Re: stealing saved passwords

2012-05-29 Thread Eric Chen
I want to bring everyone's attention to our paper -- Automated Password Extraction Attack on Modern Password Managers (attached in this email). This is still a working copy and we can use some useful feedback :) Thanks, On Sun, Apr 15, 2012 at 11:21 PM, Tanvi Vyas ta...@mozilla.com wrote:

Re: stealing saved passwords

2012-04-16 Thread Tanvi Vyas
There are some great ideas here. I think we should create a feature page for at least #12 and add it to the Security Roadmap. I also think we can do #5. To go into detail... On 4/11/12 12:54 AM, Jesse Ruderman wrote: 1) If a site sends an STS header, and the user has any data (cookies,

Re: stealing saved passwords

2012-04-13 Thread Kevin Chadwick
On Fri, 13 Apr 2012 16:25:26 +0300 Henri Sivonen wrote: (Dunno how important this concern is. That is, I don't know how realistic it is for a MITM to gain the capability to fake non-EV certificates but not to gain the capability to fake EV certificates.) EV certs are pointless except for

Re: stealing saved passwords

2012-04-13 Thread Lucas Adamski
On Apr 13, 2012, at 6:25 AM, Henri Sivonen wrote: On Wed, Apr 11, 2012 at 10:54 AM, Jesse Ruderman jruder...@gmail.com wrote: A wifi MITM attacker can steal all the passwords you have saved on http sites, by sending you to fake versions of each site and watching what the browser fills into

stealing saved passwords

2012-04-11 Thread Jesse Ruderman
A wifi MITM attacker can steal all the passwords you have saved on http sites, by sending you to fake versions of each site and watching what the browser fills into the form. You're safe iff you initially saved the password from an https page, or if the site now uses STS, or maybe if you're

Re: stealing saved passwords

2012-04-11 Thread Ian Melven
/HighlightCleartextPasswords this won't help in the case of autofill though thanks! ian - Original Message - From: Jesse Ruderman jruder...@gmail.com To: dev-security@lists.mozilla.org Sent: Wednesday, April 11, 2012 12:54:53 AM Subject: stealing saved passwords A wifi MITM attacker can steal all

Re: stealing saved passwords

2012-04-11 Thread Eric Chen
Message - From: Jesse Ruderman jruder...@gmail.com To: dev-security@lists.mozilla.org Sent: Wednesday, April 11, 2012 12:54:53 AM Subject: stealing saved passwords A wifi MITM attacker can steal all the passwords you have saved on http sites, by sending you to fake versions of each site

Re: stealing saved passwords

2012-04-11 Thread Justin Dolske
On 4/11/12 12:54 AM, Jesse Ruderman wrote: 1) If a site sends an STS header, and the user has any data (cookies, passwords, etc) that are not https-only, immediately mark that data as https-only. (This helps if a site uses STS, but the user's privacy settings cause the password storage to