[tor-dev] Using Mozilla Persona for "Helping Internet services accept anonymous users"

isis isis at torproject.org
Mon Oct 27 23:55:46 UTC 2014 

[pre scriptum] This email particularly concerns the people on the Tor Browser
    team, and to those interested in progress on Roger's "A Call To Arms:
    Helping Internet services accept anonymous users" blog post. [0]


Hello all,

While setting up a Mozilla Persona Identity Provider (IdP) server for testing
ways to provide a system for anonymous users to log in to websites, I
discovered some serious problems [1] which, in my opinion, make Persona
unusable for our case.

One of these problems [2] essentially boils down to forcing us to choose
between two options for real-world deployment, due to a lack of forward
compatibility in the existing Mozilla Persona deployment:

 1. We could deploy a version which is compatible with the legacy Persona
    implementation but which has privacy issues.

    We would need to accept that the so-called "anonymous" users of the Tor
    Project IdP would be sent from the website they are trying to log into
    (Wikipedia, for example) to https://login.persona.org, and that the latter
    would speak to the Tor Project IdP.

    There is not even remotely a chance for even pseudonymity, if we went this
    route, as the https://login.persona.org server could:

      * Log which websites a Tor user tries to log into,
      * Log when a Tor user tried to log into or out of any website,
      * Potentially link a user's pseudonyms (yes, even if we handed out
        blinded signatures in our credentials),
      * Arbitrarily decide to block all Tor users without the consent of
        either Wikipedia or the Tor Project IdP,
      * and probably a bunch of other horrible stuff.

 2. We could make a version based on the so-called "native" Persona
    implementation within Firefox. This would result in fewer privacy issues,
    however it would be incompatible with all the rest of existing Persona
    infrastructure.

    Mozilla's "native" Persona implementation is already incompatible with the
    legacy version currently deployed on all Persona-enabled websites and IdPs
    today.

    If we decide to go this route, and create a version of Persona which does
    not redirect our users through third-party IdPs, we would need to try to
    force every website that wants to allow anonymous users to login to source
    custom Javascript that we make available, [3] which is specific to
    allowing logins from our IdP.  In addition, sites which include this
    Javascript would no longer be compatible with the regular (non-Tor
    Browser) Firefox userbase and any existing Persona infrastructure (both
    Persona-enabled websites and other Persona IdPs).  For a more verbose
    explanation, please see [4].


I think we can all agree that Option #1 is unacceptable.

If we were to do Option #2, we would essentially be taking over maintenance of
Persona from Mozilla *and* creating an entirely new, incompatible
authentication system on top of the dilapidated remains.  Before going that
route we should pay attention to the fact that Mozilla pulled support for the
project because of lack of adoption.  If our goal was to save work by using
Persona for this purpose, I estimate that we would be doing more work by using
Persona than if we were to build something completely from scratch.


[0]: https://blog.torproject.org/blog/call-arms-helping-internet-services-accept-anonymous-users
[1]: https://trac.torproject.org/projects/tor/ticket/12193
[2]: https://trac.torproject.org/projects/tor/ticket/12193#comment:12
[3]: https://github.com/isislovecruft/browserid-certifier/blob/master/srv/login.persona.torproject.org/document_root/include.js
[4]: https://trac.torproject.org/projects/tor/ticket/12193#comment:13

-- 
 ♥Ⓐ isis agora lovecruft
_________________________________________________________
OpenPGP: 4096R/0A6A58A14B5946ABDE18E207A3ADB67A2CDB8B35
Current Keys: https://blog.patternsinthevoid.net/isis.txt
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 1154 bytes
Desc: Digital signature
URL: <http://lists.torproject.org/pipermail/tor-dev/attachments/20141027/1468e84e/attachment.sig>

More information about the tor-dev mailing list