Suggested Security Improvement

Mozilla - Security mailing list
Dear Team,

Thank you for your great work so far. I love your products.

One problem scenario I would like to raise about both Firefox and
Thunderbird/Daily security:

I boot up my machine and log in. I then start Firefox and Thunderbird,
log in and enter my master passwords. As I use them all the time, I
never close them and never need to re-enter my master passwords ever
again; at least until I reboot. As I only ever reboot my machine when a
software update needs a reboot, this leaves my browser and email open to
attack to anyone who has access to my desktop. Whether I leave my desk
and forget to lock my screen or if anyone hacks my machine.

In this scenario, anyone who gets access to my desktop immediately has
access to all my web pages and emails. It is very rare that I am not
running both all the time for convenience.  The websites I visit can
easily be found through my bookmarks and web page history and the
password manager just fills in the username and password. Depending on
how the password reset page is written, this could allow the
attacker to change my passwords and steal my identity.

This access could be because of carelessness or because a key logger has
stolen my password or many other hacks.

A suggested solution.

Add a sleep feature that requires me to re-enter my master passwords to
all products with a master password on a regular basis.

It is not just desktops that need a sleep function but anything with a
master password.

I suggest a default value of signing in at least at the start of every
working day, but configurable to fit the paranoia of your customers. 
This would lock down my browser and email even if someone got access to
my desktop. For instance while I was absent or after hacking my machine.

This problem could be solved by users' good habits of closing their email
or browser when not in use. However, it is easier to remain secure if
the software enforces good habits by locking you out of your browser and
email automatically.

Robin Murison
P.S. On a completely different subject: Could you explain why Yahoo.com 
reckons that Thunderbird's login mechanism is insecure?
_______________________________________________
dev-security mailing list
[hidden email]
https://lists.mozilla.org/listinfo/dev-security
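The "sleep feature" the post asks for, sketched below as an added example; this is illustrative code written for this page, not Mozilla code and not something the poster supplied. It assumes a master-password-protected secret store whose unlocked session has a hard expiry measured from the last successful unlock (so the user must re-enter the master password at least once per `lock_after_seconds`, defaulting to one working day, rather than merely after idleness), and it drops the derived key from memory when the session expires so that an unattended or compromised desktop no longer has a usable key. The class name, the PBKDF2 iteration count and the HMAC-SHA256 keystream construction are assumptions chosen for a self-contained demo, not a description of how Firefox or Thunderbird protect the master password.

```python
import hashlib
import hmac
import os
import time
from typing import Callable, Dict, Optional

# Assumption: a deliberately slow derivation so guessing the master password offline is costly.
PBKDF2_ITERATIONS = 200_000


class LockedError(Exception):
    """Raised when a secret is requested while the store is locked."""


class AutoLockingStore:
    """Master-password-protected store whose unlocked session expires on a schedule.

    The deadline runs from the last successful unlock, not from the last use, so
    a user who keeps the browser or mail client open all week is still forced to
    re-enter the master password every `lock_after_seconds` (default: one
    working day of 8 hours). On expiry the derived key is discarded.
    """

    def __init__(self, master_password: str, lock_after_seconds: int = 8 * 3600,
                 clock: Callable[[], float] = time.monotonic) -> None:
        self._salt = os.urandom(16)
        key = self._derive(master_password, self._salt)
        # Store only a one-way verifier of the key, never the key itself.
        self._verifier = hmac.new(key, b"verifier", hashlib.sha256).digest()
        del key
        self._lock_after = lock_after_seconds
        self._clock = clock  # injectable so a test can move time forward
        self._key: Optional[bytes] = None
        self._unlocked_at: Optional[float] = None
        self._entries: Dict[str, bytes] = {}  # name -> nonce || ciphertext || tag

    @staticmethod
    def _derive(password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                                   PBKDF2_ITERATIONS, dklen=32)

    @staticmethod
    def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
        # Demo-only stream cipher: HMAC-SHA256 in counter mode. Fine for a sketch,
        # but a real product would use an authenticated cipher such as AES-GCM.
        out, counter = b"", 0
        while len(out) < length:
            out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
            counter += 1
        return out[:length]

    def _seal(self, key: bytes, plaintext: bytes) -> bytes:
        nonce = os.urandom(16)
        ct = bytes(a ^ b for a, b in zip(plaintext, self._keystream(key, nonce, len(plaintext))))
        tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()  # encrypt-then-MAC
        return nonce + ct + tag

    def _open(self, key: bytes, blob: bytes) -> bytes:
        nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
        if not hmac.compare_digest(hmac.new(key, nonce + ct, hashlib.sha256).digest(), tag):
            raise ValueError("entry has been tampered with")
        return bytes(a ^ b for a, b in zip(ct, self._keystream(key, nonce, len(ct))))

    def unlock(self, master_password: str) -> bool:
        """Re-derive the key from the password; start a fresh session if it verifies."""
        key = self._derive(master_password, self._salt)
        if not hmac.compare_digest(hmac.new(key, b"verifier", hashlib.sha256).digest(),
                                   self._verifier):
            return False
        self._key = key
        self._unlocked_at = self._clock()
        return True

    def lock(self) -> None:
        """Forget the key; every later access needs the master password again."""
        self._key = None
        self._unlocked_at = None

    def is_unlocked(self) -> bool:
        if self._key is None or self._unlocked_at is None:
            return False
        if self._clock() - self._unlocked_at >= self._lock_after:
            self.lock()  # session expired: drop the key before answering
            return False
        return True

    def _require_key(self) -> bytes:
        if not self.is_unlocked():
            raise LockedError("master password required")
        assert self._key is not None
        return self._key

    def put(self, name: str, secret: str) -> None:
        self._entries[name] = self._seal(self._require_key(), secret.encode("utf-8"))

    def get(self, name: str) -> str:
        return self._open(self._require_key(), self._entries[name]).decode("utf-8")


if __name__ == "__main__":
    # Constructed sample run with a fake clock so the expiry is visible immediately.
    now = [0.0]
    store = AutoLockingStore("correct horse battery staple", lock_after_seconds=3600,
                             clock=lambda: now[0])
    store.unlock("correct horse battery staple")
    store.put("mail", "hunter2")
    print("within session:", store.get("mail"))
    now[0] = 3600.0
    try:
        store.get("mail")
    except LockedError as exc:
        print("after expiry:", exc)
```

The injectable clock is what makes the expiry testable without waiting a day; in a real client the same check would run on every password-manager lookup and on a timer, and a "lock at a fixed time of day" policy is a one-line change to the comparison in `is_unlocked`.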