New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add option to hash BrowserID usernames #2
Conversation
(i.e. not expose email address to harvesters and other attacks)
Add option to hash BrowserID usernames
Looks good. I'll roll this into an Iris Couch update ASAP, because the example app has also stopped working as you pointed out. @maxogden warned me against making an example implementation at all. Almost everything in /_browserid is unnecessary. Maybe he was right after all. |
Out of curiosity why wasn't something like sha1sum used for encrypting the email addresses? It's good enough for FOAF: That would solve the disclosure problem without making hashes that are dependent on each CouchDB instances salt. Thoughts? |
Actually I think that is a serious problem. It breaks the replication model for CouchDB. We should be able to replicate @thedod, what do you think? Is there a way to balance email address privacy with the ability to get a deterministic "username" value? |
Plain unseeded Sha1sum has the gravatar vulnerability: if you have a guess, it's simple and computationally cheap to verify (even without rainbow tables). It's not necessarily a problem when If you have some other app where you do want consistency across servers (and maybe even the ability to sync Server-specific BrowserID hashing started as a compromise out of necessity (the mix between CouchApp's total transparency and BrowserID's choice of email as id is a privacy hazard otherwise). However - the side effect of "the unbearable lightness of trolling" turns out to be a promising feature [IMHO]. If/when I start working on the OpenID plugin, I believe I'll add an option to hash the id (although OpenID doesn't really require this): it's hell for data miners, and for some applications - this is a blessing ;) |
Those are all excellent points. Is the following statement true? If users trust each other with a common _users database, then they I wonder if we could exploit that. Somehow copy the salt value (and Another thought is that each application has different needs. It might But I think you are right, BrowserID is optimized for applications On Wed, Dec 7, 2011 at 1:50 AM, Nimrod S. Kerrett
Iris Couch |
Been pondering all this for a bit. First, it's a great discussion and I would like to continue this conversation further (as we do have a BrowserID's long term goal (afaik) is to have e-mail providers do the At any rate, I do think another venue is better, and I am very Thanks again for kicking this off, TheDod. See you both 'round the |
It wouldn't work (unless the end user is tricky). BrowserID, as a single-sign-on (SSO) service won't let you be logged in at the same time as different ids (email addresses) in different browser tabs. OpenID is an SSO too, but there are many providers, so I can have an SSO environment as gay, another one as a cancer patient, etc. If I understand correctly, even in the future (when BrowserID plans to allow for non-mozilla identity providers), an end user has a single identity [at least simultaneously] all over the BrowserID world. The way I see it, this violates tho basic human right to troll :)
Maybe I'll join it mid January (traveling at the moment and don't want to bum-rush my mailbox). If you feel like raising the identity issue at the mailing list before I'm back, I've written some text about it, and people are welcome to contact me via github messaging or here. Maybe we can try and discuss this via mingle itself ;) |
If there's a config option in the browserid called hash_secret, usernames become a hash of the BrowserID email, with hash_secret as salt. If hash_secret doesn't exist - it works just like before (username is the BrowserID email address).