<?xml version='1.0' encoding='UTF-8'?><?xml-stylesheet href="http://www.blogger.com/styles/atom.css" type="text/css"?><feed xmlns='http://www.w3.org/2005/Atom' xmlns:openSearch='http://a9.com/-/spec/opensearchrss/1.0/'><id>tag:blogger.com,1999:blog-20434908.post1378296572609219831..comments</id><updated>2009-11-22T18:46:57.792+02:00</updated><title type='text'>Comments on Rational Relational: Assumption is The Mother of All Fuckups - Firefox ...</title><link rel='http://schemas.google.com/g/2005#feed' type='application/atom+xml' href='http://blog.shlomoid.com/feeds/1378296572609219831/comments/default'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/20434908/1378296572609219831/comments/default'/><link rel='alternate' type='text/html' href='http://blog.shlomoid.com/2008/02/assumption-is-mother-of-all-fuckups.html'/><author><name>Shlomo Priymak</name><uri>http://www.blogger.com/profile/08509735030020026930</uri><email>noreply@blogger.com</email></author><generator version='7.00' uri='http://www.blogger.com'>Blogger</generator><openSearch:totalResults>5</openSearch:totalResults><openSearch:startIndex>1</openSearch:startIndex><openSearch:itemsPerPage>25</openSearch:itemsPerPage><entry><id>tag:blogger.com,1999:blog-20434908.post-2885170564816915332</id><published>2008-10-09T20:54:34.562+02:00</published><updated>2008-10-09T20:54:34.562+02:00</updated><title type='text'>OK, if a bad person had access to your computer, t...</title><content type='html'>OK, if a bad person had access to your computer, this would be a bad thing. Nothing new, right?&lt;BR/&gt;&lt;BR/&gt;I mean, that person could as well switch Java on and surf to a malicious website to get your PC infected (with a Trojan horse, for example), so that encryption doesn't help you anymore! 
&lt;BR/&gt;So why should Firefox give you the illusion your passwords were safe, by encrypting them?&lt;BR/&gt;&lt;BR/&gt;When my browser tells me it "remembers" a piece of information (like a password), then my intuition tells me, that information has to be stored somewhere and that it can be received easily. Like, your surfing history, cookies, and, by the way, ANY OTHER DATA ON YOUR HARD DRIVE can be easily read out and even manipulated in no time by anyone who has physical access to your running computer! This person could also directly infect your PC (with a Trojan horse, for example) and/or manipulate it in every possible way! To prevent this (I don't know if this is really totally possible at all) you'd have to take FAR MORE steps than simply configuring your browser right! Or, on the other hand, you could just log off from your Windows session (press Windows key + L), or turn on a password-protected screen saver or whatever, when you leave your running computer for a short time. This would NOT be absolutely secure, but already much more secure than encrypting your passwords!&lt;BR/&gt;&lt;BR/&gt;Encrypting your passwords could only act as a child-proof lock!&lt;BR/&gt;&lt;BR/&gt;The only real security purpose imaginable to me would be, if someone breaks into your home and accesses your computer you could prevent him/her from easily reading out your passwords, but ONLY if you realize that your PC has been accessed and immediately delete and reinstall your whole system, in order to destroy any Trojan horse!&lt;BR/&gt;But for that scenario it would make MUCH more sense to encrypt your whole hard drive (free programs for that purpose are available on the net), so again, consider password encryption to be a child-proof lock and only use it for that single purpose!</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/20434908/1378296572609219831/comments/default/2885170564816915332'/><link rel='self' type='application/atom+xml' 
href='http://www.blogger.com/feeds/20434908/1378296572609219831/comments/default/2885170564816915332'/><link rel='alternate' type='text/html' href='http://blog.shlomoid.com/2008/02/assumption-is-mother-of-all-fuckups.html?showComment=1223578474562#c2885170564816915332' title=''/><author><name>Anonymous</name><email>noreply@blogger.com</email></author><thr:in-reply-to xmlns:thr='http://purl.org/syndication/thread/1.0' href='http://blog.shlomoid.com/2008/02/assumption-is-mother-of-all-fuckups.html' ref='tag:blogger.com,1999:blog-20434908.post-1378296572609219831' source='http://www.blogger.com/feeds/20434908/posts/default/1378296572609219831' type='text/html'/></entry><entry><id>tag:blogger.com,1999:blog-20434908.post-4853734753932874281</id><published>2008-02-23T16:47:42.579+02:00</published><updated>2008-02-23T16:47:42.579+02:00</updated><title type='text'>Yeah, I know you can do this, this is why I said "...</title><content type='html'>Yeah, I know you can do this, this is why I said "somewhat mitigated if you place a master-password over the configuration". 
:)&lt;BR/&gt;&lt;BR/&gt;For most users, the default configuration is the only configuration - and they assume it works a certain way, which it doesn't really.</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/20434908/1378296572609219831/comments/default/4853734753932874281'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/20434908/1378296572609219831/comments/default/4853734753932874281'/><link rel='alternate' type='text/html' href='http://blog.shlomoid.com/2008/02/assumption-is-mother-of-all-fuckups.html?showComment=1203778062579#c4853734753932874281' title=''/><author><name>Shlomo Priymak</name><uri>http://www.blogger.com/profile/08509735030020026930</uri><email>noreply@blogger.com</email><gd:extendedProperty xmlns:gd='http://schemas.google.com/g/2005' name='OpenSocialUserId' value='14670563893292506590'/></author><thr:in-reply-to xmlns:thr='http://purl.org/syndication/thread/1.0' href='http://blog.shlomoid.com/2008/02/assumption-is-mother-of-all-fuckups.html' ref='tag:blogger.com,1999:blog-20434908.post-1378296572609219831' source='http://www.blogger.com/feeds/20434908/posts/default/1378296572609219831' type='text/html'/></entry><entry><id>tag:blogger.com,1999:blog-20434908.post-2800138450574761973</id><published>2008-02-22T17:56:24.110+02:00</published><updated>2008-02-22T17:56:24.110+02:00</updated><title type='text'>In case you didn't know, then (since, like, foreve...</title><content type='html'>In case you didn't know, then (since, like, forever) you can set a master password on your Firefox profile and then all your sensitive details would be encrypted.&lt;BR/&gt;&lt;BR/&gt;Then, the first time a sensitive detail is needed (in a session), you're prompted for the password.&lt;BR/&gt;&lt;BR/&gt;In your Preferences, go to Security and then check Use Master Password.&lt;BR/&gt;&lt;BR/&gt;In fact, I can almost swear that the first time you're prompted to save a password and you accept that 
offer, you're also offered to set a master password.</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/20434908/1378296572609219831/comments/default/2800138450574761973'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/20434908/1378296572609219831/comments/default/2800138450574761973'/><link rel='alternate' type='text/html' href='http://blog.shlomoid.com/2008/02/assumption-is-mother-of-all-fuckups.html?showComment=1203695784110#c2800138450574761973' title=''/><author><name>Ilya</name><uri>http://www.blogger.com/profile/11368142121604941022</uri><email>noreply@blogger.com</email></author><thr:in-reply-to xmlns:thr='http://purl.org/syndication/thread/1.0' href='http://blog.shlomoid.com/2008/02/assumption-is-mother-of-all-fuckups.html' ref='tag:blogger.com,1999:blog-20434908.post-1378296572609219831' source='http://www.blogger.com/feeds/20434908/posts/default/1378296572609219831' type='text/html'/></entry><entry><id>tag:blogger.com,1999:blog-20434908.post-9011407944421012396</id><published>2008-02-18T19:51:52.856+02:00</published><updated>2008-02-18T19:51:52.856+02:00</updated><title type='text'>You're right, just hashing it one-way is wrong, bu...</title><content type='html'>You're right, just hashing it one-way is wrong, but it doesn't prevent the password management system (whatever it is) from encrypting it in some form, which people assume is not easily accessible as it is here.</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/20434908/1378296572609219831/comments/default/9011407944421012396'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/20434908/1378296572609219831/comments/default/9011407944421012396'/><link rel='alternate' type='text/html' href='http://blog.shlomoid.com/2008/02/assumption-is-mother-of-all-fuckups.html?showComment=1203357112856#c9011407944421012396' title=''/><author><name>Shlomo 
Priymak</name><uri>http://www.blogger.com/profile/08509735030020026930</uri><email>noreply@blogger.com</email><gd:extendedProperty xmlns:gd='http://schemas.google.com/g/2005' name='OpenSocialUserId' value='14670563893292506590'/></author><thr:in-reply-to xmlns:thr='http://purl.org/syndication/thread/1.0' href='http://blog.shlomoid.com/2008/02/assumption-is-mother-of-all-fuckups.html' ref='tag:blogger.com,1999:blog-20434908.post-1378296572609219831' source='http://www.blogger.com/feeds/20434908/posts/default/1378296572609219831' type='text/html'/></entry><entry><id>tag:blogger.com,1999:blog-20434908.post-4644079331610279422</id><published>2008-02-18T18:55:05.148+02:00</published><updated>2008-02-18T18:55:05.148+02:00</updated><title type='text'>This may be somewhat besides the point, but it's i...</title><content type='html'>This may be somewhat beside the point, but it's important to point out that passwords can't be saved in an encrypted or otherwise mangled fashion (i.e. hashed). This is because the passwords' plaintext must be available for use when preparing the request, be it HTTP, HTTPS or otherwise.</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/20434908/1378296572609219831/comments/default/4644079331610279422'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/20434908/1378296572609219831/comments/default/4644079331610279422'/><link rel='alternate' type='text/html' href='http://blog.shlomoid.com/2008/02/assumption-is-mother-of-all-fuckups.html?showComment=1203353705148#c4644079331610279422' title=''/><author><name>Asaf</name><uri>http://www.blogger.com/profile/04982477020869207918</uri><email>noreply@blogger.com</email></author><thr:in-reply-to xmlns:thr='http://purl.org/syndication/thread/1.0' href='http://blog.shlomoid.com/2008/02/assumption-is-mother-of-all-fuckups.html' ref='tag:blogger.com,1999:blog-20434908.post-1378296572609219831' 
source='http://www.blogger.com/feeds/20434908/posts/default/1378296572609219831' type='text/html'/></entry></feed>