Hello Mozilla Privacy Team, I've got one question to ask and one proposal to make.
First the question: why are Firefox and Thunderbird still using 3DES for the encryption of saved passwords? I know that 3DES is to this day a secure form of encryption, but it is nevertheless considerably weaker than AES, Serpent or Twofish. Especially since Mozilla uses AES in Sync for the online encryption of users' data, it puzzles me that 3DES is still used for offline purposes.

The second topic is a proposal, and one that I think is of importance. As it happens, Firefox offers users the option to encrypt their passwords by using a master password. If you are not a privacy fanatic, this is, in connection with the use of encryption, a good and well-working solution, but it is not a mandatory option. From many not-so-into-computers people in my circle of friends I know that the vast majority doesn't use a master password. Most of them don't even know that something like that exists or what it could be useful for. This would not be a big problem if password saving without a master password weren't the default setting in Firefox. As I see it, this is a negligent set of default settings. Firefox offers all the necessary tools to protect privacy, but they are so hidden (at least for not-so-into-computers people) that only users who can already take care of themselves can put them to good use. On the other hand, those people who are most vulnerable to attacks, because they don't have enough knowledge to take care of their own protection, are left alone with the worst possible set of settings: unencrypted locally saved passwords. Wouldn't it be more appropriate and safer for users to mandatorily bind the use of password saving to the use of a master password, or else deny users password saving at all?

I'm looking forward to hearing from you.

Best regards,
J from Germany

_______________________________________________
dev-privacy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-privacy
