Scenario:
Someone stole your USB thumbdrive, which contain some sensitive data, including some passwords and/or session informations. The thief could then access some of your accounts you previously logged in.
Solution:
The default Firefox's behavior is insecure for a roaming profile like the one used in Firefox Portable. Here are my recommendations:
Use a Master Password (Tools -> Options -> Security -> Master Password), the stronger the password is, the better (use the strength indicator, it's not there for coolness factor). This will encrypt the passwords in the signons3.txt file so they won't be viewable without the Master Password.
because the cookies and session informations are NOT encrypted using the Master Password, this is a security threat that could grant access to your account if you activated the auto-login options, even if there is a Master Password. Also, if someone move your cookies.sqlite file from Firefox Portable profile to another profile, they will be able to use the cookies to gain access to some accounts with your saved credentials.
In order to avoid this, we will have to make sure that all sensitive datas and session informations will be cleared when Firefox is closed. To do so, we will have to use the option "Always clear my private data when I close Firefox" combined with the following options checked in the Settings:
-Saved Form and Search History
-Cache
-Cookies
-Offline Web Site Data
-Authenticated Sessions
This way, no cookies will be kept in Firefox, and the only way to gain access to your accounts will be to know the Master Password. Take note that because the cookies are not saved, you will lose the cookie-based website settings and the ability to auto-login to websites. The saved usernames and passwords will however be auto-completed in the login pages. This is in my opinion a good trade-off between security and usability.
By using those settings, it should give you at least enough time to change your password before a thief manage to brute force your Master Password, making the stored passwords useless.
Please leave some comments if you think there is something missing, or to give some feedback.
Thanks !
m-p{3}
Visit the Community page
Join our forums
Subscribe to our email newsletter
Subscribe with RSS
Follow us on Facebook
Follow us on LinkedIn
Follow us on Twitter
Follow us on Mastodon
Follow us on BlueSky
You did ask for comments,
I thought all of this was pretty well known,
I don't use it on my hard drive,
but have had it set that way on my flash since day one of 1.5
Tim
Things have got to get better, they can't get worse, or can they?
Thanks for the comment,
I'm pretty sure I won't learn anything to you and most power-users.
I hope this will become useful for users will less computer/Firefox experience, as data-thief is usually due to lack of knowledge.
How can you protect yourself if you don't know what you should protect first?
I sense from your reply that you might have taken offense
I assure you none was intended
I was sincere in my comment,
I "thought" that this was pretty well known.
That is, I am "surprised" if it is not common knowledge,
That's all I meant
Tim
Things have got to get better, they can't get worse, or can they?
Haha, there is absolutely no offense
I'm grateful you replied to my original post
This is extremely useful information for the
non-technical users, the overwhelming majority
Experience has taught me that there is no such thing as "common knowledge" where computers are involved .
Aside from the session manager and cookie issue, I would like to suggest KeePass Password Safe Portable for password management: https://portableapps.com/apps/utilities/keepass_portable
It stores all your passwords in an encrypted (AES or TwoFish) file that can easily be used on any number of locations, such as your home machine, office machine, USB drive, etc. It also has the added security measure of offering the requirement of a keyfile - without that file, even if they did somehow get the password, a would-be thief would still get absolutely nowhere.
Additionally, this program offers the advantage of working on "any" password field, not just in Firefox - you could use it in Firefox, your IM client, etc.
Besides, I think I had read somewhere that there were ways to get around Firefox's master password (sorry about the lack of a reference)...
Will keepsafe, work in a similar way to roboform? i.e. open web site and fill in password details?
Graham Yates
KeePass don't auto-fill forms at the moment, but I'm pretty sure this could be done through a communication layer between the browser and the application with an extension. Unfortunately, no one has taken the business of doing it, and I don't feel like I have neither the programming knowledge or time to do it.
There is a possibility of accessing the encrypted passwords through brute-force, but the timeframe should be big enough between the moment you discover that you lost the thumbdrive so you can do a password change.
I should verify what kind of encryption is used by the Master Password feature (AES, Twofish, Serpent ?). Somebody know that information just in case before I start searching ?
One thing I'd like to see is an extension that encrypt the cookies and session information with the Master Password key. That would be awesome for portable users like us, if the encryption is secure enough.
EDIT: Downloading Firefox 3.0 final source code, I'm really curious about this. I'll post about it later.
Yeah! If anyone could help with pointing out such an extension, or maybe write on... wow! That would be awesome!
I'm not sure what particular encryption algorithm is used but I know that the brute force time becomes impractical if you're using a password of decent complexity.
Anyone who is concerned can try brute forcing their own password:
http://www.securityxploded.com/firemaster.php
Nice guide, I'm sure it will help concerned users get a grasp of securing their profile. I've seen far too many people being complacent with what data they leave on their flash drives.
I personally just put all my applications into a Truecrypt volume on my flash drive, I know quite a lot of other people do this too. This way I don't have to worry about sensitive data somewhere that I may have overlooked and I can enjoy the convenience of saved form history etc.
With all the new features in Firefox 3 collecting more and more personal data I'd rather not let anyone near my profile directory at all. There's also other potentially sensitive information like your bookmarks and information stored by extensions to be worried about. Maybe I'm just paranoid.
Saying that there are downsides to using Truecrypt as a solution:
What I see as key advantages to Truecrypt:
If you've got a reasonably fast flash drive and won't be using too many low end computers I'd recommend people take a look at Truecrypt. Otherwise a master password and clearing private data is the next best thing.
www.truecrypt.org
Hate to break it to you, but this has been discussed so many times it makes me dizzy.
Truecrypt requires admin rights to run.
No offense to you, but as a general warning before we all run out and install our FF into a truecrpyt container.
Too many lonely hearts in the real world
Too many bridges you can burn
Too many tables you can't turn
Don't wanna live my life in the real world
No offense taken, I know that Truecrypt has been discussed to death all over the internet. However if a user doesn't know about the master password then chances are they don't know about Truecrypt either.
I did mention the administrator privilege problem in my post. You don't need administrator privileges to run it if it has been installed locally, but I know it isn't easy to convince the IT people at your work/university/cafe etc that Truecrypt is a good thing.
My concern is that I don't always have administrative privileges on some systems, which stop me from using TrueCrypt as it need a system-level driver to be executed to decrypt and encrypt on-the-fly.
I'd like to see an effort from the Mozilla team to increase the sight of the Master Password to several other items like the cookies, history and bookmarks.
If they can do it for passwords, why not for these sensitive data too ?
I've finally found the information regarding the password encryption in Firefox.
Source (securityfocus.com)
4.2.2 Firefox 0.7-1.5 and 2.0
Storage Construct: Text File (signons.txt)
Format: ASCII, using Base64 encoding (except URL and fields)
URL (clear text, i.e. www.gmail.com)
Field name (in cleartext, e.g. username, email, userid, etc.)
Encrypted and Base64 encoded value of above information
Field name (i.e. password, pass, etc.)
Encrypted and Base64 encoded value of above information
...etc... (Could have many entries for one URL)
.
(Each URL entry ends with period on separate to line)
Encryption: TripleDES (CBC mode) [ref 16]
Access: Network Security Services (NSS) API [ref 17]
Requirements for Access: User logged in and the Master Password (if set)
Relevant files: Certificates (Signed Public Keys) stored as certN.db, Private Key Database stored as keyN.db, and Security Modules stored as secmod.db [ref 18]
Note that files locations were previously addressed in section 4.1.
Firefox uses the Network Security Services API to perform its cryptographic operations. As it relates to the Password Manager Firefox makes use of Public Key Cryptography Standard (PKCS) #11 [ref 19] which defines an API for third party security modules that are either software or hardware based. It also uses PKCS#5 for password based encryption. [ref 19] Firefox also has an option of using an alternative security module for the password manager that is Federal Information Processing Standard (FIPS) 140-1 compliant. [ref 20] The Master Password is used in conjunction with a salt (found in the keyN.db file) is used to derive a Master Key. The Master Key is then in turn used to decrypt the usernames, passwords that are stored in the Password Manager.
The NSS API, although not easily tackled, has some vital functions that let Firefox or a related program to gain access to the password database. Setting the password is handled by (PK11_SetPasswordFunc), decoding base64 data (NSSBase64_DecodeBuffer), and decrypting (PK11SDR_Decrypt) allows a related program to access usernames and associated passwords; this is of course a simplified example. The real code would need to initialize NSS, declare variables, manage buffers and so forth. The security of the entire system, however, weights on the cryptographic strength of the Master Password (created by the user), and accessibility to the key3.db file (which contains the salt), and is stored in the user's profile.
The FIPS 140-1 security module can be enabled by navigating to the following location:
Firefox 1.5 on Windows:
Tools | Options | Advanced | Security Devices | NSS Internal FIPS PKCS #11
Firefox 2.0 on Windows:
Tools | Options | Advanced | Encryption | Security Devices | NSS Internal FIPS PKCS #11
Wow, that's a heck of a post. Thanks for sharing so much great info!
Nice tutorial.
Alive and kicking!
"If you were a robot, and I knew but you didn't, would you want me to tell you?"