|Security Improvements to Password Manager|
|Directly Responsible Individual||`|
|Security lead||Tanvi Vyas|
|Product marketing lead||`|
Stage 1: Definition
1. Feature overview
Hardening the Password Manager.
2. Users & use cases
- See https://www.usenix.org/conference/usenixsecurity14/technical-sessions/presentation/silver
1) Preventing active network attacks:
- For http sites (IE 11 has this security feature)
- https sites that have mixed active content
- https sites that require a cert override (chrome does this)
- in iframed sites (where the parent and frame are not same orign, or always?) (safari does this for non-same origin, chrome does this for all frames). (Open Issue - what about third party widgets that allow users to login and post comments.)
- Invisible form fields (visibility and opacity, although this isn't going to prevent clickjacking attacks to autofill the passwords)
- Bug 748193 Warn users when they are entering their passwords on HTTP sites. UX help needed for this. Some options:
- warning icon in the password field
- Fill-and-submit button is a different color
- On mouseover of the fill in submit button, the user can read a tooltip that warns them that their password can be seen in the clear.
- Bug 1118558 Flag in the Password Manager User Interface that shows all saved logins.
- See also Highlight Cleartext Passwords.
2) Preventing local attacks:
- Bug 1118549 Encryption - Explore solutions for encrypting the passwords stored locally in the password manager (for example, make use of keychain or encryption mechanisms that come with the OS).
3) Bug 1118553 Duplicate Passwords - Protecting users from password reuse attacks
- Create UI around alerting users that they are reusing the same passwords
4) Bug 1119555 HSTS: If a site is HSTS, then there is no reason to have http data for that site. Hence, if a site is marked HSTS, and the user has any data (cookies, passwords, etc) that are not https-only/secure, immediately mark that data as https-only. (Note that we'd need some way to indicate that the site has been STS for at least X weeks to prevent deleting data from a site that goes HSTS as a beta test and then goes back to non-HSTS.)
More about Autofill: If we must allow autofilling in certain cases, then we also need the following security features:
- If an identical password is stored for both the http version and https version of a specific website (or domain), and it is not used on the http site for X months, expire the http version after alerting the user. (This can help in cases where the website has upgraded to https, but the user's http password manager entry still exists and is open to attack).
- Consider not autofilling in cases where the page has multiple login forms.
- Support Credential Management Specification so websites can opt into better detection and protection.
- Prefer secure origins - If a password is stored in an http version of a site, see if the https version exists. If it does, prompt the user to redirect to the https version of the site and store their password there instead. (Issue here is that we don't always know if changing the url to https will work, or if a site is set up to have a different domain or path for their secure version)
- Bug 1118540 Secure Filling 2.0
Stage 2: Design
5. Functional specification
6. User experience design
- What should the UX be when we do not autofill?
- Today the experience is that the user first has to type the username, and then the password will be filled in. [NB: it fails utterly on "password-only" forms (where the username is known to the site already, such as by a cookie) because there's no username field interaction to trigger the fill-in]
- We could have an fill-and-submit option, so that there is still only one click for the user. Instead of clicking "submit" they would click "fill and submit". This way, we've added security without decreasing usability.
- To prevent clickjacking attacks, the UI for this could live somewhere in chrome; the user could interact with the some password manager directly instead of the webpage. Clickjacking is not our biggest threat here though, so in content would be okay too.
- What should the UX be when we alert users of duplicate passwords?
- Can we somehow expose the about:config option signon.autofill to users to prevent attacks on saved passwords in HTTPS pages (ex: XSS bugs on the victim site). Alternatively, if we come up with a fill-and-submit that is more usable than autofill, we can deploy it on both HTTP and HTTPS pages.
Stage 3: Planning
7. Implementation plan
Quality Assurance review
Stage 4: Development
Stage 5: Release
10. Landing criteria
|Theme / Goal||`|
Team status notes