Orwell world). By then Mozilla will issue a statement
similar to this one, explaining why they are not really taking the necessary
steps.

Conclusion: if even a company committed to freedom and openness like Mozilla is not
willing and/or able to take the necessary steps, it shows how unavoidable 1984
is.

~~~
DanBC
NSA and GCHQ are _very good at math_ and _very good at surveillance_.

Not engaging in an arms race with well funded, very smart, government agencies
is probably a good idea.

If they think you're a criminal (doesn't apply to Mozilla) they will coerce
foreign governments to cooperate - see for example the illegal attacks on Mega
or the domain seizures for gambling or torrent sites.

But we know, from ECHELON, that they're happy to spy on anyone, and use weird
loopholes in the law to do so.

Mozilla would need to find a country that had great Internet infrastructure;
good strong laws and privacy culture[1]; lack of links to US; comfortable
living for staff; etc etc.

That's not easy.

[1] The US has a strong culture of privacy, which is what makes PRISM so
surprising for their citizens. (Not for many other people who were saying it's
happening, and have been doing so for a while.)

~~~
gonvaled
"good strong laws and privacy culture[1]"

"[1] The US has a strong culture of privacy, which is what makes PRISM so
surprising for their citizens. (Not for many other people who were saying it's
happening, and have been doing so for a while.)"

When will the public accept that "good strong laws and privacy culture" is not
in the _least_ a characteristic of the US, and hasn't been for the last 30
years?

The US is probably not a democracy anymore, and hasn't been for over 20 years,
since Governments are elected by corporate interests (via campaign funding)

~~~
ricardobeat
That's not the impression you get from people's reactions to PRISM (see
"nothing to hide").

------
kijin
One great thing about Persona is that it doesn't have to get involved every
time I log into some website. The keys can be cached, so Persona doesn't need
to know which websites I visit the most frequently, how long I spend on each
site, which pages I read, etc. Persona just provides the identity and stops
there. In that sense, Persona's very design makes it an unattractive target of
surveillance. Not much data there.

Right now, Mozilla knows my email address, my (hopefully salted and hashed)
password, some keys associated with said password, and the set of IP addresses
from which I ever accessed Persona. Maybe also the set of IP addresses from
which its key was requested, but that's not a particularly useful piece of
information when NSA is trying to figure out what I'm up to.

However, two of the planned changes to Persona get me worried a little. The
first is that Persona will allow people to add multiple email addresses to
each account and choose which one to use at any given time. This means that if
NSA gains access to the contents of a Persona server, they'll be able to link
several (seemingly unrelated) email addresses to the same account. If you're a
heavy Redditor, imagine that somebody will be able to find out every throwaway
account that you made and abandoned over the years to talk about things you
don't want traced back to you. That's the sound of the Eureka! that the NSA
agent utters when he finds out that the person who has been posting anti-
factory-farming comments all over the place is actually the same guy who
retweeted some anti-Esso catchphrase, who is the same guy whose personal blog
contains pictures from a recent trip to Pakistan.

My second worry is that Mozilla expects email service providers to serve as a
Persona provider for their users. If I'm not sure whether I want to trust the
Mozilla Foundation (the good guys) with information about my various alter
egos, I'm definitely going to be wary of giving Google, Yahoo, and Microsoft
the same kind of information. Although it's possible for you to be your own
Persona provider, realistically, not many people are their own OpenID
providers at the moment, and not many of them are going to be their own
Persona provider, either. Decentralization is often advertised as one of the
better features of Persona, but I suspect that it's going to remain little
more than an advertisement. Everyone else will just use Google-hosted Persona
with their Google-hosted email, with no real improvement of privacy.

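The design clarkevans quotes above and kijin describes here (the identity provider does not learn the browsing history because the browser signs per-site assertions with a cached key) is easier to see in code. What follows is an added example written for this page, not Mozilla's BrowserID implementation: it models the three parties (IdP, browser, relying party) with textbook RSA over fixed primes standing in for RS256, a JWT-like encoding, and an assumed single fallback issuer name; the email address, site names and timestamp are constructed.

```python
"""Toy BrowserID (Persona) flow: the IdP certifies a browser key once, then
the browser signs a fresh assertion per site with that cached key, so the
IdP never learns which sites the user logs in to.

Added example, not Mozilla's code. Signatures are textbook RSA over fixed
Mersenne-prime keys standing in for real RS256 (no padding, no randomness);
not for production use.
"""
import base64, hashlib, json

E = 65537

def _rsa_key(p, q):
    """Textbook RSA key pair from two fixed primes (toy)."""
    n = p * q
    return {"n": n, "e": E}, {"n": n, "d": pow(E, -1, (p - 1) * (q - 1))}

# Constructed key pairs; Mersenne primes avoid any prime generation.
IDP_PUB, IDP_PRIV = _rsa_key(2**89 - 1, 2**107 - 1)
BROWSER_PUB, BROWSER_PRIV = _rsa_key(2**61 - 1, 2**127 - 1)

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def _digest(signing_input: bytes) -> int:
    # Truncated to 128 bits so the value is below every toy modulus above.
    return int.from_bytes(hashlib.sha256(signing_input).digest()[:16], "big")

def sign_jwt(payload: dict, priv: dict) -> str:
    head = _b64(json.dumps({"alg": "RS256"}).encode())
    body = _b64(json.dumps(payload, sort_keys=True).encode())
    sig = pow(_digest(f"{head}.{body}".encode()), priv["d"], priv["n"])
    return f"{head}.{body}.{_b64(sig.to_bytes(32, 'big'))}"

def verify_jwt(token: str, pub: dict) -> dict:
    head, body, sig = token.split(".")
    s = int.from_bytes(_unb64(sig), "big")
    if pow(s, pub["e"], pub["n"]) != _digest(f"{head}.{body}".encode()):
        raise ValueError("bad signature")
    return json.loads(_unb64(body))

def issue_certificate(issuer, email, browser_pub, idp_priv, now, ttl=86400):
    """IdP step, once per key: after the user has logged in at the IdP, bind
    the browser's public key to the email. Note: no audience appears here."""
    return sign_jwt({"iss": issuer, "iat": now, "exp": now + ttl,
                     "public-key": browser_pub,
                     "principal": {"email": email}}, idp_priv)

def create_assertion(cert, browser_priv, audience, now, ttl=120):
    """Browser step, per login: sign the audience locally with the cached
    key. The IdP is not contacted, so it never sees the audience."""
    return cert + "~" + sign_jwt({"aud": audience, "exp": now + ttl}, browser_priv)

def verify_backed_assertion(backed, audience, issuer_keys, fallback, now):
    """RP step: return the verified email or raise. issuer_keys maps issuer
    domain -> IdP public key (assumed pre-fetched; a real verifier fetches it
    from the domain's /.well-known/browserid document)."""
    cert_tok, assertion_tok = backed.split("~")
    iss = json.loads(_unb64(cert_tok.split(".")[1]))["iss"]  # unverified peek
    if iss not in issuer_keys:
        raise ValueError(f"unknown issuer {iss}")
    cert = verify_jwt(cert_tok, issuer_keys[iss])
    email = cert["principal"]["email"]
    domain = email.rsplit("@", 1)[1]
    if iss not in (domain, fallback):  # only the email's domain or the fallback may vouch
        raise ValueError(f"{iss} is not authoritative for {domain}")
    if cert["exp"] <= now:
        raise ValueError("certificate expired")
    assertion = verify_jwt(assertion_tok, cert["public-key"])
    if assertion["aud"] != audience:
        raise ValueError("assertion was issued for a different site")
    if assertion["exp"] <= now:
        raise ValueError("assertion expired")
    return email

def demo() -> dict:
    now = 1_371_000_000  # constructed timestamp
    issuers = {"login.persona.org": IDP_PUB}
    cert = issue_certificate("login.persona.org", "alice@example.com",
                             BROWSER_PUB, IDP_PRIV, now)
    out = {}
    for site in ("https://news.example.net", "https://shop.example.org"):
        backed = create_assertion(cert, BROWSER_PRIV, site, now)
        out[site] = verify_backed_assertion(backed, site, issuers,
                                            "login.persona.org", now + 60)
    try:  # replaying the last assertion at a third site must fail
        verify_backed_assertion(backed, "https://evil.example", issuers,
                                "login.persona.org", now + 60)
        out["replay"] = "accepted"
    except ValueError as exc:
        out["replay"] = str(exc)
    return out

if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Running `demo()` calls the IdP's `issue_certificate` exactly once; neither site name ever appears in anything the IdP signs or receives, because the audience lives only in the browser-signed half of the backed assertion. That is also why the same assertion is rejected when replayed at a third site, and why a certificate from an issuer that is neither the email's domain nor the configured fallback fails the authority check. What the IdP does hold is what kijin lists: the email, the login credential, and the key it certified.
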
~~~
Osmose
Unless I'm mistaken[1], right now the popup that has multiple emails in it is
the part that will eventually become native to the browser itself, so no
service should have access to that list of multiple emails.

Each of those emails is instead tied to an identity provider: for example, you
might have a GMail address that uses Google as the IdP, while a Yahoo one
would use Yahoo as the IdP. But Google and Yahoo don't actually know that
you're using multiple emails to login to stuff, they only deal with the emails
you register with them.

What happens right now is that Mozilla Persona hosts the JS-powered popup that
lets you choose between emails, so we end up with that info. This is for use
in the short-term and for older browsers, but long term I think it will shift
to client-side only.

[1] I work for Mozilla, but not on the Persona project, so there is a chance
that I'm completely wrong. Doh!

~~~
kijin
When I log into persona.org, it seems to allow me to remove my (currently
only) email address by clicking the first blue "Edit" button and then clicking
"Remove" next to my email address. So I assumed that, in the future, I might
also be able to add email addresses. Sorry if I was wrong about this.

~~~
StavrosK
You can add email addresses now, this is just for the bridge, so it allows you
to use alternate addresses to log in with. It's not specific to Persona, it's
just how they designed the current bridge (which they aim to phase out in the
long run).

------
josephg
Any plans to pin the login.persona.org SSL certificate in browsers? It seems
like a pretty tasty MITM attack target, especially while most identity
providers don't have native persona support.

login.persona.org is listed in the key pinning list in Chrome[1], but marked
as kNoPins, DOMAIN_NOT_PINNED - whatever that means.

[1]
[http://src.chromium.org/viewvc/chrome/trunk/src/net/http/tra...](http://src.chromium.org/viewvc/chrome/trunk/src/net/http/transport_security_state_static.h?view=markup)

~~~
fmarier
Yes and we're tracking it here:
[https://github.com/mozilla/browserid/issues/2158](https://github.com/mozilla/browserid/issues/2158)

That list you see in Chromium (which is now also shared with Firefox) is the
list of sites that come with HSTS ([https://developer.mozilla.org/en-US/docs/Security/HTTP_Strict_Transport_Security](https://developer.mozilla.org/en-US/docs/Security/HTTP_Strict_Transport_Security)) turned ON.

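fmarier's reply separates two things that live on that Chromium list: HSTS preload (the host is always fetched over https, which login.persona.org has) and key pins (a served certificate chain must hash to a known public key, which the kNoPins entry lacks). The following is an added example, not Chromium's or Mozilla's code, modelling how a client would evaluate both; the preload table, the blog.example header, and the byte strings standing in for DER SubjectPublicKeyInfo are all constructed.

```python
"""HSTS preload plus key pinning, as a client would evaluate them.

Added example (not Chromium's or Mozilla's code). The preload table mirrors
the shape of Chromium's static list: an entry may carry HSTS only (the
kNoPins case) or HSTS plus a pin set. "SPKI" values below are stand-in byte
strings, not real DER; real pins hash the DER SubjectPublicKeyInfo.
"""
import base64, hashlib

def parse_hsts(header: str) -> dict:
    """Parse a Strict-Transport-Security value (RFC 6797; names are case-insensitive)."""
    result = {"max_age": None, "include_subdomains": False}
    for directive in header.split(";"):
        name, _, value = directive.strip().partition("=")
        name, value = name.lower(), value.strip().strip('"')
        if name == "max-age" and value.isdigit():
            result["max_age"] = int(value)
        elif name == "includesubdomains":
            result["include_subdomains"] = True
    if result["max_age"] is None:
        raise ValueError("max-age is required")
    return result

def spki_pin(spki_der: bytes) -> str:
    """sha256/<base64> pin over the (stand-in) SubjectPublicKeyInfo bytes."""
    return "sha256/" + base64.b64encode(hashlib.sha256(spki_der).digest()).decode()

class TransportSecurityState:
    def __init__(self, preload: dict):
        # preload: host -> {"include_subdomains": bool,
        #                   "pins": None | {"good": set[str], "bad": set[str]}}
        self.preload = preload
        self.dynamic = {}  # host -> (expires_at, include_subdomains), from headers

    def record_header(self, host: str, header: str, now: int) -> None:
        h = parse_hsts(header)
        if h["max_age"] == 0:
            self.dynamic.pop(host, None)  # max-age=0 removes the host
        else:
            self.dynamic[host] = (now + h["max_age"], h["include_subdomains"])

    def _lookup(self, host: str, now: int):
        """Walk host and its parents; a parent applies only with includeSubDomains."""
        labels = host.split(".")
        for i in range(len(labels)):
            candidate, exact = ".".join(labels[i:]), i == 0
            entry = self.preload.get(candidate)
            if entry and (exact or entry["include_subdomains"]):
                return entry
            dyn = self.dynamic.get(candidate)
            if dyn and dyn[0] > now and (exact or dyn[1]):
                return {"include_subdomains": dyn[1], "pins": None}
        return None

    def should_upgrade(self, host: str, now: int) -> bool:
        return self._lookup(host, now) is not None

    def check_chain(self, host: str, chain_spki: list, now: int) -> bool:
        """True when no pins apply, or when some chain SPKI matches a good
        pin and none matches a bad pin."""
        entry = self._lookup(host, now)
        if entry is None or entry["pins"] is None:
            return True
        hashes = {spki_pin(s) for s in chain_spki}
        return bool(hashes & entry["pins"]["good"]) and not hashes & entry["pins"]["bad"]

# Constructed stand-in SPKIs: the legitimate root and a rogue CA's key.
ROOT_SPKI = b"spki:trusted-root"
MITM_SPKI = b"spki:rogue-ca"

PRELOAD = {
    "login.persona.org": {"include_subdomains": True, "pins": None},  # HSTS only
    "pinned.example": {"include_subdomains": True,
                       "pins": {"good": {spki_pin(ROOT_SPKI)}, "bad": set()}},
}

def demo() -> dict:
    tss = TransportSecurityState(PRELOAD)
    now = 1_371_000_000  # constructed timestamp
    tss.record_header("blog.example", "max-age=31536000; includeSubDomains", now)
    return {
        "persona_upgrade": tss.should_upgrade("login.persona.org", now),
        "persona_mitm_cert_passes_pins": tss.check_chain("login.persona.org", [MITM_SPKI], now),
        "pinned_mitm_cert_passes_pins": tss.check_chain("www.pinned.example", [MITM_SPKI], now),
        "pinned_legit_chain_passes_pins": tss.check_chain("www.pinned.example", [b"spki:leaf", ROOT_SPKI], now),
        "dynamic_subdomain_upgrade": tss.should_upgrade("www.blog.example", now + 100),
        "dynamic_expired": tss.should_upgrade("blog.example", now + 31536001),
    }
```

The `persona_mitm_cert_passes_pins` result is the point of josephg's question: with HSTS alone, a certificate from any CA the client already trusts still passes, so an attacker who can obtain one is not stopped; the pinned host rejects a chain whose SPKI hashes do not include the pinned one. The dynamic entries show the other half of fmarier's answer, a header-set HSTS policy that covers subdomains and lapses when max-age runs out.
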
------
buro9
The best things in Persona's favour:

1) A lot of people are working on it (hopefully eyeballs translate to fewer
flaws)

2) You can host your own

3) Eventually when browsers are in on the game, it can be decentralised

The best response Mozilla could give is to highlight the above and ask for
more help from those able to give it to make those things come true sooner.

We all know where we are today, so let's just get to where we want to be
tomorrow.

And finally add a link to Github:
[https://github.com/mozilla/browserid](https://github.com/mozilla/browserid)

~~~
kijin
> _it can be decentralised_

Technically, yes. Realistically, highly unlikely.

What's going to happen, at best, is that email service providers like Google
and Microsoft will begin to support Persona. Either as a replacement for
OpenID, or in addition to it. A negligible minority of the human population,
such as regular HN readers like you and I, might opt to implement Persona on
our own servers, but everyone else will remain hostages of their respective
email service providers.

~~~
clarkevans
Realistically, and perhaps sooner than you think. They are finishing up the LDAP-
based provider; once that happens, you could hook it up to most company-wide
authentication systems.

Once that's working @university.edu and @bigco.com would authenticate directly
with the organization. That'll be huge. This is a very very high value
feature, I expect it to be _the_ driving force for adoption.

One of the big challenges of large organizations is shutting someone off once
they've left the company. This provides a very unintrusive way to do so for
applications that use Persona. I could see large organizations requiring that
all logins use Persona (and the @organization domain).

~~~
StavrosK
That's exactly my thinking when creating
[https://persowna.net/](https://persowna.net/). Providing authentication that
hooks up to the corporation's specific system _for the entire web_ is
potentially a very big thing.

------
Millennium
It seems to me as though an interim solution would be to partner with
organizations in other countries to set up Persona fallbacks there. Key to
this is that it would need to be a partnership with an entity local to the
nation where the server is stored: Mozilla should not run these services
itself, for the reasons listed in Mozilla's own post.

Has this option been explored, or at least considered?

------
denzil_correa
The most important line for me from the blog post was

> Third, we’d rather not engage in an arms-race with US government agencies.
> We’d rather focus on efforts to change the Law to respect user data wherever
> it lives.

This effectively tells a lot about Mozilla's intent.

~~~
Ziomislaw
How do you know Mozilla was not forced by the US to post just that? And they
can't tell you they have been forced to do this. This simple fact basically
destroys Persona IMHO.

------
ricardobeat
> First, it’s not clear to us that other governments have any less intrusive
> surveillance activities.

This is a surprising statement, and somewhat dismissive of the respect for
privacy and personal rights in the rest of the world. The NSA program is not a
mundane activity, and should not be regarded as such, especially by a
foundation like Mozilla.

------
ndesaulniers
We can run, or we can fight!

