Safari and Chrome: Tied For the Worst Password Manager 218
Startled Hippo writes "Safari and Chrome are tied for the worst password manager built into a major Web browser, according to a new study on the issue produced by Chapin Information Services. One problem is that some password managers can be tricked into submitting different password credentials to different parts of the same Web site. The bug has been fixed in Firefox, but Chrome and Safari are still vulnerable to this kind of attack."
Re:I Use A Mac... (Score:5, Informative)
macs do get credit for putting the passwords where they belong: in a centralized password keychain. Firefox rolls it's own separate password manager. At various time firefox's keychain has been found to be insecure and it's separate from your other keychains. There's no simple keychain brownser interface like the centralized keychain protection system safari uses.
If you want to encrypt or hide or transport all your passwords it's easy in safari but hard in firefox since how it's done changes.
Before someone asks (Score:5, Informative)
"How can this be exploited" when some subtree memeber of a domain can read credentials that should only be given to the top level member, read http://www.linuxjournal.com/content/understanding-kaminskys-dns-bug [linuxjournal.com].
To save the others the hassle, allow me to sketch something. It's trivial to get the domain a000001.amazon.com under your control. It is, believe me, if you don't, just read it up. Well, maybe not exactly a0000001... but something to the quality of $foo.amazon.com can easily be made to point back to a webpage you control.
Next, create a page for the internets most sought after resource: pr0n. Do like the missionaries, spread the word, unlike them you have ICQ and spam at your disposal to get people to visit your page. On this page, refer to $foo.amazon.com
Then have $foo.amazon.com ask for the credentials.
It's not so much that the threat of hijacking a "real" domain name (i.e. amazon.com itself) is too big after a few ISPs toughened their DNS lookups when the patches didn't come quickly. Few ISPs are left that are actually vulnerable to having their caches completely rewritten. Subdomains can still be hijacked (even after the half-assed patch we got lately), and in combination with browsers that send credentials to whatever subdomain, it's a serious security problem.
Re:I Use A Mac... (Score:4, Informative)
Windows is an ambiguous case. As best I understand it, MS decided not to implement a flexible system for centralized storage of third party passwords because they wanted everybody to use their
Different passwords in different areas? (Score:4, Informative)
And that's a "trick" because...? Surely there are times when you want to have different passwords in different areas. I've got basic HTTP authentication on an admin area of one of my sites. From there I've then got a number of tools, at least one of which requires a separate login. There's situations like that where you want different passwords for different areas.
What annoys me with password managers at the moment is Firefox filling in too many passwords! If you record a password for one set of login forms and then go to any other page on the same domain with a password box with a text box just above it then Firefox blindly guesses that they're a login box (even if they're called "foo" and "bar" when you recorded the details for the fields "username" and "password"). That can really start to cock up some of your settings in things like phpBB's admin control panel if you don't notice what it has auto-filled.
Re:Aha! (Score:3, Informative)
Re:I Use A Mac... (Score:2, Informative)
I have no idea about Windows, but there are several such applications available for Linux or any other unices.
For Gnome users, there is Gnome Keyring, and I believe the equivalent for KDE is KDE Wallet. I dare say there are others I haven't heard of.
Re:MAJOR browser? (Score:1, Informative)
Re:Why focus on Chrome? (Score:1, Informative)
A quick googling of Chapin Information Services (no quotes) will give the following article:
http://www.info-svc.com/news/11-21-2006/
It took this company/group/person 2 years to go from one scary result in Firefox to quantified results in 3 browsers. While the threat is valid, I would take the metrics with a grain of salt.
Re:Never use password managers (Score:3, Informative)
And if you leave that lying around I think you should be more worried about card numbers being pinched.
Re:Please! (Score:4, Informative)
Clear your saved passwords *for their site*:
Part 1: Delete all saved passwords for www.info-svc.com
Re:I Use A Mac... (Score:2, Informative)
No, seriously? Linux FF is always faster for me than Windows FF. And Gnome integration + QT4 theme makes it look nice with KDE.
Re:Never use password managers (Score:1, Informative)
No, because slashdot logs IPs.
Re:Aha! (Score:3, Informative)
That's a quotation by Archimedes [wikipedia.org]: "Give me a place to stand and with a lever I will move the whole world."
Re:I Use A Mac... (Score:4, Informative)
In real life, near all OS X native browsers and even commercial password manager 1Password uses keychain. On Gnome and KDE, only their own default browsers use their subsystems.
Apple made it somehow easy to integrate with keychain no matter how your application is coded in whatever language. Even AppleScript/OSAScript "Apps" use Keychain very effectively.
Firefox and Opera doesn't use it because they don't feel like it, that is all. I mean, that is why both browsers can't be "tried" on a up and running OS X since nobody would bother to type in 200 passwords while they got them recorded elsewhere and perfectly used by Omniweb etc.