also apparently Firefox stores cookies in plaintext? I assumed Firefox stores everything with 3DES creds stored in key4.db, but no, only stored passwords are encrypted this way...
=> More information about this toot | More toots from still@infosec.exchange
@still surprised somebody made the effort for passwords 🙃 not that it is effective against infostealers
There's no easy solution - see Chrome's efforts (for Windows) from the last weeks that were defeated within days
Each platform needs an OS-secured method for storing/retrieving including not being able to grab from memory, or modify the browser itself, etc
Or each platform needs to not allow every program, script or commands pasted off the internet the user runs unfettered access to all of their data
https://bugzilla.mozilla.org/show_bug.cgi?id=56788 and related are what you're looking for
It's a little sad to see how 24 years ago the threat model brought up was totally wrong. Though if anyone had brought up "user runs unsafe program" they'd have probably been shut down with blaming the user...
=> More information about this toot | More toots from synotna@infosec.exchange
@synotna I still think it's mildly safer to have it encrypted. Obviously it will not be effective against infostealer, but at least it'll fend off other things that may only have low-priv filesystem access with no code execution (albeit super rare).
=> More information about this toot | More toots from still@infosec.exchange
@still Would have required user setting master password, making it an opt-in feature which 99% of users would not do, and give a false sense of security to the remaining 1%
Agree it probably would have made sense that it was done when the passwords were done, for what that is worth
But the only real solution is to use what the OS provides, when it provides it
=> More information about this toot | More toots from synotna@infosec.exchange