by darxius 4821 days ago
I haven't been keeping up to date with Persona, but doesn't this open a window for email account breaching? I can picture some malicious websites mocking the "Sign in with persona" process and gaining the email AND associated password for that account without much trouble. Unless I've misunderstood Persona's point and the password is different from the user's email password.

Our team has thought a lot about this.

There are a bunch of angles to answer this from.

Short answer (assuming native browser, native webmail provider): The malicious website would have to fake browser chrome and fake the user's webmail login flow.

Long answers: Search through the mailing list and get involved! https://groups.google.com/forum/?fromgroups#!forum/mozilla.d...

Thanks for the link ozten, I'll definitely follow the mailing list. Cheers on the good work -- I'm sick of entering passwords.
What if I just want to collect emails and passwords, and with a free cert and a funky domain harvest (email, password) pairs? I thought the whole point was to be passwordless?

Second, I wanted to play a crossword puzzle. I click login and am greeted with a popup window. I put in my email, then it asks for a password (ok, whatever). So now I have to go to my email, and it says that I click the link and can go play the puzzle, but then it takes me to some Persona account manager thing. I go back to my email, click the link again, this time with an error and no puzzle :(

What's new here? That your plan is to just store logins for people? Do you share my email with the webapp I wanted to use? Seriously, what's new here?

Could you try going back to the crossword and trying to log in?

If that doesn't work, it sounds like you hit a bug -- could you file that at https://github.com/mozilla/browserid/issues, please?

The password stuff was because your email provider doesn't support Persona's protocol, so it fell back to asking Mozilla to validate your identity with a challenge email (and a password, so you don't have to use a challenge email when you come back next time).