(previous mail sent to mozilla-dev-security instead of dev-security,
sorry for the inconvenience...)
Hello,
I hope I am at the right place. I would like to better understand the
logic which led to the current situation regarding login forms autofill.
In particular, I wonder why there is an official recommendation to
change `signon.autofillForms` default value while, at the same time,
keeping the setting out of reach of casual users.
This is not a rant or something like that, on the contrary. I'm writing
an article for my blog explaining how to better use Firefox password
manager (I encounter too often non-tech people thinking that standalone
password managers praised by tech-people are overkill for them, which I
consider right, but their decisions afterwards are usually misguided and
very poor security-wise).
The so-called "sweep attack" allows an attacker to steal users
credential for various websites by quickly and successively simulating
the login form of each targeted websites, taking advantage of the
browser autofill feature to provide the matching credential to the
attacker without any user intervention.
This attack is mainly popular on rogue WiFi access points, but the
raised of malicious software targeting ISP-provided routers I would not
be surprised to find it also applied directly in users' home.
Firefox provides a setting, `signon.autofillForms`, which when set to
`false` makes Firefox to require a user intervention before filling an
authentication form.
This setting is documented here:
http://kb.mozillazine.org/Signon.autofillFormsBy default it is set to `true`, the above mentioned documentation
recommends to change it to thwart this attack.
The reason why this value defaults to `true` is discussed in the bug
discussion attached to this KB:
https://bugzilla.mozilla.org/show_bug.cgi?id=360493#c236> we simply annoy and alienate all the users who expect autofill to work
> as it has since Firefox 1.0.
When asking non-tech people around me they seem neither "annoyed" nor
"alienated" with the flow of having to click on an login field to get
Firefox's drop down proposing to fill it automatically.
This bug being pretty old now (more than 10 years old), I wonder if such
statement still stands in todays Internet? Maybe users relation to
electronic devices has evolved since then?
The default is to have autofill enabled because of this historical
reason and the KB recommends to disable it for security reason.
While I may understand the choice for the default value, why is this
setting buried in the `about:config` screen then? Why isn't there a
checkbox in Firefox security settings allowing to enable/disable
authentication forms auto-filling?
Firefox built-in password manager targets casual users, and I feel bad
having to recommend those users to go in the `about:config` screen. I
feel also bad in keeping them from taking advantage of a nice and
well-done security feature just for the sake of avoiding to break their
"Firefox 1.0 experience".
Shouldn't `signon.autofillForms` be set to false by default? If not,
shouldn't a checkbox be proposed to allow casual users to easily change
it? And if not: why?
I'm sure this has been largely discussed in the past and there are good
reasons behind those choices, so I just would like to understand the
*why* because the current situation (default value = true, recommend
users to change it but bury the setting to prevent any easy change)
doesn't currently makes any sense to me.
I must miss something, thank you by advance for pointing me in the right
direction!
Regards,
Simon.
--
WhiteWinterWolf
https://www.whitewinterwolf.com_______________________________________________
dev-security mailing list
[hidden email]
https://lists.mozilla.org/listinfo/dev-security