Password Management Concerns with IE and Firefox

This two-part paper presents an analysis of the security mechanisms, risks, attacks, and defenses of the two most commonly used password management systems for web browsers, found in Internet Explorer and Firefox. The article specifically addresses IE 6 and 7 and Firefox 1.5 and 2.0. Attention is devoted to the following areas:

  • Password storage mechanisms: The means of safeguarding usernames and passwords on the local file system through encryption (addressed in part 1).
  • Attacks on Password Managers: The methods of subverting or bypassing safeguards (partially addressed in part 1; continued in part 2).
  • False sense of security: Users employing password managers without any awareness of the risk factors (discussed in part 2).
  • Usability: Features that enhance or deter the usability of security features (discussed in part 2).
  • Mitigation and Countermeasures: Actions that can be taken by users and corporations to reduce the risk (part 2).

Internet Explorer and Firefox together account for roughly ninety-five percent of all browser market share. [ref 1] AutoComplete [ref 2] and Password Manager [ref 3] are the features that store web form usernames, passwords, and URLs for Internet Explorer (since version 4) and Firefox (since version 0.7), respectively.

Each browser has features that relieve the user of having to remember a different username and password for each web site that requires authentication. When the user navigates to a URL such as http://www.gmail.com where form input fields are present, both IE and Firefox ask whether the user wants to save the username and password. When the user revisits the same web site, the browser automatically fills in the fields.

Although these features greatly reduce the burden on the user, they also introduce security considerations that are addressed in the next few sections.

Part One
Part Two
