by ozten 4821 days ago
Our team has thought a lot about this.

There are a bunch of angles to answer this from.

Short answer (assuming native browser, native webmail provider): The malicious website would have to fake browser chrome and fake the user's webmail login flow.

Long answers: Search through the mailing list and get involved! https://groups.google.com/forum/?fromgroups#!forum/mozilla.d...

2 comments

Thanks for the link ozten, I'll definitely follow the mailing list. Cheers on the good work -- I'm sick of entering passwords.
What if I just want to collect emails and passwords, and with a free cert and a funky domain harvest (email, password)'s? I thought the whole point was to be passwordless?

Second, I wanted to play a crossword puzzle. I click login and am greeted with a popup window, I put in my email, then it asks for a password (ok whatever). So now I have to go to my email, and it says that I click the link and can go play the puzzle, but then it takes me to some Persona account manager thing. I go back to my email, click the link again, this time with an error and no puzzle :(

What's new here? That you guys' plan is to just store logins for people? Do you share my email with the webapp I wanted to use? Seriously, what's new here?

Could you try going back to the crossword and trying to log in?

If that doesn't work, it sounds like you hit a bug -- could you file that at https://github.com/mozilla/browserid/issues, please?

The password stuff was because your email provider doesn't support Persona's protocol, so it fell back to asking Mozilla to validate your identity with a challenge email (and a password, so you don't have to use a challenge email when you come back next time).