[Desktop-packages] [Bug 41179]
(In reply to Jan Horak from comment #130) > [:gsvelto] are you willing to participate on the reviews? I'd love to help but I'm not a peer of this part of our codebase so I can't review patches for it. Reading Brian Smith's and Justin Dolske's comments I think that we'd like to address bug 973759 first so that the master password does actually provide reasonable protection. Personally I'm a user of this particular feature and I'd like to see something like comment 94 being implemented but I'm not the one calling the shots here. -- You received this bug notification because you are a member of Desktop Packages, which is subscribed to firefox in Ubuntu. https://bugs.launchpad.net/bugs/41179 Title: Integrate with Gnome Keyring Status in Mozilla Firefox: Won't Fix Status in firefox package in Ubuntu: Triaged Bug description: For a really good Gnome integration, it would be great to have the ability to save passwords in the Gnome keyring. A similar thing has been proposed for Epiphany: see https://launchpad.net/malone/bugs/3467. To manage notifications about this bug go to: https://bugs.launchpad.net/firefox/+bug/41179/+subscriptions -- Mailing list: https://launchpad.net/~desktop-packages Post to : desktop-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~desktop-packages More help : https://help.launchpad.net/ListHelp
[Desktop-packages] [Bug 217300]
(In reply to David Webb from comment #111) > Does this sound reasonable? Yes, it sounds like a good idea but also material for a follow-up. Let's open a separate bug for that so that we don't make the patch here too large or we'll never be done with it :) -- You received this bug notification because you are a member of Desktop Packages, which is subscribed to firefox in Ubuntu. https://bugs.launchpad.net/bugs/217300 Title: Seahorse integration Status in The Mozilla Firefox Browser: Confirmed Status in “firefox” package in Ubuntu: Confirmed Bug description: Binary package hint: firefox The Seahorse SSH integration totally rocks! Would it be possible to integrate Firefox with Seahorse to manage web site passwords or the Firefox master password? To manage notifications about this bug go to: https://bugs.launchpad.net/firefox/+bug/217300/+subscriptions -- Mailing list: https://launchpad.net/~desktop-packages Post to : desktop-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~desktop-packages More help : https://help.launchpad.net/ListHelp
[Desktop-packages] [Bug 41179]
(In reply to David Webb from comment #111) > Does this sound reasonable? Yes, it sounds like a good idea but also material for a follow-up. Let's open a separate bug for that so that we don't make the patch here too large or we'll never be done with it :) -- You received this bug notification because you are a member of Desktop Packages, which is subscribed to firefox in Ubuntu. https://bugs.launchpad.net/bugs/41179 Title: Integrate with Gnome Keyring Status in The Mozilla Firefox Browser: Confirmed Status in “firefox” package in Ubuntu: Won't Fix Status in “xulrunner-1.9” package in Ubuntu: Won't Fix Status in “xulrunner-1.9.1” package in Ubuntu: Triaged Bug description: For a really good Gnome integration, it would be great to have the ability to save passwords in the Gnome keyring. A similar thing has been proposed for Epiphany: see https://launchpad.net/malone/bugs/3467. To manage notifications about this bug go to: https://bugs.launchpad.net/firefox/+bug/41179/+subscriptions -- Mailing list: https://launchpad.net/~desktop-packages Post to : desktop-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~desktop-packages More help : https://help.launchpad.net/ListHelp
[Desktop-packages] [Bug 217300]
Created attachment 790711 Refreshed patch (In reply to jhorak from comment #109) > Okay, it seems that we're moving in circles. Who's going to decide which > approach to choice? I can implement storing password to system keyrings but > I won't do this without clear statement from Mozilla what they would like > more. I still prefer storing only master password because of loose coupling. I am also in favor of storing the master password in the keyring as it seems the less intrusive approach and the most likely to land soon. It might not be a perfect solution but it improves the usability of the master password a lot. Besides once the harness is in place it will be easier to change the behavior (to store a random password, add a salt or whatever else). The only thing that we might want to change compared with the existing patch (of which I'm reattaching a refreshed version again) is probably in the UI part where we probably want the option to be shown in the same dialog as the master password instead of on a separate pop-up. I've looked at the password manager log and it seems to me that Justin Dolske comes up often both as a contributor and a reviewer so I'm needinfo'ing him here as he's both a Firefox and Toolkit peer in the hope he's the right person to ask. Justin could you have a look at the approach we're taking here or point us to someone who could help out with this? -- You received this bug notification because you are a member of Desktop Packages, which is subscribed to firefox in Ubuntu. https://bugs.launchpad.net/bugs/217300 Title: Seahorse integration Status in The Mozilla Firefox Browser: Confirmed Status in “firefox” package in Ubuntu: Confirmed Bug description: Binary package hint: firefox The Seahorse SSH integration totally rocks! Would it be possible to integrate Firefox with Seahorse to manage web site passwords or the Firefox master password? To manage notifications about this bug go to: https://bugs.launchpad.net/firefox/+bug/217300/+subscriptions -- Mailing list: https://launchpad.net/~desktop-packages Post to : desktop-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~desktop-packages More help : https://help.launchpad.net/ListHelp
[Desktop-packages] [Bug 41179]
Created attachment 790711 Refreshed patch (In reply to jhorak from comment #109) > Okay, it seems that we're moving in circles. Who's going to decide which > approach to choice? I can implement storing password to system keyrings but > I won't do this without clear statement from Mozilla what they would like > more. I still prefer storing only master password because of loose coupling. I am also in favor of storing the master password in the keyring as it seems the less intrusive approach and the most likely to land soon. It might not be a perfect solution but it improves the usability of the master password a lot. Besides once the harness is in place it will be easier to change the behavior (to store a random password, add a salt or whatever else). The only thing that we might want to change compared with the existing patch (of which I'm reattaching a refreshed version again) is probably in the UI part where we probably want the option to be shown in the same dialog as the master password instead of on a separate pop-up. I've looked at the password manager log and it seems to me that Justin Dolske comes up often both as a contributor and a reviewer so I'm needinfo'ing him here as he's both a Firefox and Toolkit peer in the hope he's the right person to ask. Justin could you have a look at the approach we're taking here or point us to someone who could help out with this? -- You received this bug notification because you are a member of Desktop Packages, which is subscribed to firefox in Ubuntu. https://bugs.launchpad.net/bugs/41179 Title: Integrate with Gnome Keyring Status in The Mozilla Firefox Browser: Confirmed Status in “firefox” package in Ubuntu: Won't Fix Status in “xulrunner-1.9” package in Ubuntu: Won't Fix Status in “xulrunner-1.9.1” package in Ubuntu: Triaged Bug description: For a really good Gnome integration, it would be great to have the ability to save passwords in the Gnome keyring. A similar thing has been proposed for Epiphany: see https://launchpad.net/malone/bugs/3467. To manage notifications about this bug go to: https://bugs.launchpad.net/firefox/+bug/41179/+subscriptions -- Mailing list: https://launchpad.net/~desktop-packages Post to : desktop-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~desktop-packages More help : https://help.launchpad.net/ListHelp
[Desktop-packages] [Bug 217300]
(In reply to Brian Smith (:briansmith), was bsm...@mozilla.com (:bsmith) from comment #94) > 1) I see in the patch that this is a build option that is off by default. I > would prefer it to be ON by default for all Linux desktop builds, and if > libsecret isn't available at runtime, then we just don't use it and we > disable the Firefox UI related to the Gnome Keyring. Is there anything > inherently wrong with doing it this way? It shouldn't be a problem if we can dynamically load the library at runtime. > 3) The Gnome keyring should never store/protect a password that the user > entered. Instead, it should store a randomly-generated key (e.g. 32 bytes of > randomness from nsIRandomGenerator, or similar). NSS's protection of the > master password is very weak, and also users will almost always choose > relatively weak passwords, so using a random key as the NSS password is > important. This has a drawback however: if for some reason you lose your keyring then you loose all your saved passwords. It also means that you can't move your profile across machines unless you also move the keyring (or write down the random-generated password). If the master password by itself is week wouldn't it be better to generate a random salt and store it in plain-text in the profile and then use the master password + salt for the encryption? That would improve the effectiveness of the resulting encryption while keeping a password that cannot be remembered by the user. Would there be any downsides to doing it this way? -- You received this bug notification because you are a member of Desktop Packages, which is subscribed to firefox in Ubuntu. https://bugs.launchpad.net/bugs/217300 Title: Seahorse integration Status in The Mozilla Firefox Browser: Confirmed Status in “firefox” package in Ubuntu: Confirmed Bug description: Binary package hint: firefox The Seahorse SSH integration totally rocks! Would it be possible to integrate Firefox with Seahorse to manage web site passwords or the Firefox master password? To manage notifications about this bug go to: https://bugs.launchpad.net/firefox/+bug/217300/+subscriptions -- Mailing list: https://launchpad.net/~desktop-packages Post to : desktop-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~desktop-packages More help : https://help.launchpad.net/ListHelp
[Desktop-packages] [Bug 217300]
(In reply to Brian Smith (:briansmith), was bsm...@mozilla.com (:bsmith) from comment #95) > Shouldn't the users that care about protecting their passwords be using > full-disk encryption with a system password already? Why don't we just > remove the master password mechanism on Linux completely, and rely on users > use of operating-system-level protection of their whole profile? Full-disk encryption won't be available to whoever is storing its data on a computer he/she doesn't control. For example you might have to keep your profile on a shared drive when working in an office (alas that's a situation I have been in multiple times) and for those use cases providing a way to encrypt your saved passwords is very important. -- You received this bug notification because you are a member of Desktop Packages, which is subscribed to firefox in Ubuntu. https://bugs.launchpad.net/bugs/217300 Title: Seahorse integration Status in The Mozilla Firefox Browser: Confirmed Status in “firefox” package in Ubuntu: Confirmed Bug description: Binary package hint: firefox The Seahorse SSH integration totally rocks! Would it be possible to integrate Firefox with Seahorse to manage web site passwords or the Firefox master password? To manage notifications about this bug go to: https://bugs.launchpad.net/firefox/+bug/217300/+subscriptions -- Mailing list: https://launchpad.net/~desktop-packages Post to : desktop-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~desktop-packages More help : https://help.launchpad.net/ListHelp
[Desktop-packages] [Bug 217300]
Created attachment 785385 Refreshed patch This is a refreshed version of attachment 713868; the changes were fairly minimal as noted in comment 91 and comment 92. Besides adjusting a few rejections it was just a matter of importing nsIFile.h to get it working. I've done some light testing on my box, adding and removing the master password as well as externally deleting it from the key-ring and it seems to work fine. Adrien, if you want to pick this up you can start working using this patch; otherwise I'd be keen on finishing this myself as this is a feature I've been sorely missing. -- You received this bug notification because you are a member of Desktop Packages, which is subscribed to firefox in Ubuntu. https://bugs.launchpad.net/bugs/217300 Title: Seahorse integration Status in The Mozilla Firefox Browser: Confirmed Status in “firefox” package in Ubuntu: Confirmed Bug description: Binary package hint: firefox The Seahorse SSH integration totally rocks! Would it be possible to integrate Firefox with Seahorse to manage web site passwords or the Firefox master password? To manage notifications about this bug go to: https://bugs.launchpad.net/firefox/+bug/217300/+subscriptions -- Mailing list: https://launchpad.net/~desktop-packages Post to : desktop-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~desktop-packages More help : https://help.launchpad.net/ListHelp
[Desktop-packages] [Bug 41179]
Created attachment 785385 Refreshed patch This is a refreshed version of attachment 713868; the changes were fairly minimal as noted in comment 91 and comment 92. Besides adjusting a few rejections it was just a matter of importing nsIFile.h to get it working. I've done some light testing on my box, adding and removing the master password as well as externally deleting it from the key-ring and it seems to work fine. Adrien, if you want to pick this up you can start working using this patch; otherwise I'd be keen on finishing this myself as this is a feature I've been sorely missing. -- You received this bug notification because you are a member of Desktop Packages, which is subscribed to firefox in Ubuntu. https://bugs.launchpad.net/bugs/41179 Title: Integrate with Gnome Keyring Status in The Mozilla Firefox Browser: Confirmed Status in “firefox” package in Ubuntu: Won't Fix Status in “xulrunner-1.9” package in Ubuntu: Won't Fix Status in “xulrunner-1.9.1” package in Ubuntu: Triaged Bug description: For a really good Gnome integration, it would be great to have the ability to save passwords in the Gnome keyring. A similar thing has been proposed for Epiphany: see https://launchpad.net/malone/bugs/3467. To manage notifications about this bug go to: https://bugs.launchpad.net/firefox/+bug/41179/+subscriptions -- Mailing list: https://launchpad.net/~desktop-packages Post to : desktop-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~desktop-packages More help : https://help.launchpad.net/ListHelp
[Desktop-packages] [Bug 41179]
(In reply to Brian Smith (:briansmith), was bsm...@mozilla.com (:bsmith) from comment #95) > Shouldn't the users that care about protecting their passwords be using > full-disk encryption with a system password already? Why don't we just > remove the master password mechanism on Linux completely, and rely on users > use of operating-system-level protection of their whole profile? Full-disk encryption won't be available to whoever is storing its data on a computer he/she doesn't control. For example you might have to keep your profile on a shared drive when working in an office (alas that's a situation I have been in multiple times) and for those use cases providing a way to encrypt your saved passwords is very important. -- You received this bug notification because you are a member of Desktop Packages, which is subscribed to firefox in Ubuntu. https://bugs.launchpad.net/bugs/41179 Title: Integrate with Gnome Keyring Status in The Mozilla Firefox Browser: Confirmed Status in “firefox” package in Ubuntu: Won't Fix Status in “xulrunner-1.9” package in Ubuntu: Won't Fix Status in “xulrunner-1.9.1” package in Ubuntu: Triaged Bug description: For a really good Gnome integration, it would be great to have the ability to save passwords in the Gnome keyring. A similar thing has been proposed for Epiphany: see https://launchpad.net/malone/bugs/3467. To manage notifications about this bug go to: https://bugs.launchpad.net/firefox/+bug/41179/+subscriptions -- Mailing list: https://launchpad.net/~desktop-packages Post to : desktop-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~desktop-packages More help : https://help.launchpad.net/ListHelp
[Desktop-packages] [Bug 41179]
(In reply to Brian Smith (:briansmith), was bsm...@mozilla.com (:bsmith) from comment #94) > 1) I see in the patch that this is a build option that is off by default. I > would prefer it to be ON by default for all Linux desktop builds, and if > libsecret isn't available at runtime, then we just don't use it and we > disable the Firefox UI related to the Gnome Keyring. Is there anything > inherently wrong with doing it this way? It shouldn't be a problem if we can dynamically load the library at runtime. > 3) The Gnome keyring should never store/protect a password that the user > entered. Instead, it should store a randomly-generated key (e.g. 32 bytes of > randomness from nsIRandomGenerator, or similar). NSS's protection of the > master password is very weak, and also users will almost always choose > relatively weak passwords, so using a random key as the NSS password is > important. This has a drawback however: if for some reason you lose your keyring then you loose all your saved passwords. It also means that you can't move your profile across machines unless you also move the keyring (or write down the random-generated password). If the master password by itself is week wouldn't it be better to generate a random salt and store it in plain-text in the profile and then use the master password + salt for the encryption? That would improve the effectiveness of the resulting encryption while keeping a password that cannot be remembered by the user. Would there be any downsides to doing it this way? -- You received this bug notification because you are a member of Desktop Packages, which is subscribed to firefox in Ubuntu. https://bugs.launchpad.net/bugs/41179 Title: Integrate with Gnome Keyring Status in The Mozilla Firefox Browser: Confirmed Status in “firefox” package in Ubuntu: Won't Fix Status in “xulrunner-1.9” package in Ubuntu: Won't Fix Status in “xulrunner-1.9.1” package in Ubuntu: Triaged Bug description: For a really good Gnome integration, it would be great to have the ability to save passwords in the Gnome keyring. A similar thing has been proposed for Epiphany: see https://launchpad.net/malone/bugs/3467. To manage notifications about this bug go to: https://bugs.launchpad.net/firefox/+bug/41179/+subscriptions -- Mailing list: https://launchpad.net/~desktop-packages Post to : desktop-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~desktop-packages More help : https://help.launchpad.net/ListHelp
[Desktop-packages] [Bug 41179]
I think the idea of using the native keyring to store the master password is sound. I'd be glad to try and implement it for gnome-keyring once I've got some spare time on my hands. -- You received this bug notification because you are a member of Desktop Packages, which is subscribed to firefox in Ubuntu. https://bugs.launchpad.net/bugs/41179 Title: Integrate with Gnome Keyring Status in The Mozilla Firefox Browser: Confirmed Status in “firefox” package in Ubuntu: Won't Fix Status in “xulrunner-1.9” package in Ubuntu: Won't Fix Status in “xulrunner-1.9.1” package in Ubuntu: Triaged Bug description: For a really good Gnome integration, it would be great to have the ability to save passwords in the Gnome keyring. A similar thing has been proposed for Epiphany: see https://launchpad.net/malone/bugs/3467. To manage notifications about this bug go to: https://bugs.launchpad.net/firefox/+bug/41179/+subscriptions -- Mailing list: https://launchpad.net/~desktop-packages Post to : desktop-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~desktop-packages More help : https://help.launchpad.net/ListHelp