Re: Firefox? Re: Secret Storage API specification project
Ian G wrote: On 12/7/09 21:58, Anders Rundgren wrote: Nelson B Bolyard wrote: On 2009-07-12 05:51 PDT, Anders Rundgren wrote: This is an interesting project. What's not completely obvious is how this relates (or could relate) to for example Firefox. I must confess that I know absolutely nothing about NSS but I assume that the soft-token uses obfuscation and an *optional* password as the sole protection mechanism. Why would you assume such a silly thing? I'm not aware of any other methods for securing soft (file-based) secrets unless you go under the skin of the operating system. I think he means, the password and the encrypted store are next to each other on the disk, which reduces to obfuscation. Whereas, afaik, Firefox doesn't do that, it insists that the user enter a password in, so the decrypted stuff is in memory only. People who complain about that are completely right from a perfect security viewpoint, but are dead wrong from a market security viewpoint. The platform that people use is a computer as delivered according to that old IBM spec -- disk drive, memory, CPU. A tiny percentage know about things call trusted tokens, etc, but they are irrelevant to Mozilla's market. So, in this case, Mozilla's products are more or less where we want them to be: using a software encrypted store (with a stupid name) and having the user decrypt them when she starts it up. iang As I wrote in the initial posting, I know nothing about the inner workings of NSS. AFAICT, the mentioned Secret Storage project would be redundant if NSS already uses the operating system to protect secrets, particularly since NSS is said to be a part of Linux. Regarding passwords, by default Firefox does not require a password in order to use soft tokens. Anders still not enlightened -- dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto
Re: Firefox? Re: Secret Storage API specification project
On 2009-07-12 05:51 PDT, Anders Rundgren wrote: This is an interesting project. What's not completely obvious is how this relates (or could relate) to for example Firefox. I must confess that I know absolutely nothing about NSS but I assume that the soft-token uses obfuscation and an *optional* password as the sole protection mechanism. Why would you assume such a silly thing? -- dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto
Re: Firefox? Re: Secret Storage API specification project
On 12/7/09 21:58, Anders Rundgren wrote: Nelson B Bolyard wrote: On 2009-07-12 05:51 PDT, Anders Rundgren wrote: This is an interesting project. What's not completely obvious is how this relates (or could relate) to for example Firefox. I must confess that I know absolutely nothing about NSS but I assume that the soft-token uses obfuscation and an *optional* password as the sole protection mechanism. Why would you assume such a silly thing? I'm not aware of any other methods for securing soft (file-based) secrets unless you go under the skin of the operating system. I think he means, the password and the encrypted store are next to each other on the disk, which reduces to obfuscation. Whereas, afaik, Firefox doesn't do that, it insists that the user enter a password in, so the decrypted stuff is in memory only. People who complain about that are completely right from a perfect security viewpoint, but are dead wrong from a market security viewpoint. The platform that people use is a computer as delivered according to that old IBM spec -- disk drive, memory, CPU. A tiny percentage know about things call trusted tokens, etc, but they are irrelevant to Mozilla's market. So, in this case, Mozilla's products are more or less where we want them to be: using a software encrypted store (with a stupid name) and having the user decrypt them when she starts it up. iang -- dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto