
remembering passwords


rifter

Feb 5, 2012, 10:11:40 AM
to support...@lists.mozilla.org
I've been annoyed by this for a while, but I thought I would take a
stab at asking to see if there is a solution.
If you log in to a site, Firefox pops up a little box asking if you
want to save the password. However, many sites immediately redirect
you to a new page after you log in. If that happens, the box goes
away. I can usually not get to that box fast enough, and it is
impossible to get there fast enough if the page I'm going to is
encrypted because of course there is another dialog.
What's the solution here? I could swear that way back in the 3.x days
the popup for saving the password stuck around until you addressed it,
but I could be wrong.
An example of this is meetup.com although there are a lot of pages
that act like this.

Ron Hunter

Feb 5, 2012, 11:16:42 AM
to
The door hanger (name for this dialog) remains until a mouse click is
detected. As long as you don't click, you can still respond to it.

Peter

Feb 5, 2012, 3:13:02 PM
to
My solution for password issues and FF has been to use LastPass. It is
probably safer than keeping passwords on your hard drive and a lot
easier to manage.

Ron Hunter

Feb 6, 2012, 3:25:14 AM
to
I am not familiar with LastPass, but you imply that the passwords are
kept on a remote site. Even if they are encrypted, I fail to see this
as more secure. I greatly prefer keeping MY data on MY computer. I
haven't seen any scheme for keeping passwords that is easier to manage
than what is built into FF/TB, but am open to something better. Will
check out LastPass.

rifter

Feb 6, 2012, 4:29:00 PM
to Firefox help community
Unfortunately that is absolutely not true. If it was true, I would
not be asking the question. As I said, the page redirects you as soon
as you submit a password, and once it does, the button goes away.
It's not waiting for a click at all. Why don't you try it and see?

rifter

Feb 6, 2012, 4:36:39 PM
to Firefox help community
On 2/6/12, rifter <rifter...@gmail.com> wrote:
> On 2/5/12, Ron Hunter <rphu...@charter.net> wrote:
>>
> Unfortunately that is absolutely not true. If it was true, I would
> not be asking the question. As I said, the page redirects you as soon
> as you submit a password, and once it does, the button goes away.
> It's not waiting for a click at all. Why don't you try it and see?
>
Also, even if it was true it would not help much since there is a
modal dialog in the way. You can't click on the door hanger without
getting rid of it.
In any case, is there even a workaround for this? Is catching the
ephemeral doorhanger before it decides to run away the only way to do
this? Why does it go away in the first place instead of waiting for a
click like a regular dialog would?

Chris Ilias

Feb 6, 2012, 5:21:40 PM
to
On 12-02-06 4:36 PM, _rifter_ spoke thusly:
> On 2/6/12, rifter<rifter...@gmail.com> wrote:
>> On 2/5/12, Ron Hunter<rphu...@charter.net> wrote:
>>> The door hanger (name for this dialog) remains until a mouse click is
>>> detected. As long as you don't click, you can still respond to it.
>>
>> Unfortunately that is absolutely not true. If it was true, I would
>> not be asking the question. As I said, the page redirects you as soon
>> as you submit a password, and once it does, the button goes away.
>> It's not waiting for a click at all. Why don't you try it and see?
>
> Also, even if it was true it would not help much since there is a
> modal dialog in the way. You can't click on the door hanger without
> getting rid of it.
> In any case, is there even a workaround for this? Is catching the
> ephemeral doorhanger before it decides to run away the only way to do
> this? Why does it go away in the first place instead of waiting for a
> click like a regular dialog would?

Can you or anyone else provide a different website where this happens? I
don't have a meetup account, so I can't test it.

One thing to look for is if there is a key icon to the left of the site
icon. Clicking on that will bring back the doorhanger.

--
Chris Ilias <http://ilias.ca>
Mailing list/Newsgroup moderator

rifter

Feb 6, 2012, 6:44:47 PM
to Firefox help community
SourceForge does it, too. There are a whole lot of sites that do this.
Again all it takes is that the site redirects you to a new page when
you submit your login credentials. It seems to me that the dialog is
acting like you went to a whole new site, so it goes away.

Bob Henson

Feb 7, 2012, 6:41:32 AM
to
Use Roboform and don't set up the "cloud" backup.

--
Bob
Tetbury, Gloucestershire, UK


Treat each day like it's your last - one day you'll be right.

Axel Grude

Feb 7, 2012, 2:42:09 PM
to support...@lists.mozilla.org
Rifter, I usually use the Saved Password Editor extension and scrape the information from
the screen before I submit if I suspect it is one of these sites. It adds an Edit/New
button to the Password Manager, and then you simply use the "Guess from Current Page"
button to create the password entry, before you submit.

Ax

Axel Grude

Feb 7, 2012, 2:43:36 PM
to
I think imageshack.us is a good example for a site that doesn't trigger the password
mechanisms, even if you have passwords stored in Password Manager.

I use QuickPasswords as a workaround.

Axel

Axel Grude

Feb 7, 2012, 2:45:17 PM
to
Use Saved Password Editor and QuickPasswords. At least they are open sourced and keep
the passwords on your local drive.
Ax

Chris Ilias

Feb 7, 2012, 5:11:33 PM
to
On 12-02-06 6:44 PM, _rifter_ spoke thusly:
> On 2/6/12, Chris Ilias<nm...@ilias.ca> wrote:
>> On 12-02-06 4:36 PM, _rifter_ spoke thusly:
>>> On 2/6/12, rifter<rifter...@gmail.com> wrote:
>>>> On 2/5/12, Ron Hunter<rphu...@charter.net> wrote:
>>>>> The door hanger (name for this dialog) remains until a mouse click is
>>>>> detected. As long as you don't click, you can still respond to it.
>>>>
>>>> Unfortunately that is absolutely not true. If it was true, I would
>>>> not be asking the question. As I said, the page redirects you as soon
>>>> as you submit a password, and once it does, the button goes away.
>>>> It's not waiting for a click at all. Why don't you try it and see?
>>>
>>> Also, even if it was true it would not help much since there is a
>>> modal dialog in the way. You can't click on the door hanger without
>>> getting rid of it.
>>> In any case, is there even a workaround for this? Is catching the
>>> ephemeral doorhanger before it decides to run away the only way to do
>>> this? Why does it go away in the first place instead of waiting for a
>>> click like a regular dialog would?
>>
>> Can you or anyone else provide a different website where this happens? I
>> don't have a meetup account, so I can't test it.
>>
>> One thing to look for is if there is a key icon to the left of the site
>> icon. Clicking on that will bring back the doorhanger.
>
> SourceForge does it, too. There are a whole lot of sites that do this.
> Again all it takes is that the site redirects you to a new page when
> you submit your login credentials. It seems to me that the dialog is
> acting like you went to a whole new site, so it goes away.

I decided to create an account on meetup to test this. When I tested it,
the doorhanger stayed.
Screenshot: <http://ilias.ca/screenshots/fx-meetup.png>

So let's figure out what's different about your setup. Go to
Help-->Troubleshooting_Information, then click [Copy all to Clipboard].
Open a reply to this post, and go to Edit-->Paste to paste the info from
your Troubleshooting Information page.

If this is happening on many sites for you, you may have malware installed.

Lucas B. Cohen

Feb 8, 2012, 8:21:37 AM
to support...@lists.mozilla.org
On 2012.02.07 20:45, Axel Grude wrote:
> Use Saved Password Editor and QuickPasswords. At least they are open
> sourced and keep the passwords on your local drive.
Makes much sense to me. Personally, I'm nervous at the idea of using a
password manager that integrates, or even communicates in any way with
such an exposed (to malicious code) piece of software as my web browser.
I use KeePassX, a standalone program (with the added benefit that it's
cross-platform) and do the old copy and paste thing with anything
remotely sensitive.

rifter

Feb 9, 2012, 12:41:37 AM
to Firefox help community
I'm pretty sure this isn't something that is caused by malware, and it
has been happening for at least a couple of years on Firefox in
varying configurations for me. Maybe it's something they finally
fixed in the version you have, in which case upgrading would fix me.
I will look into the extensions the others mentioned. Meanwhile if
there is indeed something that is in my setup that is actually
affecting this, it might help the others who have indicated this
happens to them, too.



Application Basics

Name
Firefox

Version
9.0.1

User Agent
Mozilla/5.0 (X11; Linux i686; rv:9.0.1) Gecko/20100101 Firefox/9.0.1

Profile Directory

Open Containing Folder

Enabled Plugins

about:plugins

Build Configuration

about:buildconfig

Crash Reports

about:crashes

Memory Use

about:memory

Extensions

Name

Version

Enabled

ID

Add to Search Bar
2.0
true
add-to-s...@maltekraus.de

HTTPS-Everywhere
1.2.2
true
https-ev...@eff.org

NoScript
2.2.9
true
{73a6fe31-595d-460b-a920-fcc0f8843232}

Modified Preferences

Name

Value

accessibility.typeaheadfind.flashBar
0

browser.link.open_newwindow
2

browser.places.importBookmarksHTML
false

browser.places.smartBookmarksVersion
2

browser.startup.homepage
file:///usr/share/indexhtml/index.html

browser.startup.homepage_override.buildID
20111222033305

browser.startup.homepage_override.mstone
rv:9.0.1

extensions.lastAppVersion
9.0.1

gfx.blacklist.direct2d
2

gfx.blacklist.layers.direct3d10
2

gfx.blacklist.layers.direct3d10-1
2

gfx.blacklist.layers.direct3d9
2

gfx.blacklist.layers.opengl
2

gfx.blacklist.suggested-driver-version
Mesa 7.10.3

gfx.blacklist.webgl.angle
2

gfx.blacklist.webgl.opengl
2

network.cookie.prefsMigrated
true

places.database.lastMaintenance
1328748882

places.history.expiration.transient_current_max_pages
26094

places.history.expiration.transient_optimal_database_size
41749052

print.tmp.printerfeatures.PostScript/default.can_change_colorspace
false

print.tmp.printerfeatures.PostScript/default.can_change_downloadfonts
false

print.tmp.printerfeatures.PostScript/default.can_change_jobtitle
false

print.tmp.printerfeatures.PostScript/default.can_change_num_copies
true

print.tmp.printerfeatures.PostScript/default.can_change_orientation
true

print.tmp.printerfeatures.PostScript/default.can_change_paper_size
true

print.tmp.printerfeatures.PostScript/default.can_change_plex
false

print.tmp.printerfeatures.PostScript/default.can_change_printincolor
true

print.tmp.printerfeatures.PostScript/default.can_change_resolution
false

print.tmp.printerfeatures.PostScript/default.can_change_spoolercommand
true

print.tmp.printerfeatures.PostScript/default.colorspace.0.name
default

print.tmp.printerfeatures.PostScript/default.colorspace.count
1

print.tmp.printerfeatures.PostScript/default.has_special_printerfeatures
true

print.tmp.printerfeatures.PostScript/default.orientation.0.name
portrait

print.tmp.printerfeatures.PostScript/default.orientation.1.name
landscape

print.tmp.printerfeatures.PostScript/default.orientation.count
2

print.tmp.printerfeatures.PostScript/default.paper.0.height_mm
210

print.tmp.printerfeatures.PostScript/default.paper.0.is_inch
false

print.tmp.printerfeatures.PostScript/default.paper.0.name
A5

print.tmp.printerfeatures.PostScript/default.paper.0.width_mm
148

print.tmp.printerfeatures.PostScript/default.paper.1.height_mm
297

print.tmp.printerfeatures.PostScript/default.paper.1.is_inch
false

print.tmp.printerfeatures.PostScript/default.paper.1.name
A4

print.tmp.printerfeatures.PostScript/default.paper.1.width_mm
210

print.tmp.printerfeatures.PostScript/default.paper.2.height_mm
420

print.tmp.printerfeatures.PostScript/default.paper.2.is_inch
false

print.tmp.printerfeatures.PostScript/default.paper.2.name
A3

print.tmp.printerfeatures.PostScript/default.paper.2.width_mm
297

print.tmp.printerfeatures.PostScript/default.paper.3.height_mm
279

print.tmp.printerfeatures.PostScript/default.paper.3.is_inch
true

print.tmp.printerfeatures.PostScript/default.paper.3.name
Letter

print.tmp.printerfeatures.PostScript/default.paper.3.width_mm
215

print.tmp.printerfeatures.PostScript/default.paper.4.height_mm
355

print.tmp.printerfeatures.PostScript/default.paper.4.is_inch
true

print.tmp.printerfeatures.PostScript/default.paper.4.name
Legal

print.tmp.printerfeatures.PostScript/default.paper.4.width_mm
215

print.tmp.printerfeatures.PostScript/default.paper.5.height_mm
431

print.tmp.printerfeatures.PostScript/default.paper.5.is_inch
true

print.tmp.printerfeatures.PostScript/default.paper.5.name
Tabloid

print.tmp.printerfeatures.PostScript/default.paper.5.width_mm
279

print.tmp.printerfeatures.PostScript/default.paper.6.height_mm
254

print.tmp.printerfeatures.PostScript/default.paper.6.is_inch
true

print.tmp.printerfeatures.PostScript/default.paper.6.name
Executive

print.tmp.printerfeatures.PostScript/default.paper.6.width_mm
190

print.tmp.printerfeatures.PostScript/default.paper.count
7

print.tmp.printerfeatures.PostScript/default.plex.0.name
default

print.tmp.printerfeatures.PostScript/default.plex.count
1

print.tmp.printerfeatures.PostScript/default.resolution.0.name
default

print.tmp.printerfeatures.PostScript/default.resolution.count
1

print.tmp.printerfeatures.PostScript/default.supports_colorspace_change
false

print.tmp.printerfeatures.PostScript/default.supports_downloadfonts_change
false

print.tmp.printerfeatures.PostScript/default.supports_jobtitle_change
false

print.tmp.printerfeatures.PostScript/default.supports_orientation_change
true

print.tmp.printerfeatures.PostScript/default.supports_paper_size_change
true

print.tmp.printerfeatures.PostScript/default.supports_plex_change
false

print.tmp.printerfeatures.PostScript/default.supports_printincolor_change
true

print.tmp.printerfeatures.PostScript/default.supports_resolution_change
false

print.tmp.printerfeatures.PostScript/default.supports_spoolercommand_change
true

privacy.cpd.downloads
false

privacy.cpd.formdata
false

privacy.cpd.history
false

privacy.cpd.sessions
false

privacy.donottrackheader.enabled
true

privacy.sanitize.migrateFx3Prefs
true

security.warn_entering_secure
true

security.warn_entering_weak.show_once
false

security.warn_leaving_secure
true

security.warn_submit_insecure
true

security.warn_viewing_mixed.show_once
false

Graphics

Adapter Description
Tungsten Graphics, Inc -- Mesa DRI Intel(R) 915GM x86/MMX/SSE2

Driver Version
1.4 Mesa 7.10.2

WebGL Renderer
Blocked for your graphics driver version. Try updating your
graphics driver to version Mesa 7.10.3 or newer.

GPU Accelerated Windows
0/1. Blocked for your graphics driver version. Try updating
your graphics driver to version Mesa 7.10.3 or newer.

Chris Ilias

Feb 9, 2012, 4:01:57 AM
to
On 12-02-09 12:41 AM, _rifter_ spoke thusly:
> On 2/7/12, Chris Ilias<nm...@ilias.ca> wrote:
>
>> I decided to create an account on meetup to test this. When I tested it,
>> the doorhanger stayed.
>> Screenshot:<http://ilias.ca/screenshots/fx-meetup.png>
>>
>> So let's figure out what's different about your setup. Go to
>> Help-->Troubleshooting_Information, then click [Copy all to Clipboard].
>> Open a reply to this post, and go to Edit-->Paste to paste the info from
>> your Troubleshooting Information page.
>>
>> If this is happening on many sites for you, you may have malware installed.
>
> I'm pretty sure this isn't something that is caused by malware, and it
> has been happening for at least a couple of years on Firefox in
> varying configurations for me. Maybe it's something they finally
> fixed in the version you have, in which case upgrading would fix me.
> I will look into the extensions the others mentioned. Meanwhile if
> there is indeed something that is in my setup that is actually
> affecting this, it might help the others who have indicated this
> happens to them, too.
>
>
> User Agent
> Mozilla/5.0 (X11; Linux i686; rv:9.0.1) Gecko/20100101 Firefox/9.0.1
>
> Extensions
>
> Name
>
> Version
>
> Enabled
>
> ID
>
> Add to Search Bar
> 2.0
> true
> add-to-s...@maltekraus.de
>
> HTTPS-Everywhere
> 1.2.2
> true
> https-ev...@eff.org
>
> NoScript
> 2.2.9
> true
> {73a6fe31-595d-460b-a920-fcc0f8843232}
>
> Modified Preferences
>
> accessibility.typeaheadfind.flashBar
> 0
>
> browser.link.open_newwindow
> 2
>
> browser.places.importBookmarksHTML
> false
>
> browser.places.smartBookmarksVersion
> 2
>
> browser.startup.homepage
> file:///usr/share/indexhtml/index.html
>
>
> privacy.cpd.downloads
> false
>
> privacy.cpd.formdata
> false
>
> privacy.cpd.history
> false
>
> privacy.cpd.sessions
> false
>
> privacy.donottrackheader.enabled
> true
>
> privacy.sanitize.migrateFx3Prefs
> true
>
> security.warn_entering_secure
> true
>
> security.warn_entering_weak.show_once
> false
>
> security.warn_leaving_secure
> true
>
> security.warn_submit_insecure
> true
>
> security.warn_viewing_mixed.show_once
> false


I tried to replicate as much of that as I could. Firefox 9.0.1 on Ubuntu.

With a clean profile, the way it works is like this:
* clicking on "log in" causes the login prompt to appear as an XML (I
think) pop-up, keeping you on the same browser page.
* no warning about entering or leaving a secure page
* after login, the doorhanger appears and stays as the XML pop-up is
gone, and you are given the meetup homepage.

With your setup, there are a few factors that, when put together, cause
this issue.
* NoScript causes the login prompt to appear as a separate page.
* Leaving the secure login page (because NoScript forced it to become a
separate page), a warning comes up, because you have the preference
"security.warn_leaving_secure" set to true. You need to click on that
warning, which causes the doorhanger to go away.

On the first try, the key icon still appeared to the left of the site
icon. After a couple more tries, the key icon no longer appeared. It
turns out, that was caused by a cookie.

To get the prompt on meetup:
1. Go to meetup.com
2. Go to Tools-->Page_Info
3. Select the Security panel.
4. Click on [View Cookies]. That should give you a list of meetup.com
cookies.
5. Select the cookie called "MEETUP_SEGMENT".
6. Click [Remove Cookie].
7. Close the cookies window, and the Page Info window, then try logging
in again.
8. After logging in and being redirected, the key icon should still
appear to the left of the site icon. Click on the key icon to get the
"remember password" doorhanger back.

Setting "security.warn_leaving_secure" back to the default value of
false will also cause the doorhanger to stay.

Axel Grude

Feb 15, 2012, 2:55:29 PM
to
It really depends on what you trust (more) - closed source (but commercial) software
or open source - (maybe free / donation based / ad based) software.

The browser should not be exposed to malicious code in the chrome context (where your
addons run) as long as you install your addons from AMO. Code downloaded from the web
is not allowed to run in chrome so it doesn't get access to your password store anyway.

Axel

Lucas B. Cohen

Feb 15, 2012, 3:17:27 PM
to support...@lists.mozilla.org
On 2012.02.15 20:55, Axel Grude wrote:
> On 08/02/12 13:21, Lucas B. Cohen wrote:
>> Personally, I'm nervous at the idea of using a
>> password manager that integrates, or even communicates in any way with
>> such an exposed (to malicious code) piece of software as my web browser.
>> I use KeePassX, a standalone program (with the added benefit that it's
>> cross-platform) and do the old copy and paste thing with anything
>> remotely sensitive.

> The browser should not be exposed to malicious code in the chrome
> context (where your addons run) as long as you install your addons from
> AMO. Code downloaded from the web is not allowed to run in chrome so it
> doesn't get access to your password store anyway.
Hopefully it doesn't ! I was thinking about a situation where a software
vulnerability in the browser is exploited (buffer overflow and such),
malicious *machine* code gets executed, and the design safeguards you
mention get bypassed.

Of course, at this point, anything is possible, but I believe it's more
realistic to expect an attacker to just target the built-in password
store to try and harvest sensitive credentials, instead of scanning
around for various running password managers and trying to hijack their
process.

Axel Grude

Feb 16, 2012, 9:04:35 AM
to
That's all true, but if you suspect code getting in like this then even with a 3rd
party password manager all bets might be off.

Just keep the OS well patched and run some antivirus monitoring + personal firewall;
at this stage I would be more concerned about downloaded software and online
JavaScript / cookies / social engineering / XSS, the likelihood of getting intruders
or leaking personal info that way is a lot higher (unless you use an unpatched system).

Ron Hunter

Feb 16, 2012, 10:00:44 AM
to
So far, the 'Remember Password' extension installs, and has worked on
the one website I have tried it on. This is on the beta channel (FF 11).

Lucas B. Cohen

Feb 16, 2012, 10:35:42 AM
to support...@lists.mozilla.org
Agreed (it's what I meant by "at this point, anything is possible"). Yet
I still believe there's a higher probability of having the Firefox
built-in password store being the target of an attack, than a separate one.
(All the add-ons that were mentioned earlier in the thread do exploit
the same Firefox-provided password store, don't they ?)
>
> Just keep the OS well patched and run some antivirus monitoring +
> personal firewall; at this stage I would be more concerned about
> downloaded software and online JavaScript / cookies / social engineering
> / XSS, the likelihood of getting intruders or leaking personal info
> that way is a lot higher (unless you use an unpatched system).
In the end I guess it depends on personal use patterns and exposure to
risk. I keep my systems patched, selectively run scripts using
NoScript, selectively load content with RequestPolicy. The concrete risk
of having my password store attacked is probably marginal at that point,
but it would only take a single zero-day out there to have it all
compromised. It seems that keeping my password store in a separate
process is an extension of the security principle of least
privilege/privilege separation/etc, which is a basic security rule.

In fact, the one thing I'm not doing, which I would consider now that I
think of it, is using a separate user account to run Firefox. I recall a
piece of software called DropMyRights used to make it easy to do it with IE...

Axel Grude

Feb 16, 2012, 2:21:07 PM
to
Exploit is the wrong word. I would choose "enhance"; and they are all reviewed by us
(the AMO editors) for security holes. In all cases strict security checks (such as,
not storing passwords in the config database or submitting them unencrypted etc.) and
of course the "no surprise" policy apply.

Something we cannot guarantee for any 3rd party software.


> In the end I guess it depends on personal use patterns and exposure to
> risk. I keep my systems patched, selectively run scripts using
> NoScript, selectively load content with RequestPolicy. The concrete risk
> of having my password store attacked is probably marginal at that point,
> but it would only take a single zero-day out there to have it all
> compromised.
true, but: as opposed to other software vendors, security holes in Tb are fixed before
there are any practical exploits out "in the wild". So it is quite unlikely. Much more
likely that you run some script downloaded from a third party or apps store that
hasn't got the same security measures as Mozilla.

By the way I have just started using RequestPolicy for the last 2 weeks, is it always
that painful? I seem to have to allow the same rule over and over again. Some wildcard
rules (like allow foo.com to request data from foo.net) or better in-page controls in
there would be nice.

> It seems that keeping my password store in a separate
> process is an extension of the security principle of least
> privilege/privilege separation/etc, which is a basic security rule.
>
> In fact, the one thing I'm not doing, which I would consider now that I
> think of it, is using a separate user account to run Firefox. I recall a
> piece of software called DropMyRights used to make it easy to do it with IE...
Dropmyrights - nomen est omen?
Axel

Ron Hunter

Feb 16, 2012, 2:32:46 PM
to
I understand why browser companies desire to appear to be strong on
security, but my security, in the end, is MY responsibility. If I
choose to have my passwords kept on my computer, then that is for ME to
decide. If I want to publish the darn things in the newspaper, it's on
me. So, about Mozilla and 'empowering the user his way' or sentiments
to that effect, how about an OPTION (with suitable warnings) to save my
passwords in spite of the website, and the browser, trying to prevent it?

Lucas B. Cohen

Feb 16, 2012, 3:05:53 PM
to support...@lists.mozilla.org
You're right !
The "CNET Editors' review" is tragic, though : "The beauty of this
utility is you can log on as an administrator". Way to defeat the
purpose of user security education.

Lucas B. Cohen

unread,
Feb 16, 2012, 3:24:35 PM2/16/12
to support...@lists.mozilla.org
On 2012.02.16 20:21, Axel Grude wrote:

> By the way I have just started using RequestPolicy for the last 2 weeks,
> is it always that painful? I seem to have to allow the same rule over
> and over again. Some wildcard rules (like allow foo.com to request data
> from foo.net) or better in-page controls in there would be nice.
Are you browsing in Private Mode ? RequestPolicy can memorize authorized
sources, thankfully (such as, typically, a site to its CDN domain). It
even comes packaged with a selection of authorized ones. It gives you
the choice between "allow requests from foo.baz to bar.org", and
"__temporarily__ allow requests from foo.baz to bar.org". Unless you're
in Private Mode, where you'll only be offered the latter.

Not sure what you mean by "better in-page controls". I'm satisfied with
using the context menu to allow cross-domain loading.

But even then, it certainly isn't always fun to browse with this add-on.
I certainly wouldn't recommend it to non "basic" users. However I find
that in addition to the protection it offers, and the speeding up of
webpage loading, it's a very educational tool to see how websites are built.

It's also interesting to see that some sites are actually *more* easy to
read without any kind of graphics or stylesheet. News sites, often, just
display the article in plaintext that way, instead of drowning it in
tons of menus, banners, social buttons and whatnot.

One thing that RequestPolicy has shown me lately, and that's been
irritating me, is that 99% of webmasters seem to not bother to harness
the power of DNS when setting up a CDN. Virtually all sites register a
second domain (like foo-static.com, barcdn.com, etc.) instead. I can't
understand what the benefit of that is.

On my paranoid days, I start thinking web giants are trying to get rid
of same origin policy altogether by making it look outdated, sacrificing
security for content presentation that is more valuable for them. (And
on cynical days, I notice that the cost of an extra domain name is much
lower than the salary of a DNS admin who could set up glue records to
point to the CDN provider's NS...)
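
Added illustration, not part of the thread and not RequestPolicy's own code: a simplified JavaScript model of the origin-to-destination rules described in the post above, showing why a CDN served from a subdomain (static.foo.com) needs no rule while a second registered domain (foo-static.com) does. The names `baseDomain`, `siteOf` and `RequestRules`, the tiny suffix list, and the assumption that requests are compared by registrable base domain are all constructed for this example.

```javascript
// Constructed, deliberately tiny suffix list. A real tool would use the
// full Public Suffix List; this one only covers the hosts used below.
const SUFFIXES = new Set(["com", "net", "org", "baz", "co.uk"]);

// Registrable ("base") domain of a host: static.foo.com -> foo.com.
// Returns null when the host is itself a suffix or the suffix is unknown.
function baseDomain(host) {
  const labels = host.toLowerCase().replace(/\.$/, "").split(".");
  for (let i = 0; i < labels.length; i++) {
    // Scanning from the left finds the longest matching suffix first.
    if (SUFFIXES.has(labels.slice(i).join("."))) {
      return i === 0 ? null : labels.slice(i - 1).join(".");
    }
  }
  return null;
}

// Fall back to the exact host name when no base domain can be derived,
// so unknown hosts are never merged into one "site" by accident.
function siteOf(host) {
  return baseDomain(host) || host.toLowerCase();
}

class RequestRules {
  constructor({ privateMode = false } = {}) {
    this.privateMode = privateMode;
    this.permanent = new Set(); // survives the session
    this.temporary = new Set(); // dropped by endSession()
  }

  static key(originSite, destSite) {
    return `${originSite}|${destSite}`;
  }

  // "allow requests from <origin> to <dest>", optionally temporary.
  // As described in the post, private mode only offers temporary rules.
  allow(originHost, destHost, { temporary = false } = {}) {
    const key = RequestRules.key(siteOf(originHost), siteOf(destHost));
    if (temporary || this.privateMode) {
      this.temporary.add(key);
      return "temporary";
    }
    this.permanent.add(key);
    return "permanent";
  }

  // Decide whether a page may load a sub-resource from requestUrl.
  decide(pageUrl, requestUrl) {
    const origin = siteOf(new URL(pageUrl).hostname);
    const dest = siteOf(new URL(requestUrl).hostname);
    if (origin === dest) return "allow: same site";
    const key = RequestRules.key(origin, dest);
    if (this.permanent.has(key)) return "allow: permanent rule";
    if (this.temporary.has(key)) return "allow: temporary rule";
    return "block: cross-site";
  }

  endSession() {
    this.temporary.clear();
  }
}

// Walk-through with the thread's placeholder host names.
function demo() {
  const rules = new RequestRules();
  const page = "https://www.foo.com/article";
  const out = [];
  out.push(rules.decide(page, "https://static.foo.com/site.css")); // DNS subdomain
  out.push(rules.decide(page, "https://foo-static.com/site.css")); // second domain
  rules.allow("www.foo.com", "foo-static.com", { temporary: true });
  out.push(rules.decide(page, "https://foo-static.com/site.css"));
  rules.endSession(); // temporary rule is gone, so the user is asked again
  out.push(rules.decide(page, "https://foo-static.com/site.css"));
  return out;
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(demo().join("\n"));
}
```

A rule that keeps having to be re-allowed, as described earlier in the thread, matches the `temporary` path here: once the session ends the same request is blocked again.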