
Re: Login forms autofill


Gervase Markham

Nov 2, 2017, 12:56:49 PM
to WhiteWinterWolf
On 02/11/17 11:23, WhiteWinterWolf wrote:
> In particular, I wonder why there is an official recommendation to
> change `signon.autofillForms` default value while, at the same time,
> keeping the setting out of reach of casual users.

The site you reference is not official, and so what it says is not an
official recommendation. It seems the Firefox developers have decided
that "true" is the correct value for this preference, and have further
decided it doesn't need UI.

Gerv

WhiteWinterWolf

Nov 2, 2017, 1:18:44 PM
to Gervase Markham, mozilla-de...@lists.mozilla.org
Thank you for your answer. This is sad (from my personal point of view),
but it makes things logical now.

Regards,
Simon.

--
WhiteWinterWolf
https://www.whitewinterwolf.com

Tanvi Vyas

Nov 13, 2017, 4:27:33 PM
to WhiteWinterWolf, Gervase Markham, mozilla-de...@lists.mozilla.org
Hello Simon,

Note that we also have an additional preference - signon.autofillForms.http
- that is set to false by default. This preference turns off autofilling
passwords on HTTP pages without user interaction. The user has to select
the username in order for the password to be filled. The reason this
preference was added was to prevent attacks like the one you reference.

Thanks!

~Tanvi

WhiteWinterWolf

Nov 14, 2017, 6:03:20 AM
to Tanvi Vyas, Gervase Markham, mozilla-de...@lists.mozilla.org
Hello Tanvi,

I already knew this setting; it highlights the desire from Mozilla to
keep the autofill feature active as much as possible, even if this means
security trade-offs:

- Initial issue: autofill fills credentials even on forms submitting to
unusual third-party websites. Some people expressed concerns that
the autofill feature should be disabled, but instead Firefox was modified
to more closely scrutinize the authentication form submission URL before
automatically filling it.

- Then it appeared that an attacker in control of the DNS answers can
keep the original URL while still redirecting the automatic
authentication form submission to their own servers, so the setting you
mention has been added to limit autofilling to HTTPS forms.

- Then it appeared that JavaScript can be used to change the submission
URL once the authentication form has been automatically filled. I've
just checked with Firefox 52.4.0 on Linux Debian, and Firefox is still
vulnerable to this attack: an attacker just has to change the submission
URL after Firefox automatically filled the user's credentials to send them to
any arbitrary HTTPS URL (frankly, I thought this was solved a long time
ago, and this reinforces me even more in my opinion).

- Even if Firefox were modified to handle automatically filled
authentication forms as a special case and turn some properties
read-only from JavaScript (potentially breaking some websites by the
way), this wouldn't prevent attacks relying on malicious or leaked CA
certificates, for instance, plus any additional techniques beyond the ones
mentioned above which most likely *will* be discovered in the future, as
long as browsers provide such functionality.


In my opinion, as a rule a web page should *never* be able to
automatically extract sensitive information from the browser's database
without the user's consent.


- You can try to filter the form and submission URLs, the protocols, the
JavaScript methods, server certificates and I don't know what else and
still leave gaping holes in the process.

- Or you can simply require the user to click on an authentication form
to fill it. Problem solved.

In my opinion, the second option is both more secure, easier to
implement, and more user-friendly. But that's just my opinion.

Regards,
Simon.
--
WhiteWinterWolf
https://www.whitewinterwolf.com
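The third bullet above describes a page whose script rewrites the login form's submission URL after the browser has filled in credentials. A site-side control that is not discussed in this thread, but which a practitioner auditing their own login pages would want to check, is the Content-Security-Policy `form-action` directive: it limits where a form may be submitted regardless of later changes to the form's `action`, and, unlike most fetch directives, it does not fall back to `default-src`, so a policy with only `default-src 'self'` leaves form submission unrestricted. The following checker is an added example written for this page; it is not code from the thread, from Mozilla or from Firefox. The CSP headers and origins it evaluates are constructed sample values, and the source-expression matching is simplified (exact origin comparison for `'self'` and host-sources, wildcard hosts not handled).

```python
"""Audit whether a Content-Security-Policy header restricts form submission
targets via `form-action`.

Added example for this thread (not code from the thread, Mozilla or Firefox).
Assumptions: `form-action` limits the targets a form can submit to even if a
script rewrites the form's action after autofill; `form-action` does NOT fall
back to `default-src`. Source matching is simplified: exact scheme+host
comparison for 'self' and host-sources; wildcard hosts are not handled.
"""
from urllib.parse import urlsplit

# Constructed sample headers (not taken from any real site).
WEAK_CSP = "default-src 'self'; script-src 'self'"          # no form-action at all
HARDENED_CSP = "default-src 'self'; form-action 'self'"     # submit to own origin only
LOCKED_CSP = "form-action 'none'"                           # no form submission allowed


def parse_csp(header: str) -> dict[str, list[str]]:
    """Split a CSP header into {directive-name: [source tokens]}.

    Directives are separated by ';', tokens by whitespace, and names are
    case-insensitive. The first occurrence of a directive wins, which is
    how browsers treat duplicated directives.
    """
    policy: dict[str, list[str]] = {}
    for part in header.split(";"):
        tokens = part.split()
        if not tokens:
            continue
        name = tokens[0].lower()
        if name not in policy:
            policy[name] = tokens[1:]
    return policy


def restricts_form_action(header: str) -> bool:
    """True only if the policy carries an explicit form-action directive."""
    return "form-action" in parse_csp(header)


def form_action_allows(header: str, page_origin: str, target: str) -> bool:
    """Return True if a form on `page_origin` may be submitted to `target`.

    Without a form-action directive, submission is unrestricted (there is no
    fallback to default-src), which is the gap the WEAK_CSP sample has.
    """
    policy = parse_csp(header)
    if "form-action" not in policy:
        return True
    sources = policy["form-action"]
    if not sources or sources == ["'none'"]:
        return False
    page, tgt = urlsplit(page_origin), urlsplit(target)
    for src in sources:
        if src == "*":
            return True
        if src == "'self'":
            if (tgt.scheme, tgt.netloc) == (page.scheme, page.netloc):
                return True
        elif src.endswith(":"):                       # scheme-source, e.g. https:
            if tgt.scheme == src[:-1]:
                return True
        else:                                         # host-source, with or without scheme
            allowed = urlsplit(src if "://" in src else f"{page.scheme}://{src}")
            if (tgt.scheme, tgt.netloc) == (allowed.scheme, allowed.netloc):
                return True
    return False


def audit(headers: dict[str, str], page_origin: str, foreign_target: str) -> dict[str, bool]:
    """Map each sample policy name to whether it would let a rewritten form
    post credentials to `foreign_target` (True means the page is exposed)."""
    return {name: form_action_allows(h, page_origin, foreign_target)
            for name, h in headers.items()}


if __name__ == "__main__":
    samples = {"weak": WEAK_CSP, "hardened": HARDENED_CSP, "locked": LOCKED_CSP}
    # "attacker.test" is a constructed placeholder origin for the audit.
    for name, exposed in audit(samples, "https://example.test",
                               "https://attacker.test/collect").items():
        print(f"{name:9s} exposed to off-origin form submission: {exposed}")
```

Running the block prints that the `weak` policy is exposed while `hardened` and `locked` are not. The practical check is the same one `restricts_form_action` encodes: when auditing a login page, look for an explicit `form-action` directive rather than assuming `default-src` covers it.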