Password Management Concerns with IE and Firefox

Filed under: Security

This two-part paper presents an analysis of the security mechanisms, risks, attacks, and defenses of the two most commonly used password management systems for web browsers, found in Internet Explorer and Firefox. The article specifically addresses IE 6 and 7 and Firefox 1.5 and 2.0. Attention is devoted to the following areas:

  • Password storage mechanisms: The means of safeguarding usernames and passwords on the local file system through encryption (addressed in part 1).
  • Attacks on password managers: The methods of subverting or bypassing those safeguards (partially addressed in part 1; continued in part 2).
  • False sense of security: Users employing password managers without any awareness of the risk factors (discussed in part 2).
  • Usability: Features that enhance or deter the usability of security features (discussed in part 2).
  • Mitigation and countermeasures: Actions that users and corporations can take to reduce the risk (part 2).

Internet Explorer and Firefox together account for roughly ninety-five percent of all browser market share. [ref 1] AutoComplete [ref 2] and Password Manager [ref 3] are the features that store web form usernames, passwords, and the URLs they belong to in Internet Explorer (since version 4) and Firefox (since version 0.7), respectively.

Each browser offers these features so that the user is not left to remember a different username and password for every web site that requires authentication. When the user navigates to a URL such as http://www.gmail.com and submits a form containing login fields, both IE and Firefox prompt the user to save the username and password. When the user later returns to the same web site, the browser automatically fills in the fields from the stored entry.

Although these features relieve the user of much of that burden, they also introduce security risks, which are addressed in the sections that follow.

Part One
Part Two
