Comments on: Security UI in Firefox 3plus1 http://blog.johnath.com/2008/04/16/security-ui-in-firefox-3plus1/ johnath in blog form Thu, 26 Jan 2012 13:11:15 +0000 hourly 1 http://wordpress.org/?v=3.3.1 By: meandering wildly http://blog.johnath.com/2008/04/16/security-ui-in-firefox-3plus1/comment-page-1/#comment-192034 meandering wildly Tue, 05 Aug 2008 20:46:33 +0000 http://blog.johnath.com/?p=117#comment-192034 [...] think the approach in Firefox 3 is perfect, I’m not sure any of us do. I have filed bugs, and talked about things I think we could do to continue to enhance our users’ security while at the same time [...] [...] think the approach in Firefox 3 is perfect, I’m not sure any of us do. I have filed bugs, and talked about things I think we could do to continue to enhance our users’ security while at the same time [...]

]]> By: Iang (Phishing faceoff... manual trackback) http://blog.johnath.com/2008/04/16/security-ui-in-firefox-3plus1/comment-page-1/#comment-164277 Iang (Phishing faceoff... manual trackback) Mon, 12 May 2008 15:56:54 +0000 http://blog.johnath.com/?p=117#comment-164277 Jonath: I had to think a bit, but it came to me: browser hardening should be high on the agenda. As we know, the threat is widening to include attacks directly into the user's computer, and into the user's browser. Yes, this is a non-specific, non-concrete requirement, leaving implementation open for much discussion. Some people have tried to do it, and got some distance before running out of breath. Maybe this is an area where firefox internal people have a natural advantage over plugin developers? Jonath: I had to think a bit, but it came to me: browser hardening should be high on the agenda. As we know, the threat is widening to include attacks directly into the user’s computer, and into the user’s browser.

Yes, this is a non-specific, non-concrete requirement, leaving implementation open for much discussion. Some people have tried to do it, and got some distance before running out of breath. Maybe this is an area where firefox internal people have a natural advantage over plugin developers?

]]> By: Gerv http://blog.johnath.com/2008/04/16/security-ui-in-firefox-3plus1/comment-page-1/#comment-156967 Gerv Fri, 18 Apr 2008 19:23:08 +0000 http://blog.johnath.com/?p=117#comment-156967 johnath: these all look like good areas to be looking into. Of course, it's hard to judge without concrete proposals :-) But no-one's asking you for those yet. johnath: these all look like good areas to be looking into. Of course, it’s hard to judge without concrete proposals :-) But no-one’s asking you for those yet.

]]> By: Johnath http://blog.johnath.com/2008/04/16/security-ui-in-firefox-3plus1/comment-page-1/#comment-156565 Johnath Thu, 17 Apr 2008 13:38:13 +0000 http://blog.johnath.com/?p=117#comment-156565 @Bill & Ethan - You'll be happy to know that the FF3 "Allow" button does precisely that. Whitelisting a domain permanently now requires going into your security options, the default is a one-time pass. I should have mentioned that in my opening paragraph, because it's a big deal, but that list is *hardly* exhaustive. FF3 is pretty awesome. :) @Bill & Ethan – You’ll be happy to know that the FF3 “Allow” button does precisely that. Whitelisting a domain permanently now requires going into your security options, the default is a one-time pass.

I should have mentioned that in my opening paragraph, because it’s a big deal, but that list is *hardly* exhaustive. FF3 is pretty awesome. :)

]]> By: Ethan Sisson http://blog.johnath.com/2008/04/16/security-ui-in-firefox-3plus1/comment-page-1/#comment-156428 Ethan Sisson Thu, 17 Apr 2008 05:10:31 +0000 http://blog.johnath.com/?p=117#comment-156428 I agree with Bill Mill. I don't think an added "Allow only this time"/"Allow Once" button would complicate the decision for the user. I agree with Bill Mill. I don’t think an added “Allow only this time”/”Allow Once” button would complicate the decision for the user.

]]> By: Bill Mill http://blog.johnath.com/2008/04/16/security-ui-in-firefox-3plus1/comment-page-1/#comment-156332 Bill Mill Wed, 16 Apr 2008 22:13:03 +0000 http://blog.johnath.com/?p=117#comment-156332 Here's my beef: when I want to install an extension, let's say from http://getfirebug.com, I get a warning that I'm not allowed to install extentions from there, and do I want to allow that site? If I do allow it, then it gets added to my *permanent* list of exceptions. But I don't know if there'll be malware at any given site in the future! There should be a "grant temporary exception to this site" button instead of the current "grant permanent exception". Here’s my beef: when I want to install an extension, let’s say from http://getfirebug.com, I get a warning that I’m not allowed to install extentions from there, and do I want to allow that site?

If I do allow it, then it gets added to my *permanent* list of exceptions. But I don’t know if there’ll be malware at any given site in the future! There should be a “grant temporary exception to this site” button instead of the current “grant permanent exception”.

]]> By: Christian (from Denmark) http://blog.johnath.com/2008/04/16/security-ui-in-firefox-3plus1/comment-page-1/#comment-156323 Christian (from Denmark) Wed, 16 Apr 2008 21:13:00 +0000 http://blog.johnath.com/?p=117#comment-156323 When installing a certificate from the CA that is currently designated by the Danish state to issue free certificates to citizens, it involves a signed Java applet that does some stuff to your browser. On Windows it installs a security device (Crypto API) that displays a password dialog whenever the certificate is used. On Linux it just requires you to choose a strong password (> 8 characters etc.) for the built-in "Software Security Device", meaning that you have to enter this password in every browser session the first time you visit a page with a login field that is stored in the password manager (i.e. even when no certificate is involved). This is rather annoying. This is a workaround for this: https://bugzilla.mozilla.org/show_bug.cgi?id=322617 In general, the certificate may be used to access pretty sensitive data and enter legally binding contracts, so it is important that it can be protected more than passwords for random websites. Also, for people using their signature on shared computers, it would be useful if there was a easy way to use certificates stored on USB keys or USB security tokens without having to install the signature in the computer. I don't know if there is a bug filed for this. Since personal certificates are so common around here, we use them where I work as an optional authentication mechanism on websites for customers and employees. They are very easy to deal with in an Apache+PHP setup. When installing a certificate from the CA that is currently designated by the Danish state to issue free certificates to citizens, it involves a signed Java applet that does some stuff to your browser.

On Windows it installs a security device (Crypto API) that displays a password dialog whenever the certificate is used.

On Linux it just requires you to choose a strong password (> 8 characters etc.) for the built-in “Software Security Device”, meaning that you have to enter this password in every browser session the first time you visit a page with a login field that is stored in the password manager (i.e. even when no certificate is involved). This is rather annoying.

This is a workaround for this:
https://bugzilla.mozilla.org/show_bug.cgi?id=322617

In general, the certificate may be used to access pretty sensitive data and enter legally binding contracts, so it is important that it can be protected more than passwords for random websites. Also, for people using their signature on shared computers, it would be useful if there was a easy way to use certificates stored on USB keys or USB security tokens without having to install the signature in the computer. I don’t know if there is a bug filed for this.

Since personal certificates are so common around here, we use them where I work as an optional authentication mechanism on websites for customers and employees. They are very easy to deal with in an Apache+PHP setup.

]]> By: Julian http://blog.johnath.com/2008/04/16/security-ui-in-firefox-3plus1/comment-page-1/#comment-156322 Julian Wed, 16 Apr 2008 21:06:34 +0000 http://blog.johnath.com/?p=117#comment-156322 lol, I have a separate Firefox profile just for private browsing. such a mode would be perfect. lol, I have a separate Firefox profile just for private browsing. such a mode would be perfect.

]]> By: she http://blog.johnath.com/2008/04/16/security-ui-in-firefox-3plus1/comment-page-1/#comment-156306 she Wed, 16 Apr 2008 19:03:51 +0000 http://blog.johnath.com/?p=117#comment-156306 It is great to see developers being brave enough to blog AND allow comments :) It is great to see developers being brave enough to blog AND allow comments :)

]]> By: Tim McCormack http://blog.johnath.com/2008/04/16/security-ui-in-firefox-3plus1/comment-page-1/#comment-156301 Tim McCormack Wed, 16 Apr 2008 18:39:42 +0000 http://blog.johnath.com/?p=117#comment-156301 One of Big Problems in authentication is profile-sharing. People don't want/know/care to create separate OS-level profiles and switch between them, so any transparent authentication done by the browser is anywhere from annoying to dangerous to unusable. Client certificates are one of the most striking examples of this. On the other hand, the advent of client certs could be a motivating force for people to take advantage of profile separation. One of Big Problems in authentication is profile-sharing. People don’t want/know/care to create separate OS-level profiles and switch between them, so any transparent authentication done by the browser is anywhere from annoying to dangerous to unusable. Client certificates are one of the most striking examples of this.

On the other hand, the advent of client certs could be a motivating force for people to take advantage of profile separation.

]]>