Roger Clarke's Web-Site
© Xamax Consultancy Pty Ltd, 1995-2018
|Identity Matters||Other Topics||Waltzing Matilda||What's New|
Exposure Draft of 17 July 2011
Roger Clarke **
© Xamax Consultancy Pty Ltd, 2011
Available under an AEShareNet licence or a Creative Commons licence.
This document is at http://www.rogerclarke.com/II/BrowserID-1107.html
The Mozilla BrowserID initiative has been greeted with enthusiasm by some commentators. An assessment of its characteristics concludes that its design is seriously threatening to individual freedoms, and the scheme should be avoided by consumers and by service-providers interested in serving consumers' needs.
In July 2011, Mozilla announced an identity authentication mechanism based on email-addresses and digital signatures. Its intention is to embed the facility in Mozilla browser-functionality, and to provide an at least interim identity-server in the meantime.
On reading the ArsTechnica article (15 July 2011) that publicised the announcement, I felt a number of concerns about the initiative, and expressed them to Lauren Weinstein, and the comments were published on his Privacy Forum.
This document expands on my original expression of concern. It is based on a critical reading of 'How BrowserID Works', of c. 3 July 2011, mirrored here.
It addresses firstly general concerns about any scheme of this nature, and then some specific concerns about BrowserID in particular.
It is important for many personal, social, economic and political reasons to sustain separation of a person's multiple identities in an electronic world.
During the first two decades of the Internet era, it was sufficient for people to have the option of separating their multiple identities. However, a wide variety of assaults are being conducted on individual freedoms, by governments and business alike, and a considerable amount of invasive technology is being developed in support of those assaults. It is therefore necessary to shift from separation of identities as an option to separation of identities as the norm and the default.
It is vital for a number of personal, social, economic and political reasons to sustain anonymous communications and anonymous access to information in an electronic world. Examples of such reasons include personal safety, freedom to innovate (technically, economically, socially and culturally), whistleblowing, and freedom of speech under repressive regimes (Clarke 2009).
During the first two decades of the Internet era, it was adequate to exploit accidental and incidental features of Internet technologies in order to achieve anonymity. As technologists, governments and corporations tighten the noose on information flows and communications, it has become necessary to design into the Internet features that support anonymity.
All schemes for 'identity management' need to be assessed for their impact on these interests.
A digital signature scheme offers some advantages over a password-based authentication mechanism; but it also involves a considerable range of downsides (Greenleaf & Clarke 1997, Clarke 2001, Clarke 2004).
When a person uses a persistent email-address, they generate a set of communication-flows that expose a great deal about the person's attitudes, activities and behaviour, and of the network of contacts the person has, and of attitudes, activities and behaviour of the person's correspondents. To the extent that the traffic, the archive, or parts of them are retained by persons other than the individual, it is likely to be available to a range of further organisations, and is likely to be exploited by them.
When a person makes persistent use of a particular web-browser on a particular device, they generate a stream of data about the information they have accessed, from which much can be inferred about their interests and their behaviour. Web-browsers are identified with a high degree of probability by means of 'fingerprinting' techniques (Eckersley 2010). To the extent that the traffic, the archive, or parts of them are retained by persons other than the individual, it is likely to be available to a range of further organisations, and is likely to be exploited by them.
When a person makes persistent use of a particular web-browser on a particular device to access web-sites for which a username is required, they associate a stream of data with that particular identity. Usernames are no longer limited to secure eCommerce and eGovernment sites and Internet banking. Many organisations are imposing login constraints variously in order to sell content on a subscription basis, and to lock in users and create walled gardens. So there is a substantial growth in the proportion of the Web access to which is conditional on the provision of a username.
When a person us required to authenticate using a digital signature rather than a password, they may be caused, tempted to or required to use a persistent public key and/or a persistent certificate-identifier. This provides a further identifier correlated with the rest of the set of identifiers.
When a person uses an Internet-connected device for any purpose (i.e. not only email and web-browsing, but also, for example, VoIP, playing a no-longer-personal music-library, and IP-TV), they do so by means of an IP-address, which may be more or less persistent. Each IP-address is in principle associable with a physical location. The associaton may achieved in real-time, or with a moderate delay. With data retention requirements increasingly imposed on ISPs, the association may be able to be achieved retrospectively over an extended period.
Depending on how IPv6 is implemented, an IP-address may carry, or be able to be readily associated with, a unique identifier of the physical device that was used.
In some theoretical primaeval state, a person's email-address(es), web-browser 'fingerprint(s)', username(s), IP-address(es) and device-ID(s) could be independent and uncorrelated. On the other hand, email-messages carry the IP-address, and so does web-traffic; and a site that a person logs into has access to all of the browser fingerprint, username, possibly public key, and IP-address, and possibly, using IPv6, device-ID(s). Technological features have therefore resulted in organisations incidentally achieving a very high degree of correlation among a person's various identifiers.
Organisations have discovered that the richness of the information streams that have been thereby gained about each user is capable of exploitation in a variety of ways. In recent years, new business models have become entirely dependent on these rich, correlated streams of personal data.
It has become common for schemes to make use of an email-address as a username. This has the effect of tightly tying the email-address, and the IP-address from which mail is sent, into the already very rich streams of personal data.
Each player has a great deal of personal data available for exploitation. It is liable to be used for purposes other than its original purpose, and liable to be disclosed to organisations not contemplated by the user as part of the original actions and relationships that gave rise to the data. Corporations have written enormous scope for such exploitation into the Terms of Service that they impose on consumers, SMEs and in many cases also large corporations and government agencies (Clarke 2010). Because of the serious inadequacies of the data protection laws applicable to the dominant service-providers, all of these highly sensitive archives of personal data are porous, and traffickable among business enterprises and government agencies.
Each player has a honey-pot of exploitable data that attracts further parties. This creates the probability of attacks by hackers. The quality of data-centre security against such attacks has been demonstrated many times to be low, and hence a proportion of these attacks will be successful. The honey-pot also attracts law enforcement and national security agencies (LEANS). They may use judicially-issued search warrants to gain access. However, many LEANS have been granted the powers to self-issue 'warrants', have blanket authorisation to gain access, and/or enjoy exemptions from 'computer crimes' laws and hence can perform or commission break-ins.
A further cluster of difficulties arises from the inherent insecurity of consumer computing devices, and the lack of means whereby users can even properly understand the problems, let alone deal with them (Clarke & Maurushat 2007, Clarke 2008).
In short, the current directions of Internet technologies are grossly hostile even to identity separation, let alone anonymity. People who value their privacy need to do their best to avoid usernames based on email-addresses, use large numbers of email-addresses, each for a short period of time, change browsers and browser-settings frequently, force changes in IP-address as often as practicable, and routinely use available tools for identity-obfuscation and IP-address-obfuscation.
To what extent do the 'generic concerns' outlined in the previous section apply to Mozilla's BrowserID initiative.
1. The BrowserID initiative is of the category described and deprecated in the preceding section. By design, it entrenches the consolidation of email-address and username, and their correlation with a public key, a browser-signature and an IP-address.
2. To the extent that a BrowserID 'identity server' is used rather than the certificate being managed within and by the browser, the scheme could enable use from multiple browsers on multiple devices, and hence could enable the correlation of each browser that the person uses, on each device that they use, with all of the other identifiers.
3. The BrowserID short description declares four 'key design features', one of which is "Ownership-Based Authentication". The term is misleading. Authentication is based, initially, on the demonstrated ability to login to the email service. Authentication is based, subsequently, on the demonstrated ability to access the relevant browser's functionality.
4. Given the incidence of malware on consumer devices, the 'Ownership' metaphor is inappropriate. A more suitable notion is 'virtual possession'. Two or even multiple entities may enjoy 'Virtual Possession'. Moreover, the fact that possession is shared with an unauthorised local process, and even by an unauthorised remote process or individual, may be unknown to the user. Given the high quality of rootkits, it may even be effectively unknowable.
5. The BrowserID short description states that a 'Primary Identity Authority' (for which Yahoo! mail and gmail are given as examples) "directly vouches for its users' identities". This is misleading.
Firstly, the purpose of many such schemes is to provide local, not global, assurance, and no undertakings are given to 'relying parties'. Secondly, such assurance as may be provided relates not to any assertion about the user's identity, but only to the existence of such an identity, and the fact that, at some time in the (perhaps recent) past, the (or a) device had satisfied whatever authentication test the organisation applied to the account (which is in most cases a relatively low level of authentication, a password).
6. The BrowserID short description states that the private key is "cached by the browser for the duration of the session". In the absence of a secure component within the consumer device, the private signing key is exposed to processes running in the device during that time. This creates the risk of private-key capture and hence (very convincing) masquerade. This could be a boon for organisations seeking to 'plant' electronic evidence, but it would not be good for the justice system.
7. The BrowserID short description implies that certificate currency is determined by the elapsed time since it was last used. It is unclear whether the user has any capacity to control the term of certificate validity, e.g. to ensure long validity (for convenience), or force short-term validity or single-use (as a security measure).
8. The security of the scheme is entirely dependent on the design specifications and implementation of processes in the browser, including the private-key generation routine and the protection of the key in storage. No mention is made of independent certification of the design and implementation of the browser's security features.
9. The effectiveness of any digital signature scheme is entirely dependent on parties on whom other parties rely providing warranties and indemnities, and securing insurance to cope with systemic failures. No mention is made of warranties and indemnities to underpin the scheme.
The BrowserID initiative appears to be merely yet another in the long line of seriously flawed 'identity management' schemes built around digital signature technology, and based on ill-considered and privacy-threatening assumptions about both technology and human needs.
Clarke R. (2001) 'The Fundamental Inadequacies of Conventional Public Key Infrastructure' Proc. Conf. ECIS'2001, Bled, Slovenia, 27-29 June 2001, at http://www.rogerclarke.com/II/ECIS2001.html
Clarke R. (2004) 'Identity Management: The Technologies,Their Business Value, Their Problems, Their Prospects' Xamax Consultancy Pty Ltd, March 2004, 70 pp., from http://www.xamax.com.au/EC/IdMngt.html
Clarke R. (2008) 'A Risk Assessment Framework for Mobile Payments' Proc. 21st Bled eCommerce Conf., June 2008, pp. 63-77, PrePrint at http://www.rogerclarke.com/EC/MP-RAF.html
Clarke R. (2009) 'Dissidentity The Political Dimension of Identity and Privacy' Identity in the Information Society 1, 2 (April 2009), DOI 10.1007/s12394-009-, PrePrint at http://www.rogerclarke.com/DV/Dissidentity.html
Clarke R. (2010) 'Internet Users' Second-Party Exposure' Xamax Consultancy Pty Ltd, December 2010, at http://www.rogerclarke.com/EC/IU-SPE-1012.html
Clarke R. & Maurushat A. (2007) 'The Feasibility of Consumer Device Security' J. of Law, Information and Science 18 (2007), PrePrint at http://www.rogerclarke.com/II/ConsDevSecy.html
Eckersley P. (2010) 'Web Browsers Leave 'Fingerprints' Behind as You Surf the Net', Electronic Frontiers Foundation, May 2010, at http://www.eff.org/press/archives/2010/05/13
Greenleaf G.W. & Clarke R. (1997) 'Privacy Implications of Digital Signatures' Invited Address, IBC Conference on Digital Signatures, Sydney, 12 March 1997, at http://www.rogerclarke.com/DV/DigSig.html
Roger Clarke is Principal of Xamax Consultancy Pty Ltd, Canberra. He is also a Visiting Professor in the Cyberspace Law & Policy Centre at the University of N.S.W., and a Visiting Professor in the Research School of Computer Science at the Australian National University.
The content and infrastructure for these community service pages are provided by Roger Clarke through his consultancy company, Xamax.
From the site's beginnings in August 1994 until February 2009, the infrastructure was provided by the Australian National University. During that time, the site accumulated close to 30 million hits. It passed 50 million in early 2015.
Sponsored by Bunhybee Grasslands, the extended Clarke Family, Knights of the Spatchcock and their drummer
Xamax Consultancy Pty Ltd
ACN: 002 360 456
78 Sidaway St, Chapman ACT 2611 AUSTRALIA
Tel: +61 2 6288 6916
Created: 17 July 2011 - Last Amended: 17 July 2011 by Roger Clarke - Site Last Verified: 15 February 2009
This document is at www.rogerclarke.com/II/BrowserID-1107.html