
Password Management Concerns with IE and Firefox

Filed under: Security

This two-part paper analyzes the security mechanisms, risks, attacks, and defenses of the two most widely used browser password management systems, those built into Internet Explorer and Firefox. The article specifically addresses IE 6 and 7 and Firefox 1.5 and 2.0. Attention is devoted to the following areas:

  • Password storage mechanisms: The means of safeguarding usernames and passwords on the local file system through encryption (addressed in part 1).
  • Attacks on Password Managers: The methods of subverting or bypassing safeguards (partially addressed in part 1; continued in part 2).
  • False sense of security: Users employing password managers without any awareness of the risk factors (discussed in part 2).
  • Usability: Features that enhance or deter the usability of security features (discussed in part 2).
  • Mitigation and Countermeasures: Actions that can be taken by users and corporations to reduce the risk (part 2).

Internet Explorer and Firefox together amass roughly ninety-five percent of all browser market share. [ref 1] AutoComplete [ref 2] and Password Manager [ref 3] are the features that store web form usernames, passwords, and URLs for Internet Explorer (since version 4), and Firefox (since version 0.7), respectively.

Each browser offers features that relieve the user of having to remember a different username and password for every web site that requires authentication. When the user navigates to a URL such as http://www.gmail.com where form input fields are present, both IE and Firefox ask whether the username and password should be saved. When the user revisits the same web site, the browser fills the fields automatically.

Although these features greatly simplify the user's task, they also introduce security considerations that are addressed in the sections that follow.

Part One
Part Two
