Added a mention of/link to Mozilla Persona.

IMO, it's the easiest way to handle authentication today: fully decentralized, secure, and with nice privacy guarantees. With it, you don't have to care about user names (just use email addresses), passwords, or secure storage thereof; it mostly just works (and once it gets linked into the big email providers in December or so, almost everyone will already have an account).

How does it prevent that data-sniffing issue from happening when you are not using SSL? Or can you just not use Persona without SSL?

Presuming you're using session cookies, Persona is no less secure than any other reasonable authentication system when used without SSL.

It also has the nice property that what Persona transmits over the wire -- the proof of identity -- is only valid for 120 seconds. Sniffing it in real time would temporarily allow you to masquerade as another user on that specific site, but any sort of delay and you're locked out.

This is a huge improvement over, say, transmitting passwords, which could grant access to an account for months or years.
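To make the 120-second property concrete, here is an added example (not code from this project or from Mozilla) of the freshness and audience checks a relying party's verifier performs on a backed assertion (`certificate~assertion`, each a JWS whose payload carries `aud`/`exp`, with `exp` assumed to be a millisecond timestamp). The sample data, `make_unsigned_jws`, `check_backed_assertion` and `CLOCK_SKEW_MS` are constructed for illustration; signature verification over the certificate chain is assumed to happen elsewhere and is not shown.

```python
import base64
import json

ASSERTION_LIFETIME_MS = 120 * 1000   # Persona assertions are minted to live about 120 s
CLOCK_SKEW_MS = 10 * 1000            # tolerance for verifier/browser clock drift (assumed value)

def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def _payload(jws: str) -> dict:
    # A JWS is header.payload.signature; only the payload claims are inspected here
    return json.loads(_b64url_decode(jws.split(".")[1]))

def make_unsigned_jws(payload: dict) -> str:
    # Constructed test data: the signature segment is a placeholder, not a real signature
    header = _b64url_encode(b'{"alg":"RS256"}')
    return f"{header}.{_b64url_encode(json.dumps(payload).encode())}.sig"

def check_backed_assertion(backed_assertion: str, audience: str, now_ms: int):
    """Freshness and audience checks a relying party's verifier performs.
    Returns (ok, detail). Signature checks over the certificate chain are
    assumed to happen elsewhere (hypothetical), not in this function."""
    cert_jws, assertion_jws = backed_assertion.rsplit("~", 1)
    cert, assertion = _payload(cert_jws), _payload(assertion_jws)
    if assertion.get("aud") != audience:
        return False, "audience mismatch: assertion was minted for another site"
    if now_ms > assertion["exp"] + CLOCK_SKEW_MS:
        return False, "assertion expired: a sniffed copy replayed late is useless"
    if assertion["exp"] - now_ms > ASSERTION_LIFETIME_MS + CLOCK_SKEW_MS:
        return False, "assertion lifetime too long: reject oversized validity windows"
    if now_ms > cert["exp"] + CLOCK_SKEW_MS:
        return False, "identity certificate expired"
    return True, cert["principal"]["email"]

# Constructed sample: a certificate and an assertion issued at T0 for https://example.test
T0_MS = 1_700_000_000_000
SAMPLE = "~".join([
    make_unsigned_jws({"iss": "login.persona.org", "exp": T0_MS + 24 * 3600 * 1000,
                       "principal": {"email": "alice@example.test"}}),
    make_unsigned_jws({"aud": "https://example.test", "exp": T0_MS + ASSERTION_LIFETIME_MS}),
])

if __name__ == "__main__":
    # Fresh use succeeds; the same sniffed assertion replayed five minutes later is rejected
    print(check_backed_assertion(SAMPLE, "https://example.test", T0_MS + 5_000))
    print(check_backed_assertion(SAMPLE, "https://example.test", T0_MS + 300_000))
```

Over plain HTTP the attacker still sees the assertion, so the check only bounds the replay window; it does not protect the session cookie issued afterwards.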

