+1

Thanks for bringing this up, Jorg!  I consider the master password feature as something very important and unique to Firefox and any Gecko based application, specifically in times of various malware that can easily attack the database file in its well-known location.

I'm adding Dana (in case she doesn't watch governance) as this issue will likely land in the hands of PSM module peers.

-hb-


On 2019-04-05 16:02, Jörg Knobloch via governance wrote:
Hi Mitchell,

I am writing to you as a long time Firefox user and Mozilla contributor for many years.

In the past years we have seen an amazing amount of innovation in Firefox to make it a faster, more stable, better looking and overall much better browser. A brilliant team of highly skilled engineers supported by a dedicated community of volunteers have taken Firefox to new heights.

That said, fixing a long-standing issue, the highly insecure master password, has fallen by the wayside. As a brief summary: If the user chooses, the master password protects site passwords, including access to webmail, and personal certificates in Firefox. Needless to say, gaining access to those could have some disastrous consequences. It is well-known that the master password of Firefox can be cracked in 1-2 minutes with very basic hardware and skill set. The bug has been known since 2009[1][2] and Firefox has received bad press about it, some references here[3][4][5]. I last "poked" the issue here[6] on dev-platform with no success. Skimming the discussion in the bugs, the consensus appears to be: Yes it's an issue, yes, it should be fixed, but no action follows.

So I have been wondering what is behind this. Is there a lack of governance structures within Mozilla or lack of management structures within the Mozilla Corporation that has not allowed for this issue to be escalated? It would be hard to believe that Mozilla engineers do not have the skills to fix what appears to be a very basic problem glancing at the bugs I quoted. Even if so, an external contractor could be hired for this task.

Or is this backdoor left open due to some undisclosed obligation? One could start to believe this when reading the following comment[6, 2nd in thread]: "Yes, we're looking at it, but don't have a detailed plan or schedule to share yet". In this case it would be desirable to officially declare the feature as insecure or even disable it. After all, the fourth principle of the Mozilla Manifesto reads "Individuals’ security and privacy on the internet are fundamental and must not be treated as optional".

With kind regards,

Jörg, user and contributor from Berlin, Germany.

[1] https://bugzilla.mozilla.org/show_bug.cgi?id=524403
[2] https://bugzilla.mozilla.org/show_bug.cgi?id=973759
[3] https://www.bleepingcomputer.com/news/security/firefox-master-password-system-has-been-poorly-secured-for-the-past-9-years/
[4] https://nakedsecurity.sophos.com/2018/03/20/nine-years-on-firefoxs-master-password-is-still-insecure/
[5] https://fossbytes.com/firefox-master-password-weak-encryption-brute-force-one-minute/
[6] https://groups.google.com/d/msg/mozilla.dev.platform/k2g6G2F3xo0/KLICUiJSAQAJ

_______________________________________________
governance mailing list
governance@lists.mozilla.org
https://lists.mozilla.org/listinfo/governance
