Firefox password safety?
February 21, 2005 3:28 PM

How safe is it for me to store passwords in Firefox?

The threat model I'm worried about is a bug in Firefox's site containment stuff letting Javascript / Java from one website somehow get at the stored password for another website. I'm the only one with physical access to my machine, so I'm not concerned about an unauthorized person at the keyboard. And I'm not worried about a trojan stealing passwords: if it's gonna do that, it's gonna run a keysniffer too. A master password doesn't seem to be much help to me.
posted by Nelson to Computers & Internet (13 answers total)
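The "site containment stuff" in the question is the browser's origin model: saved credentials are keyed by the origin (scheme, host, port) they were saved on, and script in a page is never given a way to ask for another origin's entries. Below is an added, simplified model of that rule, written for this page; it is not Firefox's code, and the fill policy and store shape are assumptions for illustration.

```javascript
// Added example, not from the original thread or from Firefox: a minimal
// model of the origin-based "site containment" the question is about.
// Credentials are stored under the origin (scheme + host + port) they were
// saved on, and the only read path requires the browser to say which
// document is asking; nothing the page's own script can do changes that.

// Normalised origin: scheme://host[:port], default ports dropped.
// `new URL(...).origin` implements the WHATWG rules for us.
function originOf(url) {
  return new URL(url).origin;
}

// Hypothetical credential store keyed by origin.
class CredentialStore {
  constructor() {
    this.byOrigin = new Map();
  }

  save(url, username, password) {
    const origin = originOf(url);
    if (!this.byOrigin.has(origin)) this.byOrigin.set(origin, []);
    this.byOrigin.get(origin).push({ username, password });
  }

  // requestingOrigin is supplied by the browser for the document that is
  // asking, never by page script. A request for another origin's entries is
  // refused outright, which is the containment property the question asks about.
  lookup(requestingOrigin, targetUrl) {
    if (originOf(targetUrl) !== requestingOrigin) return [];
    return this.byOrigin.get(requestingOrigin) || [];
  }
}

// Simulated autofill. Policy assumed for this example: fill only when the
// page and the login form's submit target share the stored origin; a form
// that posts elsewhere gets nothing.
function autofill(store, pageUrl, formActionUrl) {
  const page = originOf(pageUrl);
  if (originOf(formActionUrl) !== page) {
    return { filled: false, reason: 'form submits to a different origin' };
  }
  const creds = store.lookup(page, pageUrl);
  if (creds.length === 0) {
    return { filled: false, reason: 'no credentials saved for ' + page };
  }
  return { filled: true, username: creds[0].username, password: creds[0].password };
}

// Constructed sample data (hostnames are invented for the example).
function originDemo() {
  const store = new CredentialStore();
  store.save('https://bank.example/login', 'nelson', 'hunter2');
  return {
    // same origin with an explicit default port: :443 is dropped, so it matches
    sameOrigin: autofill(store, 'https://bank.example:443/account', 'https://bank.example/session'),
    // http is a different origin from https even on the same host
    wrongScheme: autofill(store, 'http://bank.example/', 'http://bank.example/login'),
    // a subdomain is a different origin too
    subdomain: autofill(store, 'https://login.bank.example/', 'https://login.bank.example/'),
    // a page on another site cannot read the bank's entries, however it asks
    crossOriginRead: store.lookup(originOf('https://evil.example/'), 'https://bank.example/login'),
    // same-origin page whose form posts off-site: refused
    offSiteForm: autofill(store, 'https://bank.example/', 'https://evil.example/collect'),
  };
}
```

The point the model makes is that the decision never depends on anything page script controls: the requesting origin comes from the browser, and the lookup compares origins rather than hostnames, so `http://` versus `https://` and a subdomain versus its parent are all treated as different sites.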
 
If you're concerned about bugs within the security model, no system is safe enough.

A post-it would be more secure in your situation.
posted by smackfu at 4:02 PM on February 21, 2005


Ummm... sorry if I don't understand the question, but does this bug actually exist? Are you thinking it does? Or worrying about what to do if it did exist?
posted by ALongDecember at 5:15 PM on February 21, 2005


If you're storing passwords, set a master password. But as smackfu pointed out, if you're this paranoid no system is safe enough; why are you trusting HTTPS?
posted by ubernostrum at 6:28 PM on February 21, 2005


The probability of that sort of flaw turning up is relatively small, I think. In fact, since javascript getting access to stuff it shouldn't is the first thing that comes to mind when you think of web browser security, I'd guess it's among the least likely types of bugs to come up. Look at the ones that have been reported lately: Lots of not-very-exploitable stuff in the same general realm, showing that lots of attention is paid to this area, but nothing anywhere near as serious as local files being readable or form values from other sites being available to javascript.

Within the given constraints on mode of attack, I don't think saving passwords is any measurably greater risk than is using a web browser at all.

I agree that the master password does nothing against non-clueless attackers.
posted by sfenders at 6:50 PM on February 21, 2005


the master password does nothing against non-clueless attackers.

well, other than slow them down a little, or deter them if they're lazy, which can be useful.
posted by sfenders at 6:52 PM on February 21, 2005


Why do you say the master password does nothing - do you know that it uses a weak or useless encryption to store the rest of the passwords? Or are you saying that any master password system does nothing useful?
It's not obvious from looking at the Firefox documentation what kind of encryption they use.
posted by mistersix at 12:54 AM on February 22, 2005


Sorry, my comment about the master password wasn't really appropriate. It does (if it's implemented well, which I'll assume it is) serve to stop someone with read-only access to your filesystem from getting your passwords. Some types of remote exploits (such as via a web server, most commonly) can give this kind of access, so it's some benefit.

If you're not running Firefox on a machine that's also an internet-accessible server, the security benefit is IMO small enough that it's not worth the bother, unless you want to keep your passwords away from your non-hacker roommate.
posted by sfenders at 5:08 AM on February 22, 2005


Stored passwords are not, to the best of my knowledge, available to Javascript in even the most extreme circumstances. It's just not exposed in the object model.

So, your real security concerns are on two grounds:

- Someone getting file-level access to your machine, getting the file, and decrypting it. I'd say, if someone already has file-level access to your machine, you've got bigger problems than your Firefox password list. If you run a web or file server on your desktop, keep it locked down.

- Someone walking up to your machine and getting your passwords. Firefox keeps the actual passwords hidden from the user, so again, it would require someone having the means to get at your filesystem and copy a specific file to another location, etc. Same deal as above, really.

Short answer: Use common sense in keeping your machine locked down. You're fine storing passwords in Firefox.
posted by mkultra at 7:32 AM on February 22, 2005


but, afaik, firefox is written in c. so like any c software, there's the possibility of pointer errors that allow you to break encapsulation. so there might be some way for javascript to tickle an error and gain access. this sounds pretty unlikely - no more likely than finding an error in any other piece of software written in c - except for one thing that struck me just now. if there were some way to encode the search for such an attack then by placing the search code in javascript you get massively distributed computing and so shorten the search time.

for example, maybe you want to see what combination of javascript commands produces an unexpected error (one that might lead to memory access). perhaps you could write code that generates javascript code at random, executes it, and reports back to your server when it finds an unexpected error. running random code is generally a very inefficient way of finding errors, but by distributing the work over everyone's browser you gain access to many machines and so might make it efficient.

this is very hand-waving. i'm not saying such an attack is possible, or something to worry about. it just struck me as an interesting idea.
posted by andrew cooke at 8:57 AM on February 22, 2005


The security problems of C are over-rated. You can write security holes in any language.

Automated searches for buffer overflows are not uncommon. Someone found some holes in MSIE that way last year, iirc.
posted by sfenders at 9:12 AM on February 22, 2005


c has weak typing which makes it easier to have security holes than in a language with consistent types. sure, you can write bad code in any language, but c has one extra trap - one that has proved, time and time again, to be a problem. and yet people continue to spout platitudes like yours.

also, you missed my main point - that the automated search would be distributed and therefore much more powerful.
posted by andrew cooke at 9:41 AM on February 22, 2005


Distributed resources aren't required for the kind of testing I was thinking of. Personally I have done some tests of that kind only once, on a web application; four test clients were more than enough. The barrier to testing more complicated scenarios was application complexity, not computing resources, and I think that would be even more the case if you were testing something as complex as an implementation of javascript. Running through a range of parameters to all the functions in the API for instance would not, I think, require distributed computing. Generating code to test more complex cases would be interesting, but hard to do in a comprehensive way, and the errors you'd have to detect to make it worthwhile would probably be more subtle than your average segv, which should be caught by simpler means. Cool idea though, if you have a better idea than I do about what "random code" would mean.

c has one extra trap - one that has proved, time and time again, to be a problem. and yet people continue to spout platitudes like yours.

Ahem. PHP, Perl, C++, C, SQL, all have their own unique tricks and problems. I'm sure most languages do, though I'm having a hard time thinking of one for Java. C has more than one extra trap, but they are all so well-known by now that there's no excuse for falling into them.
I don't know too many other popular languages, but I grant you that some are inherently easier to write secure code in, as I think Java is. Some are also just plain easier to write any code at all in, like Perl.

Please note that I did not say it wasn't true that C has problems. I do think the severity of its defects are often over-stated.
posted by sfenders at 11:25 AM on February 22, 2005
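Andrew Cooke's idea of generating random JavaScript in every visitor's browser, and sfenders' question of what "random code" would actually mean, both call for a concrete sketch. The block below is an added example written for this page, not code from either poster: a small grammar produces random expressions, each runs under `new Function`, and any thrown exception is classified. Exceptions the language defines for nonsense input (TypeError, RangeError, ReferenceError) are the expected outcome; anything else is what a client would report back. The grammar, the seeded generator and the Node runtime are this example's assumptions.

```javascript
// Added example, not from the thread: one concrete reading of "random code"
// for the distributed-search idea above. A tiny grammar generates random
// JavaScript expressions, each runs inside new Function, and every thrown
// exception is classified. The grammar is expression-only, with no loops or
// recursion, so every sample terminates; a real fuzzer would need timeouts.

// Small seeded PRNG (mulberry32) so a run can be reproduced from its seed.
function mulberry32(seed) {
  let a = seed >>> 0;
  return function () {
    a = (a + 0x6d2b79f5) >>> 0;
    let t = a;
    t = Math.imul(t ^ (t >>> 15), t | 1);
    t ^= t + Math.imul(t ^ (t >>> 7), t | 61);
    return ((t ^ (t >>> 14)) >>> 0) / 4294967296;
  };
}

const LITERALS = ['0', '1', '-1', '2', '"ab"', '""', 'null', 'undefined', 'true', 'NaN', '[]', '[1, 2, 3]', '({})'];
const UNARY = ['- ', '! ', 'typeof ', 'void '];          // trailing space avoids "--1"
const BINARY = ['+', '-', '*', '/', '%', '<', '==', '===', '&&', '||', '??', 'in', 'instanceof'];
const MEMBERS = ['.length', '.toString()', '[0]', '.valueOf()'];
const CALLS = ['Math.max', 'String', 'Number', 'JSON.stringify', 'Object.keys', 'Array.isArray', 'parseInt'];

const pick = (rand, arr) => arr[Math.floor(rand() * arr.length)];

// Depth-bounded random expression. Every composite node is parenthesised so
// that precedence (e.g. mixing ?? with ||) can never produce a syntax error.
function genExpr(rand, depth) {
  if (depth <= 0 || rand() < 0.25) return pick(rand, LITERALS);
  switch (Math.floor(rand() * 4)) {
    case 0: return pick(rand, UNARY) + genExpr(rand, depth - 1);
    case 1: return '(' + genExpr(rand, depth - 1) + ' ' + pick(rand, BINARY) + ' ' + genExpr(rand, depth - 1) + ')';
    case 2: return '(' + genExpr(rand, depth - 1) + ')' + pick(rand, MEMBERS);
    default: return pick(rand, CALLS) + '(' + genExpr(rand, depth - 1) + ', ' + genExpr(rand, depth - 1) + ')';
  }
}

// Errors the language itself throws for nonsense code: normal, not interesting.
const LANGUAGE_ERRORS = new Set(['TypeError', 'RangeError', 'ReferenceError']);

// Run one expression and classify the result.
function runOne(code) {
  try {
    new Function('"use strict"; return (' + code + ');')();
    return { code, outcome: 'ok' };
  } catch (e) {
    const name = e instanceof Error ? e.constructor.name : typeof e;
    if (name === 'SyntaxError') return { code, outcome: 'invalid', error: name }; // generator bug, not engine bug
    if (LANGUAGE_ERRORS.has(name)) return { code, outcome: 'expected', error: name };
    return { code, outcome: 'unexpected', error: name, message: String(e && e.message) };
  }
}

// One client's work unit: n samples from one seed, plus the summary it would
// post back. Same seed, same programs, so a finding is reproducible elsewhere.
function fuzz(seed, n, depth = 4) {
  const rand = mulberry32(seed);
  const summary = { seed, run: 0, ok: 0, expected: 0, invalid: 0, unexpected: [] };
  for (let i = 0; i < n; i++) {
    const r = runOne(genExpr(rand, depth));
    summary.run++;
    if (r.outcome === 'unexpected') summary.unexpected.push(r);
    else summary[r.outcome]++;
  }
  return summary;
}
```

This also shows the limit sfenders points at: on a healthy engine the only signal this design can see is an exception of the wrong class, so the generator matters far more than the number of machines running it, and the interesting bugs (memory corruption that does not throw) need a detector beyond a try/catch.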


How likely is it that some attack would be able to break out of the Java/JavaScript sandboxes to get to the passwords? It's supposed to be very unlikely, since they're specifically designed and scrutinized to prevent that sort of thing. Of course, anything is possible. But really, it's not that useful to focus solely on the Java/JavaScript angle when there are probably many other security holes still present that would allow the machine to be compromised.

So, is it OK to use the saved password feature or not? In my opinion it is, because although there are scenarios where having the stored passwords would be bad, they are not compelling enough to merit the extra effort needed to implement a more sophisticated system. If someone does "get root" on the machine, the stored passwords will make it trivial to get all the passwords at once, where using a keylogger, etc., would be more difficult. But for most people, no one has any motivation to target them in particular, and if some kind of wide-scale attack does take place where thousands of peoples' Firefox passwords are compromised, then a lot of people will be dealing with how to cope with the fallout from that problem, not just you.
posted by mcguirk at 11:43 AM on February 22, 2005

