Dear Team,

Thank you for your great work so far. I love your products.

One problem scenario I would like to raise about both Firefox and Thunderbird/Daily security: I boot up my machine and log in. I then start Firefox and Thunderbird, log in and enter my master passwords. As I use them all the time, I never close them and never need to re-enter my master passwords ever again; at least until I reboot. As I only ever reboot my machine when a software update needs a reboot, this leaves my browser and email open to attack by anyone who has access to my desktop, whether I leave my desk and forget to lock my screen or someone hacks my machine.

In this scenario, anyone who gets access to my desktop immediately has access to all my web pages and emails. It is very rare that I am not running both all the time for convenience. The websites I visit can easily be found through my bookmarks and web page history, and the password manager just fills in the username and password. Depending on how the password reset page is written, this could allow the attacker to change my passwords and steal my identity. This access could be because of carelessness, or because a key logger has stolen my password, or many other hacks.

A suggested solution: add a sleep feature, to all products with a master password, that requires me to re-enter my master passwords on a regular basis. It is not just desktops that need a sleep function but anything with a master password. I suggest a default value of signing in at least at the start of every working day, but configurable to fit the paranoia of your customers. This would lock down my browser and email even if someone got access to my desktop, for instance while I was absent or after hacking my machine.

This problem could be solved by users' good habits, closing their email or browser when not in use. However, it is easier to remain secure if the software enforces good habits by locking you out of your browser and email automatically.

Robin Murison

P.S. On a completely different subject: could you explain why Yahoo.com reckons that Thunderbird's login mechanism is insecure?

_______________________________________________
dev-security mailing list
dev-security@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security