Login forms autofill
Locked
 
|
Hello,
I hope I am at the right place. I would like to better understand the logic which led to the current situation regarding login forms autofill. In particular, I wonder why there is an official recommendation to change `signon.autofillForms` default value while, at the same time, keeping the setting out of reach of casual users. This is not a rant or something like that, on the contrary. I'm writing an article for my blog explaining how to better use Firefox password manager (I encounter too often non-tech people thinking that standalone password managers praised by tech-people are overkill for them, which I consider right, but their decisions afterwards are usually misguided and very poor security-wise). The so-called "sweep attack" allows an attacker to steal users credential for various websites by quickly and successively simulating the login form of each targeted websites, taking advantage of the browser autofill feature to provide the matching credential to the attacker without any user intervention. This attack is mainly popular on rogue WiFi access points, but the raised of malicious software targeting ISP-provided routers I would not be surprised to find it also applied directly in users' home. Firefox provides a setting, `signon.autofillForms`, which when set to `false` makes Firefox to require a user intervention before filling an authentication form. This setting is documented here: http://kb.mozillazine.org/Signon.autofillForms By default it is set to `true`, the above mentioned documentation recommends to change it to thwart this attack. The reason why this value defaults to `true` is discussed in the bug discussion attached to this KB: https://bugzilla.mozilla.org/show_bug.cgi?id=360493#c236 > we simply annoy and alienate all the users who expect autofill to work > as it has since Firefox 1.0. When asking non-tech people around me they seem neither "annoyed" nor "alienated" with the flow of having to click on an login field to get Firefox's drop down proposing to fill it automatically. This bug being pretty old now (more than 10 years old), I wonder if such statement still stands in todays Internet? Maybe users relation to electronic devices has evolved since then? The default is to have autofill enabled because of this historical reason and the KB recommends to disable it for security reason. While I may understand the choice for the default value, why is this setting buried in the `about:config` screen then? Why isn't there a checkbox in Firefox security settings allowing to enable/disable authentication forms auto-filling? Firefox built-in password manager targets casual users, and I feel bad having to recommend those users to go in the `about:config` screen. I feel also bad in keeping them from taking advantage of a nice and well-done security feature just for the sake of avoiding to break their "Firefox 1.0 experience". Shouldn't `signon.autofillForms` be set to false by default? If not, shouldn't a checkbox be proposed to allow casual users to easily change it? And if not: why? I'm sure this has been largely discussed in the past and there are good reasons behind those choices, so I just would like to understand the *why* because the current situation (default value = true, recommend users to change it but bury the setting to prevent any easy change) doesn't currently makes any sense to me. I must miss something, thank you by advance for pointing me in the right direction! Regards, Simon. -- WhiteWinterWolf https://www.whitewinterwolf.com _______________________________________________ dev-security mailing list [hidden email] https://lists.mozilla.org/listinfo/dev-security |
|
|
(previous mail sent to mozilla-dev-security instead of dev-security,
sorry for the inconvenience...) Hello, I hope I am at the right place. I would like to better understand the logic which led to the current situation regarding login forms autofill. In particular, I wonder why there is an official recommendation to change `signon.autofillForms` default value while, at the same time, keeping the setting out of reach of casual users. This is not a rant or something like that, on the contrary. I'm writing an article for my blog explaining how to better use Firefox password manager (I encounter too often non-tech people thinking that standalone password managers praised by tech-people are overkill for them, which I consider right, but their decisions afterwards are usually misguided and very poor security-wise). The so-called "sweep attack" allows an attacker to steal users credential for various websites by quickly and successively simulating the login form of each targeted websites, taking advantage of the browser autofill feature to provide the matching credential to the attacker without any user intervention. This attack is mainly popular on rogue WiFi access points, but the raised of malicious software targeting ISP-provided routers I would not be surprised to find it also applied directly in users' home. Firefox provides a setting, `signon.autofillForms`, which when set to `false` makes Firefox to require a user intervention before filling an authentication form. This setting is documented here: http://kb.mozillazine.org/Signon.autofillForms By default it is set to `true`, the above mentioned documentation recommends to change it to thwart this attack. The reason why this value defaults to `true` is discussed in the bug discussion attached to this KB: https://bugzilla.mozilla.org/show_bug.cgi?id=360493#c236 > we simply annoy and alienate all the users who expect autofill to work > as it has since Firefox 1.0. When asking non-tech people around me they seem neither "annoyed" nor "alienated" with the flow of having to click on an login field to get Firefox's drop down proposing to fill it automatically. This bug being pretty old now (more than 10 years old), I wonder if such statement still stands in todays Internet? Maybe users relation to electronic devices has evolved since then? The default is to have autofill enabled because of this historical reason and the KB recommends to disable it for security reason. While I may understand the choice for the default value, why is this setting buried in the `about:config` screen then? Why isn't there a checkbox in Firefox security settings allowing to enable/disable authentication forms auto-filling? Firefox built-in password manager targets casual users, and I feel bad having to recommend those users to go in the `about:config` screen. I feel also bad in keeping them from taking advantage of a nice and well-done security feature just for the sake of avoiding to break their "Firefox 1.0 experience". Shouldn't `signon.autofillForms` be set to false by default? If not, shouldn't a checkbox be proposed to allow casual users to easily change it? And if not: why? I'm sure this has been largely discussed in the past and there are good reasons behind those choices, so I just would like to understand the *why* because the current situation (default value = true, recommend users to change it but bury the setting to prevent any easy change) doesn't currently makes any sense to me. I must miss something, thank you by advance for pointing me in the right direction! Regards, Simon. -- WhiteWinterWolf https://www.whitewinterwolf.com _______________________________________________ dev-security mailing list [hidden email] https://lists.mozilla.org/listinfo/dev-security |
|
|
In reply to this post by WhiteWinterWolf
On 02/11/17 11:23, WhiteWinterWolf wrote:
> In particular, I wonder why there is an official recommendation to > change `signon.autofillForms` default value while, at the same time, > keeping the setting out of reach of casual users. The site you reference is not official, and so what is says is not an official recommendation. It seems the Firefox developers have decided that "true" is the correct value for this preference, and have further decided it doesn't need UI. Gerv _______________________________________________ dev-security mailing list [hidden email] https://lists.mozilla.org/listinfo/dev-security |
|
|
Le 02/11/2017 à 17:56, Gervase Markham a écrit :
> On 02/11/17 11:23, WhiteWinterWolf wrote: >> In particular, I wonder why there is an official recommendation to >> change `signon.autofillForms` default value while, at the same time, >> keeping the setting out of reach of casual users. > > The site you reference is not official, and so what is says is not an > official recommendation. It seems the Firefox developers have decided > that "true" is the correct value for this preference, and have further > decided it doesn't need UI. Thank you for your answer. This is sad (from my personal point-of-view) but this makes things logical now, Regards, Simon. -- WhiteWinterWolf https://www.whitewinterwolf.com _______________________________________________ dev-security mailing list [hidden email] https://lists.mozilla.org/listinfo/dev-security |
|
|
Hello Simon,
Note that we also have an additional preference - signon.autofillForms.http - that is set to false by default. This preference turns of autofilling passwords on HTTP pages without user interaction. The user has to select the username in order for the password to be filled. The reason this preference was added was to prevent attacks like the one you reference. Thanks! ~Tanvi On Thu, Nov 2, 2017 at 10:18 AM, WhiteWinterWolf < [hidden email]> wrote: > Le 02/11/2017 à 17:56, Gervase Markham a écrit : > >> On 02/11/17 11:23, WhiteWinterWolf wrote: >> >>> In particular, I wonder why there is an official recommendation to >>> change `signon.autofillForms` default value while, at the same time, >>> keeping the setting out of reach of casual users. >>> >> >> The site you reference is not official, and so what is says is not an >> official recommendation. It seems the Firefox developers have decided >> that "true" is the correct value for this preference, and have further >> decided it doesn't need UI. >> > > Thank you for your answer. This is sad (from my personal point-of-view) > but this makes things logical now, > > Regards, > Simon. > > -- > WhiteWinterWolf > https://www.whitewinterwolf.com > _______________________________________________ > dev-security mailing list > [hidden email] > https://lists.mozilla.org/listinfo/dev-security > dev-security mailing list [hidden email] https://lists.mozilla.org/listinfo/dev-security |
|
|
Hello Tanvi,
I already knew this setting, it highlights the desire from Mozilla to keep the autofill feature active as much as possible, even if this means security trade-offs: - Initial issue: autofill fills credential even on forms submitting to unusual third-party websites, some people expressed some concerns that the autofill feature should be disabled but instead Firefox was modified to more closely scrutinize the authentication form submission URL before automatically filling it. - Then it appeared that an attacker in control of the DNS answers can keep the original URL while still redirecting automatic the authentication forms submission to its own servers, so the setting you mention has been added to limit autofilling to HTTPS forms. - Then it appeared that JavaScript can be used to change the submission URL once the authentication form has been automatically filled. I've just checked with Firefox 52.4.0 on Linux Debian, Firefox is still vulnerable to this attack: an attacker just has to change the submission URL after Firefox automatically filled users credentials to send them to any arbitrary HTTPS URL (frankly, I thought this was solved a long time ago and reinforces me even more in my opinion). - Would even Firefox be modified to handle automatically filled authentication forms as a special case and turn some properties read-only from JavaScript, potentially breaking some websites by the way, this wouldn't prevent attacks relying on malicious or leaked CA certificates for instance, + any additional techniques than the ones mentioned above which most likely *will* be discovered in the future, as long as browsers provide such functionality. In my opinion, as a rule a web page should *never* be able to automatically extract sensitive information from the browser's database without user's consent. - You can try to filter the form and submission URLs, the protocols, the JavaScript methods, server certificates and I don't know what else and still leave gaping holes in the process. - Or you can simply require the user to click on an authentication form to fill it. Problem solved. In my opinion, the second option is both more secure, easier to implement and more user friendly. But that's just my opinion. Regards, Simon. Le 13/11/2017 à 22:27, Tanvi Vyas a écrit : > Hello Simon, > > Note that we also have an additional preference - signon.autofillForms.http > - that is set to false by default. This preference turns of autofilling > passwords on HTTP pages without user interaction. The user has to select > the username in order for the password to be filled. The reason this > preference was added was to prevent attacks like the one you reference. > > Thanks! > > ~Tanvi > > On Thu, Nov 2, 2017 at 10:18 AM, WhiteWinterWolf < > [hidden email]> wrote: > >> Le 02/11/2017 à 17:56, Gervase Markham a écrit : >> >>> On 02/11/17 11:23, WhiteWinterWolf wrote: >>> >>>> In particular, I wonder why there is an official recommendation to >>>> change `signon.autofillForms` default value while, at the same time, >>>> keeping the setting out of reach of casual users. >>>> >>> >>> The site you reference is not official, and so what is says is not an >>> official recommendation. It seems the Firefox developers have decided >>> that "true" is the correct value for this preference, and have further >>> decided it doesn't need UI. >>> >> >> Thank you for your answer. This is sad (from my personal point-of-view) >> but this makes things logical now, >> >> Regards, >> Simon. >> >> -- >> WhiteWinterWolf >> https://www.whitewinterwolf.com >> _______________________________________________ >> dev-security mailing list >> [hidden email] >> https://lists.mozilla.org/listinfo/dev-security >> > _______________________________________________ > dev-security mailing list > [hidden email] > https://lists.mozilla.org/listinfo/dev-security > -- WhiteWinterWolf https://www.whitewinterwolf.com _______________________________________________ dev-security mailing list [hidden email] https://lists.mozilla.org/listinfo/dev-security |
|
|
On Tue, Nov 14, 2017 at 12:02:40PM +0100, WhiteWinterWolf wrote:
... ... > - Would even Firefox be modified to handle automatically filled > authentication forms as a special case and turn some properties read-only > from JavaScript, potentially breaking some websites by the way, this > wouldn't prevent attacks relying on malicious or leaked CA certificates for > instance, + any additional techniques than the ones mentioned above which > most likely *will* be discovered in the future, as long as browsers provide > such functionality. in addition to all security risks there is also a potential privacy issue, websites will know that its you as soon as the login (or any other) form is autofilled even long before you hit login. Yet another method of tracking. > - Or you can simply require the user to click on an authentication form to > fill it. Problem solved. > > In my opinion, the second option is both more secure, easier to implement > and more user friendly. But that's just my opinion. makes sense in todays world. Richard -- Name and OpenPGP keys available from pgp key servers _______________________________________________ dev-security mailing list [hidden email] https://lists.mozilla.org/listinfo/dev-security |
«
Return to Mozilla - Security
|
1 view|%1 views
| Free forum by Nabble | Edit this page |