LWN: Comments on "The Firefox password manager vulnerability"

The Firefox password manager vulnerability

techhelp — 2008-10-14T23:07:27+00:00

Firefox seems to have this problem with some sites that require a password to log in. There is a very good thread on it at net tech guide (Firefox password problems) Hope this helps

The Firefox password manager vulnerability

riches2rags — 2007-12-12T22:27:24+00:00

Bear in mind, that if the user has been brought to a "poser" web site, no password manager
client-side bug is gonna matter if he/she is clicking "OK" anyway. The data has been
deliberately sent (ie. exposed). The client maintained list is not, in and of itself,
compromised. The hidden form field phishing is a bit less culpable for the client. Simplest
solution might be to add a "paranoia" setting to the PM that presents a DB exposing the fqdn
about to receive the sensitive submission asking "Are you sure this is a valid authentication
request?<continue><cancel>
The onus is on the user to double check the validity of the transaction one last time.
IMHO, any truly sensitive authentication should be using encrypted transmission with mutual
trust verification anyway, or the user should seriously consider doing business elsewhere.

The Firefox password manager vulnerability

activesolutions — 2007-04-19T21:32:07+00:00

Try this one:

http://www.geocities.com/ramix_info/

It's written in Java, so the OS doesn't matter, and uses blowfish encryption.

Why is the server-side fix not sufficient?

gerv — 2006-12-07T00:40:59+00:00

> The way "most smaller sites" apply security fixes is "not at all".

Then they have bigger problems than input type="password". You worry about your password getting out; if they get hacked, every bit of information you've given them gets out, not just your password.

Either sort of fix would require security updates from someone. The server-side fix doesn't reduce the functionality of a useful browser feature; the client-side fix would.

Gerv

Why is the server-side fix not sufficient?

walles — 2006-12-05T10:56:01+00:00

The way "most smaller sites" apply security fixes is "not at all". Since it's my password that gets out that way, this isn't acceptable IMO.

I don't care if somebody develops a new web browser with this problem, since that wouldn't affect me.

As long as *I* keep using Firefox, I only care about getting Firefox fixed. If somebody else uses some other browser, it's up to them to worry about that browser's security issues.

The Firefox password manager vulnerability

alspnost — 2006-12-04T23:41:47+00:00

Well, there's PasswordSafe on Windoze, which seems good. On Linux, I just use a nice GPG-encrypted file, which ought to be good enough for most people.

The Firefox password manager vulnerability

k8to — 2006-12-03T16:02:48+00:00

I believe your parent is referring to the idea of having a password which is never set, but it is merely pre-arranged.

That is, a one-time password system where both parties can generate an unending linear set of passwords, so each password is generated by, and known to both parties in advance, but is only disclosed the once to authenticate. Traditional passwords become less secure as they are used. One-time passwords are discarded on use, so there is no lessening of security.

The downside of one-time passwords of course is they take even more effort than regular passwords, and at the rate at which passwords (ab)use is multiplying, I think neither is sustainable.

Post-It notes

k8to — 2006-12-03T15:55:01+00:00

As the post you are responding to pointed out, post-it notes are useful because access to them is restricted to a physical domain, which can be quite small. A post it note on my computer here, for example, will be viewable by myself and a few close friends who visit my apartment. The risk is _quite_ small, and it would be fine for most applications.

The Firefox password manager vulnerability

bluefoxicy — 2006-12-03T05:17:32+00:00

For transparency's sake, a Slashdot comment on my would-be version. Not quite identical (I was thinking automating the password send with JavaScript), but worked off the browser-fills-in-the-password theory.

No I'm not trying to take credit; I hadn't dreamed it could be solved by a password manager change, or considered vanilla phishing, or user-triggered non-javascript buttoneering, or any of that.

The Firefox password manager vulnerability

bluefoxicy — 2006-12-03T04:34:43+00:00

I've been meaning to implement this hack for months; gather a hundred or so passwords; devise a fix; and ship the whole shebang to MySpace and (sans-passwords) BugTraq. Never got around to it though...

Good show. I'm glad to see the first real-world occurrence was benign; it'd be just awful if someone had gathered user ID/password pairs and used the unattributed but often correct assumption that they're going to be the same for Amazon/Ebay/etc.

Why is the server-side fix not sufficient?

gerv — 2006-12-03T02:01:39+00:00

"So how do you intend to get "most smaller sites" to update to CMS without this problem?"

In the same way they upgrade to get any other security fix?

"And make sure nobody ever develops a new CMS with this problem?"

How do you plan to make sure nobody ever develops a new web browser with this problem?

Gerv

Why is the server-side fix not sufficient?

walles — 2006-12-02T10:50:50+00:00

So how do you intend to get "most smaller sites" to update to CMS without this problem? And make sure nobody ever develops a new CMS with this problem?

I still think fixing one web browser sounds easier than fixing "a small number of major sites" and "most smaller sites".

Why is the server-side fix not sufficient?

gerv — 2006-12-02T01:55:10+00:00

But it's not "all web sites". It's a small number of major sites (eBay, mySpace) which include "rich" user-generated content of this sort. Most smaller sites use a packaged CMS; these can be fixed if necessary.

Gerv

The Firefox password manager vulnerability

vmole — 2006-12-01T21:46:24+00:00

If you use a palm device, keyring works well. There's a jPilot plugin, so you can sync with your PC and have access to the passwords both from your palm pilot and jpilot.

The Firefox password manager vulnerability

nevyn — 2006-12-01T17:12:22+00:00

For windows see the one Bruce Schneider started and oversees. For GNOME there's Revelation (and the older gringotts, which is pretty unmaintained and isn't as nice to use, IMO).

Personally I get firefox to remember all my web passwd's, as well as having them in revelation, they are all unique and 90+% of them it wouldn't matter if they were compromised for a few days. Like OMG someone stole my mailman admin passwd, stop the press.

Why is the server-side fix not sufficient?

walles — 2006-12-01T08:22:14+00:00

Fixing one web browser is easier than fixing all web sites.

Why is the server-side fix not sufficient?

gerv — 2006-11-30T21:38:40+00:00

"Several of the comments maintain that it is completely a server-side issue and that sites must take steps to insure that what they serve does not contain this kind of content. Unfortunately for Firefox users and developers, that simplistic approach will not suffice."

Why not? It suffices for JavaScript - that is, if a site includes user-supplied JavaScript in a page, Firefox currently doesn't promise to protect the user from anything it might do, and sites are quite happy to say "Yes, it's our responsibility to filter out script". And that is a good deal harder than filtering out <input type="password">... No-one would blame Firefox if MySpace allowed script and then malicious users started stealing login cookies.

People who place user-supplied content onto their website pages need to do filtering anyway - and, if they are smart, it'll be whitelist-based. We've just discovered one new thing they have to filter for.

The Firefox password manager vulnerability

rriggs — 2006-11-30T21:05:29+00:00

Actually passwords are fine _provided they're used only once_. The point being that disclosing a password for any reason compromises it, even if the reason is to gain access to the password-protected service.

Unless I misunderstand what you are saying, your logic is flawed. One has to disclose the password to set it in the first place.

The Firefox password manager vulnerability

jstAusr — 2006-11-30T20:59:35+00:00

Does anyone use a stand alone password manager? Are there any good ones? I don't like storing the passwords in the browser because I don't see how that could ever be safe, but I am unable to remember them all either. Isn't an encrypted file to be used in case of brain malfunction just as good as anything else?

Post-It notes

emkey — 2006-11-30T17:53:17+00:00

Post its are never a good idea. Why have passwords if they are? Passwords exists to limit access and provide auditing. Making it easy for somebody in your group or company to use your identity is not a good thing.

The main reason I don't store passwords beyond the obvious security issues is that I WILL forget a password if I don't have to type it in regularly.

The Firefox password manager vulnerability

k8to — 2006-11-30T15:37:48+00:00

I agree. Part of the problem is that so much "web security" is valueless. Some of it is valueless to the user, but not the site. Some of it is just plain valueless in its entirety.

The spawn of unnecessary 'security' is what begat this feature to paper over the problem. I think it's just fine that hackers will find out my login is "user" and my password is "password" at all these silly web domains.

Sure, some people do end up using this feature where security is actually important, but I think the crying wolf that websites do unnecessarily might be as big a security problem, in the long run, as anything else.

Post-It notes

Richard_J_Neill — 2006-11-30T13:11:34+00:00

Often, post-it notes are quite sensible for storing passwords. It all depends on who has physical access, and for domestic users, writing the password down is no bad thing, especially if it helps them remember it. Of course it depends on what the password is for, but in most cases, if someone can break into your house, you have bigger problems than losing your passwords!

The real danger is when a user uses the same password in multiple different places. Then, say their slashdot login might also work for their bank.

The Firefox password manager vulnerability

khim — 2006-11-30T09:13:08+00:00

Previous answer was much better then your long tirada. Have you even read the article ?

The problem happens not when the wrong site shows the form. Problem happens when "trusted" site allow HTML in posts! Then you can put form with TARGET="malicious site" and fqdn or not fqdn - password will be sent to cracker...

The Firefox password manager vulnerability

nix — 2006-11-30T09:11:38+00:00

From the look of
kdelibs-3.5.5/khtml/html/html_formimpl.cpp:calculateAutoFillKey()
(svnversion 606559), it uses
that part of the URL before the first occurrence of a match to the regex
[,;!], followed by a # and the name of the form element. This seems
vulnerable to me under situations where URL parameters determine privilege
boundaries :/

(Why [,;!] and not ?, I wonder? The comment in the code implies that this
is working around a `potential security issue' but doesn't say what that
issue *is*.)

The Firefox password manager vulnerability

beejaybee — 2006-11-30T08:47:28+00:00

What we really need is something like a smartcard which will generate one-time passwords and automatically communicate the next valid password to the service provider once access has been granted.

Firefox has fallen into the "convenience trap" here & urgently needs to be fixed. The quick (?) hack of copying the Opera "magic wand" procedure is probably the best mechanism for low to medium security requirements in the short term.

The Firefox password manager vulnerability

mms — 2006-11-30T08:22:48+00:00

I have to disagree on this straight-forward "yes". Konqueror does not
match the domain name, but instead seems to use the entire, fqdn. And,
unlike IE, it won't help you if the fqdn does not match, even if you fill
the form with a valid username.

So, is Konqueror vulnerable to this very problem? I'm not really sure.

The Firefox password manager vulnerability

roelofs — 2006-11-30T03:59:43+00:00

The best thing is, you can actually put a passpoem there.

An epic passpoem!

The Firefox password manager vulnerability

rsw — 2006-11-30T03:26:39+00:00

One possible solution is to move away from passwords as an authentication key. Why can't servers generate an SSL certificate based on the username? Of course, then there would be an issue of carrying the certificates around wherever access is required, but perhaps something like Schnieir's pass safe equivalent could be used.

But as an initial fix, the Firefox UI will need to change to be less automated, requiring a positive action by the user to cause the fields to be entered

The Firefox password manager vulnerability

proski — 2006-11-30T01:35:47+00:00

The best thing is, you can actually put a passpoem there.

The Firefox password manager vulnerability

NAR — 2006-11-29T23:05:52+00:00

The head might be safe against attackers, but definitely not safe against forgetting passwords (actually we use computers to store data instead of our heads). There are a couple of services in the company intranet which I use at most twice in a month, but the password expires every 60 days - I tend to ask for new passwords from IT at least once a month for one of these services.

Bye,NAR

The Firefox password manager vulnerability

johnkarp — 2006-11-29T22:47:07+00:00

Ideally, yes, people would easily remember dozens of unique psuedorandom
passwords. But even security expert Bruce Schneier
seems to acknowledge the usefulness of encrypted password databases... he
even maintains one:

http://www.schneier.com/passsafe.html

The Firefox password manager vulnerability

sward — 2006-11-29T22:45:49+00:00

Bear in mind, however, that many site passwords are not there for your security - they are there to "protect" the content on the site against unauthorized viewing. So as long as you do not use the password manager (or postit notes) for truly sensitive passwords, why would you even care about this exploit?

I agree with you, for important passwords (my email login, finances, etc.) - I don't store those at all. But I have no qualms about storing my assorted subscription logins (like lwn.net) in the password manager.

The Firefox password manager vulnerability

kirkengaard — 2006-11-29T22:21:35+00:00

On the pat yourself on the back side of things, yes, good security practice does suggest that this sort of crutch is just like writing down your passwords anywhere else. Raise your hand if you know someone who has their login written on the computer or monitor (or a post it attached thereunto). The unwary user who simply says, "Oh! A labor saving device! I hate forgetting the password for that website!" is foolish, but common.

The Firefox password manager vulnerability

stuart — 2006-11-29T21:50:11+00:00

yes

The Firefox password manager vulnerability

emkey — 2006-11-29T21:49:53+00:00

Some day people will learn that the only safe place to store passwords is in your head. I've never trusted any of these systems for anything but the most trivial use. I never will.

The Firefox password manager vulnerability

johnkarp — 2006-11-29T21:44:25+00:00

Anyone know whether Konqueror has this vulnerability?