Firefox also has an option of using an alternative security module for the password manager that is Federal Information Processing Standard (FIPS) 140-1 compliant. It also uses PKCS#5 for password based encryption. As it relates to the Password Manager, Firefox makes use of Public Key Cryptography Standard (PKCS) #11, which defines an API for third party security modules that are either software or hardware based.

Note that file locations were previously addressed in section 4.1.

Firefox uses the Network Security Services API to perform its cryptographic operations.

Relevant files: Certificates (Signed Public Keys) stored as certN.db, Private Key Database stored as keyN.db, and Security Modules stored as secmod.db
Requirements for Access: User logged in and the Master Password (if set)
(Each URL entry ends with period on separate to line)
Encryption: TripleDES (CBC mode)
Access: Network Security Services (NSS) API
username, email, userid, etc.)
Encrypted and Base64 encoded value of above information
Storage Construct: Text File (signons.txt)
Format: ASCII, using Base64 encoding (except URL and fields)

I've finally found the information regarding the password encryption in Firefox.

Otherwise a master password and clearing private data is the next best thing. If you've got a reasonably fast flash drive and won't be using too many low end computers I'd recommend people take a look at Truecrypt.

Deniability/Privacy - A thief wouldn't even know I had Firefox on my flash drive.
What I see as key advantages to Truecrypt:

Performance - a lot heavier disk writing and CPU usage.
Requires administrator privileges (Only needed if Truecrypt isn't already installed locally).
Saying that there are downsides to using Truecrypt as a solution:

There's also other potentially sensitive information like your bookmarks and information stored by extensions to be worried about.
With all the new features in Firefox 3 collecting more and more personal data I'd rather not let anyone near my profile directory at all. This way I don't have to worry about sensitive data somewhere that I may have overlooked and I can enjoy the convenience of saved form history etc. I personally just put all my applications into a Truecrypt volume on my flash drive, I know quite a lot of other people do this too. I've seen far too many people being complacent with what data they leave on their flash drives. Nice guide, I'm sure it will help concerned users get a grasp of securing their profile.

Please leave some comments if you think there is something missing, or to give some feedback. This is in my opinion a good trade-off between security and usability.

By using those settings, it should give you at least enough time to change your password before a thief manages to brute force your Master Password, making the stored passwords useless.

The saved usernames and passwords will however be auto-completed in the login pages. Take note that because the cookies are not saved, you will lose the cookie-based website settings and the ability to auto-login to websites. This way, no cookies will be kept in Firefox, and the only way to gain access to your accounts will be to know the Master Password.

To do so, we will have to use the option "Always clear my private data when I close Firefox" combined with the following options checked in the Settings:

In order to avoid this, we will have to make sure that all sensitive data and session information will be cleared when Firefox is closed. Also, if someone moves your cookies.sqlite file from the Firefox Portable profile to another profile, they will be able to use the cookies to gain access to some accounts with your saved credentials.
This will encrypt the passwords in the signons3.txt file so they won't be viewable without the Master Password.

Because the cookies and session information are NOT encrypted using the Master Password, this is a security threat that could grant access to your account if you activated the auto-login options, even if there is a Master Password.

Use a Master Password (Tools -> Options -> Security -> Master Password), the stronger the password is, the better (use the strength indicator, it's not there for coolness factor).

Firefox's default behavior is insecure for a roaming profile like the one used in Firefox Portable.

The thief could then access some of your accounts you previously logged in to. Someone stole your USB thumbdrive, which contains some sensitive data, including some passwords and/or session information.