
Firefox 70 released

Posted Oct 23, 2019 7:47 UTC (Wed) by kragil (guest, #34373)
In reply to: Firefox 70 released by josh
Parent article: Firefox 70 released

Storing all your passwords in one place, what could possibly go wrong.


Firefox 70 released

Posted Oct 23, 2019 14:19 UTC (Wed) by mathstuf (subscriber, #69389)

I think you missed this part:

> for novice users

Personally, I need passwords outside the browser, so a browser-based password manager is immediately off my list. But, it seems reasonable for most people.

Firefox 70 released

Posted Oct 23, 2019 19:34 UTC (Wed) by josh (subscriber, #17465)

I need occasional passwords outside the browser too, so I copy them out of Firefox when I need them.

Firefox 70 released

Posted Oct 24, 2019 0:08 UTC (Thu) by mathstuf (subscriber, #69389)

I envy you that you just have passwords to deal with :) . TOTP secrets, SSH keys, support for doing this on Android (and acting as an autofiller there). Is Firefox on Android going to register as an autofiller? Will it act as an ssh-agent? gpg-agent? TOTP seems a little silly to store beside the password database (at least behind a single password).

Personally, I use a LUKS-encrypted USB key with some udev properties, automount rules, and udiskie to get it to act the way I want (mount on-demand once unlocked, unmount after a short inactivity window, mount at a static location, etc.) as the backing store (this is duplicated and geographically backed up as well). I don't think Firefox is going to be able to replace all the use cases I have for it (which includes storing credentials for things that store passwords in static files like cargo, fedpkg, or copr via symlinks).

Firefox 70 released

Posted Oct 24, 2019 17:46 UTC (Thu) by josh (subscriber, #17465)

> TOTP secrets

I use an authenticator app for those.

> SSH keys

Those aren't passwords, so I don't expect a password manager to handle those. Those just go in my home directory in the normal place.

> support for doing this on Android

I use Firefox on Android, and it syncs passwords to there.

> (and acting as an autofiller there). Is Firefox on Android going to register as an autofiller?

That would be nice, and I'd love to see that. But in the meantime, I just use an extension that provides a password manager UI for Firefox for Android, and it has a "copy password" option. I can then paste into an app.

Firefox 70 released

Posted Oct 24, 2019 18:58 UTC (Thu) by mathstuf (subscriber, #69389)

> I use an authenticator app for [TOTP secrets].

With access to the password store and TOTP secrets essentially guarded by just a PIN code or fingerprint (and the same one at that), I don't find a compelling argument that having both on a device is actually using two factors (or does Firefox Sync make you unlock it after each use?). All my password database applications are set up to require a password on any use (with a longer timeout where it makes sense). The TOTP secrets are just guarded by either the Yubikey (which is a thing-you-have) that has a remembered password on my trusted devices (so that just stealing it isn't an end-of-the-world problem) or is stored on an encrypted USB drive (using the aforementioned setup). That actually keeps the thing-you-have property of the second factor.

> I use Firefox on Android, and it syncs passwords to there.

I use Klar (the always-private-browsing-mode variant), which doesn't, as my main browser. I also have the Android variant installed, but mainly for just having an easy way to share pages through it to my other machines via Firefox Sync. Granted, not a problem for most :) .

In any case, it seems that I'll need to figure out some other syncing mechanism for Android since things like Syncthing (which I use) and Dropbox are basically dead with the new API restrictions that will be required next year (the Q API doesn't allow direct filesystem access and Google has been raising the minimum allowed version about a year after it was introduced). Hopefully F-Droid can extend my usage until a new solution is found, but I have low hopes for Google being reasonable here.

Firefox 70 released

Posted Oct 25, 2019 18:24 UTC (Fri) by raven667 (guest, #5198)

> having both on a device is [not] actually using two factors

Sure, that's true, but it's better than TOTP over SMS (hi @jack), and even SMS TOTP is better than nothing and prevents millions of account takeovers. I too have TOTP tokens on a Yubikey (to make it easier to switch between phone, laptop and desktop), but even getting people to use a password manager at all is a pretty heavy lift and more inconvenience than many will tolerate, so anything that makes it easier lowers the bar for use and raises the bar for minimum security; it's something that scales to improve the security for billions of people, in a way that a complex multi-step procedure does not.

Firefox 70 released

Posted Oct 25, 2019 18:48 UTC (Fri) by apoelstra (subscriber, #75205)

> even SMS TOTP is better than not and prevents millions of account takeovers

Maybe. But it causes phone accounts to be taken over, and unlike the situation with online accounts, this cannot be prevented by conscientious users. The fact that many websites (especially American banks) *require* SMS-based 2FA has been a massive detriment to my security, and the security of many people I know.

Firefox 70 released

Posted Oct 28, 2019 18:51 UTC (Mon) by raven667 (guest, #5198)

> Maybe. But it causes phone accounts to be taken over, and unlike the situation with online accounts, this cannot be prevented by conscientious users.

Is security something that only conscientious users should enjoy, or something that should be baked into the defaults? I understand that SMS 2FA puts more strain on the phone system's security, but it also puts more strain on attackers and slows them down too.

> SMS-based 2FA has been a massive detriment to my security

Compared to passwords alone without any second factor? SMS 2FA is worse than just bare passwords, is that your claim? Needing to do SIM cloning to intercept SMS is a significantly higher bar than just compromising the Cat Fancy blog comment system and trying all the creds on the Bank of America website or similar. It's not that it's impossible to beat, we both know it isn't, but whether it's better than the status quo. Password managers and random shared secrets are better than using shared common passwords across many sites, SMS 2FA is better, phone 2FA is better still and an external token is best.

Firefox 70 released

Posted Oct 28, 2019 21:11 UTC (Mon) by mathstuf (subscriber, #69389)

I think the issue is that companies add SMS 2FA and say they're done. Supporting the more secure variants is still necessary for those who want to be more secure. But too often I've seen responses along the lines of "but we have it already", and having to explain why it's not sufficient for me is exhausting. I should probably push hard on my financial institutions (e.g., Fidelity finally has SMS, which I did enable, but while other methods are possible across their setup, they're not available for my account type).

Firefox 70 released

Posted Oct 28, 2019 22:31 UTC (Mon) by pizza (subscriber, #46)

Plus, even putting aside the security flaws inherent to SMS, reliable SMS delivery is not a given -- for example, during international travel. Or should your phone suffer a catastrophic failure. Or both simultaneously.

Firefox 70 released

Posted Oct 29, 2019 20:56 UTC (Tue) by apoelstra (subscriber, #75205)

> Is security something that only conscientious users should enjoy, or something that should be baked into the defaults?

Of course security should not be limited to conscientious users, but SMS 2FA strictly increases the conscientiousness you need to be secure. With 1FA you need to use strong unique passwords; with SMS 2FA you also need to use non-public throwaway phone numbers. I know several people personally who have had their numbers ported, which led to multiple simultaneous account compromises (even when using unique passwords), not to mention being extremely inconvenient.

> I understand that SMS 2FA puts more strain on the phone system's security, but it also puts more strain on attackers and slows them down too.

It doesn't seem to put any strain on the phone system's security. Phone companies are happy to let attackers port arbitrary numbers with basically no resistance and then absolve themselves of all responsibility. As far as I know no legal system in the world holds them accountable for this.

Firefox 70 released

Posted Oct 26, 2019 12:45 UTC (Sat) by mathstuf (subscriber, #69389)

The main problem I have with TOTP-over-SMS is that I can't back it up. I have TOTP secrets encrypted and geographically backed up. I can't do that with my SIM card (well, at least not without SIM hijacking or swapping myself). Not to mention the lack of trust I have for telephone companies in the first place.

As for getting people to use password managers, I have gotten my family onto LastPass. They also have Yubikeys now, but that involves some more instruction over time and hasn't been as easy for them to start using. Now that U2F is more widely available, hopefully there will be some time over the holidays to get that working for them.

Firefox 70 released

Posted Oct 25, 2019 8:37 UTC (Fri) by christoph.gysin (guest, #57794)

> > (and acting as an autofiller there). Is Firefox on Android going to register as an autofiller?

> That would be nice, and I'd love to see that. But in the meantime, I just use an extension that provides a password manager UI for Firefox for Android, and it has a "copy password" option. I can then paste into an app.

It's already there, and it's called Firefox Lockwise. For both iOS and Android.


Copyright © 2026, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds