Re: Is it possible to impersonate an identity?

On 02/17/2014 08:54 AM, Melvin Carvalho wrote:
> I have a question over whether it's possible to impersonate an 
> identity, say, alice@example.com

In general, it is always possible for an identity provider to
impersonate you since they control your data (including which public
keys you use to digitally sign your information). At some point, you
have to trust /something/ with your identity online.

You can mitigate this to some degree by keeping the listing of your
public keys on a separate server, but then the question is - who
controls that server.

The only way to be truly certain is to run your own software on a
machine that you own. Even then, there are ways to impersonate your
identity (such as faking a TLS cert, intercepting your communication if
it isn't encrypted over TLS, HTTP->HTTPS HSTS hijacking, etc.).

> If I have understood correctly web payments identities will be 
> compatible with Persona / BrowserID

Correct.

> Does this mean they will look up .well-known/browserid in
> example.com and if not fall back to the mozilla
> server? Would that mean that mozilla could then impersonate Alice?

Yes, in that Mozilla could assert that your login identity is somewhere
that it's not. For example, they could launch this attack against you:

You login via Persona, and end up relying on Mozilla's server to do so.
Mozilla, being the evil, faceless corporation that they are (kidding!),
injects a different identity URL into the login assertion, let's say:
"http://mozilla.org/fakeidentities/melvin". The site that you're logging
in to then uses that identity, and thus all assertions end up w/ that
identity, and over time, that identity would collect all your personal
information, which they could then steal.

The likelihood that Mozilla would do this is fantastically low to
non-existent, but a less reputable company might, especially as the new
identity system starts to gain popularity.

The alternative is to rent an AWS server and run your own identity
software on there, or pick an identity service that has no reason to
forge your identity (like your national government, or a national
government that you trust).

In the end, it all boils down to trust - who do you trust with your
identity information?

-- manu

-- 
Manu Sporny (skype: msporny, twitter: manusporny, G+: +Manu Sporny)
Founder/CEO - Digital Bazaar, Inc.
blog: The World's First Web Payments Workshop
http://www.w3.org/2013/10/payments/

Received on Friday, 21 February 2014 13:11:46 UTC
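The relying-party side of the scenario above, as an added illustration that is not part of the thread and not Persona's or Digital Bazaar's code: a site receiving a BrowserID-style assertion checks the signature against the issuer's published key, the audience, the expiry, whether the issuer is authoritative for the asserted address, and (when the user is signing in to an existing account) whether the asserted identity is the one the account is registered under. Everything here is constructed: the fallback issuer name `login.persona.org` is an assumption, per-issuer HMAC secrets stand in for the public keys a real issuer publishes at `/.well-known/browserid`, and the relying-party origin and clock are fixed values.

```python
import hashlib
import hmac
import json

# Assumption: the Mozilla-run fallback IdP consulted when a domain publishes
# no /.well-known/browserid document (name constructed for this example).
FALLBACK_ISSUER = "login.persona.org"

# Constructed stand-in for the key each issuer publishes at its
# /.well-known/browserid URL. Real BrowserID uses public-key signatures;
# a per-issuer HMAC secret replaces that here so the example runs offline.
ISSUER_KEYS = {
    "example.com": b"constructed-key-example-com",
    FALLBACK_ISSUER: b"constructed-key-fallback",
}

RP_ORIGIN = "https://rp.example.net"  # constructed relying-party origin
NOW = 1_392_987_106  # fixed clock (seconds) so the checks are deterministic


def issue_assertion(issuer, email, audience, exp):
    """What an identity provider hands back: signed claims naming an identity."""
    payload = json.dumps(
        {"iss": issuer, "email": email, "aud": audience, "exp": exp},
        sort_keys=True,
    )
    sig = hmac.new(ISSUER_KEYS[issuer], payload.encode(), hashlib.sha256).hexdigest()
    return {"payload": payload, "sig": sig}


def issuer_is_authoritative(issuer, email):
    """An issuer may vouch only for its own domain, unless it is the trusted fallback."""
    domain = email.rsplit("@", 1)[-1].lower()
    return issuer.lower() in (domain, FALLBACK_ISSUER)


def verify_assertion(assertion, audience=RP_ORIGIN, expected_email=None, now=NOW):
    """Relying-party checks. Returns the verified email or raises ValueError."""
    claims = json.loads(assertion["payload"])
    key = ISSUER_KEYS.get(claims["iss"])
    if key is None:
        raise ValueError("unknown issuer: %s" % claims["iss"])
    good = hmac.new(key, assertion["payload"].encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(good, assertion["sig"]):
        raise ValueError("signature does not verify")
    if claims["aud"] != audience:
        raise ValueError("assertion was issued for a different site")
    if claims["exp"] <= now:
        raise ValueError("assertion expired")
    email = claims["email"]
    if not issuer_is_authoritative(claims["iss"], email):
        raise ValueError("%s is not authoritative for %s" % (claims["iss"], email))
    if expected_email is not None and email.lower() != expected_email.lower():
        raise ValueError("assertion names %s, but the user is signing in as %s"
                         % (email, expected_email))
    return email


def outcome(assertion, **kw):
    """Collapse verify_assertion to ('ok', email) or ('rejected', reason)."""
    try:
        return ("ok", verify_assertion(assertion, **kw))
    except ValueError as err:
        return ("rejected", str(err))


# 1. Normal login: example.com vouches for its own user.
GOOD = issue_assertion("example.com", "alice@example.com", RP_ORIGIN, NOW + 300)

# 2. The swap described in the mail: the fallback issuer hands back an
#    assertion for an address the user never signed in as.
SWAPPED = issue_assertion(FALLBACK_ISSUER, "melvin@fakeidentities.mozilla.org",
                          RP_ORIGIN, NOW + 300)

# 3. A valid assertion replayed at a site it was not issued for.
WRONG_SITE = issue_assertion("example.com", "alice@example.com",
                             "https://other.example.org", NOW + 300)

# 4. The residual risk: the fallback vouching for alice@example.com directly.
FALLBACK_VOUCH = issue_assertion(FALLBACK_ISSUER, "alice@example.com", RP_ORIGIN, NOW + 300)

if __name__ == "__main__":
    print(outcome(GOOD))
    print(outcome(SWAPPED, expected_email="melvin@example.com"))
    print(outcome(SWAPPED))
    print(outcome(WRONG_SITE))
    print(outcome(FALLBACK_VOUCH))
```

Binding the assertion to the account's registered address (`expected_email`) catches the substituted identity when the user is signing in to an account the site already knows; without that binding the swapped assertion passes, because the fallback issuer is trusted for every domain it is consulted for. Case 4 shows the limit of what the relying party can check: if the fallback issuer vouches for `alice@example.com` itself, the site cannot distinguish that from a legitimate login, which is exactly the trust placed in the fallback provider that the message describes.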