info
Google Groups no longer supports new Usenet posts or subscriptions. Historical content remains viewable.
Dismiss
Suggested Security Improvement
70 views
Skip to first unread message
Robin Murison
Oct 22, 2018, 12:59:16 PM10/22/18
to dev-se...@lists.mozilla.org
Dear Team,
Thank you for your great work so far. I love your products.
One problem scenario I would like to raise about both Firefox and
Thunderbird/Daily security:
I boot up my machine and log in. I then start Firefox and thunderbird
log in and enter my master passwords. As I use them all the time, I
never close them and never need to re-enter my master passwords ever
again; at least until I reboot. As I only ever reboot my machine when a
software update needs a reboot, this leaves my browser and email open to
attack to anyone who has access to my desktop. Whether I leave my desk
and forget to lock my screen or if anyone hacks my machine.
In this scenario, anyone who gets access to my desktop immediately has
access to all my web pages and emails. It is very rare that I am not
running both all the time for convenience. The websites I visit can
easily be found through my bookmarks and web page history and the
password manager just fills in the username and password. Depending on
how the password reset page is written reset this could allow the
attacker to change my passwords and steal my identity.
This access could be because of carelessness or because a key logger has
stolen my password or many other hacks.
A suggested solution.
Add a sleep feature that requires me to re-enter my master passwords to
all products with a master password on a regular basis.
It is not just desktops that need a sleep function but anything with a
master password.
I suggest a default value of signing in at least at the start of every
working day, but configurable to fit the paranoia of your customers.
This would lock down my browser and email even if someone got access to
my desktop. For instance while I was absent or after hacking my machine.
This problems could be solved by user's good habits closing their email
or browser when not in use. However, it is easier to remain secure if
the software enforces good habits by locking you out of your browser and
email automatically.
Robin Murison
P.S. On a completely different subject: Could you explain why Yahoo.com
reckons that Thunderbird's login mechanism is insecure?
Thank you for your great work so far. I love your products.
One problem scenario I would like to raise about both Firefox and
Thunderbird/Daily security:
I boot up my machine and log in. I then start Firefox and thunderbird
log in and enter my master passwords. As I use them all the time, I
never close them and never need to re-enter my master passwords ever
again; at least until I reboot. As I only ever reboot my machine when a
software update needs a reboot, this leaves my browser and email open to
attack to anyone who has access to my desktop. Whether I leave my desk
and forget to lock my screen or if anyone hacks my machine.
In this scenario, anyone who gets access to my desktop immediately has
access to all my web pages and emails. It is very rare that I am not
running both all the time for convenience. The websites I visit can
easily be found through my bookmarks and web page history and the
password manager just fills in the username and password. Depending on
how the password reset page is written reset this could allow the
attacker to change my passwords and steal my identity.
This access could be because of carelessness or because a key logger has
stolen my password or many other hacks.
A suggested solution.
Add a sleep feature that requires me to re-enter my master passwords to
all products with a master password on a regular basis.
It is not just desktops that need a sleep function but anything with a
master password.
I suggest a default value of signing in at least at the start of every
working day, but configurable to fit the paranoia of your customers.
This would lock down my browser and email even if someone got access to
my desktop. For instance while I was absent or after hacking my machine.
This problems could be solved by user's good habits closing their email
or browser when not in use. However, it is easier to remain secure if
the software enforces good habits by locking you out of your browser and
email automatically.
Robin Murison
P.S. On a completely different subject: Could you explain why Yahoo.com
reckons that Thunderbird's login mechanism is insecure?
0 new messages