[tor-bugs] #12193 [Ponies]: Set up a Mozilla Persona testing server
Tor Bug Tracker & Wiki
blackhole at torproject.org
Fri Jun 6 03:05:21 UTC 2014
#12193: Set up a Mozilla Persona testing server
---------------------------+----------------------
Reporter: mikeperry | Owner:
Type: project | Status: new
Priority: normal | Milestone:
Component: Ponies | Version:
Resolution: | Keywords: SponsorP
Actual Points: | Parent ID:
Points: |
---------------------------+----------------------
Changes (by isis):
* cc: isis (added)
Comment:
Mike Perry kept lauding Persona while I was starting research on
authentication mechanisms for BridgeDB's social distributor last
summer/fall. I ended up setting up a Mozilla Persona server on my personal
server for a while on patternsinthevoid.net (it's not up anymore though)
to test it out, and, ultimately, to be able to log into the silly Tor
Stack Exchange thingie that insisted on being MITMable and insecure.

Long story short: I've already read a few papers on it, and read their
docs, and set one up. It's supposed to have changed some, but I could do
it again.

'''@mikeperry''': As a technical aside, why did you say
> a number CAPTCHAs
plural? Why is solving 2-out-of-3 8-char CAPTCHAs better than solving 1
24-char CAPTCHA with 3 chars wrong? Is there something better about having
plural CAPTCHAs? As a user, that would annoy the crap out of me; I would
think I'd done something wrong.
--------
If you want just the server, and you want it well-tested and scalable to a
potentially high number of Tor clients who are waiting to pounce on it,
then that would probably take me two months. I could plug the CAPTCHA
system that I already made for BridgeDB into it pretty easily, I think.

If you want extra authentication systems, then I'd estimate 2 months
extra, on top of setting up the server(s), for each auth mechanism that is
simple. Simple RSA-based blind tokens probably count as simple. If you
want crazy stuff for extra authentication systems, like BTC payments, that
would need a bit of extra work to guarantee that any adversarial advantage
for deanonymisation isn't introduced. I would estimate roughly 6 months
extra work for implementing any more ambitious auth/PoW scheme.
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/12193#comment:2>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online