The perils of saving passwords in your web browser

Web browsers want to make your life easier, which is why they all offer to store web site user IDs and passwords. But if you thought this was a safe way to store passwords, you’d be wrong. Still, some browsers handle this better than others.

Lock Your Computer

First of all, regardless of which web browser you use, if a person has access to your computer while you are logged in, and you allow your browser to store passwords, you should assume that the person now knows all your web site passwords. Simple techniques can be used to trick any web browser into displaying otherwise obfuscated (e.g. ‘*****’) passwords as plain text. This is yet another reason – as if you needed one – to always lock your computer when you walk away from it. Most operating systems have a setting that locks your computer for you after a period of inactivity. This is the only way to be at all secure: access to your logged-in computer potentially gives intruders access not only to your passwords, but also to all of your documents.

Password saving features in web browsers

Given the above, does it even make sense to worry about how your web browser handles saved passwords? There are arguments for both points of view. From my perspective, security should be layered: getting past one security hurdle shouldn’t open up everything. So if you allow your browser to save passwords, you should consider using the browser’s settings to secure those passwords. The four browsers I use handle passwords with varying degrees of security:

  • Firefox: Prompts to store passwords. By default, shows your saved passwords to anyone who looks in the settings. You can set up a master password to control access to the stored passwords; you will be prompted for the master password once per session, and when you try to show your passwords.
  • Opera: Prompts to store passwords. Doesn’t show passwords anywhere. You can set up a master password to control access to the stored passwords, which you will be prompted for once per session and at set intervals.
  • Internet Explorer: Prompts to store passwords. Doesn’t show passwords anywhere. No master password.
  • Google Chrome: Prompts to store passwords. Shows passwords to anyone who looks in the settings. No master password.

Google Chrome stands out in this list, since it both shows your passwords, and has no master password feature. Elliot Kember recently wrote about this, describing Chrome’s password handling as ‘insane’. I’m not sure I would go that far, but Chrome clearly needs a master password feature.

I’d like to see all web browsers show a prominent warning to any user who uses a password saving feature: “WARNING: saved passwords can be retrieved extremely/relatively easily. Always lock your computer when you leave it unattended.”

Update 2013Aug11: Here’s Google’s response.

Update 2013Aug25: Tim Berners-Lee (the person who invented the World Wide Web) weighs in. tl;dr – he agrees that Chrome should at least have a master password.

Web advertising networks: the next malware attack vector?

Researchers speaking recently at the Black Hat Briefings in Las Vegas showed that the JavaScript used by most advertising networks could be compromised by a malicious third party. The malicious code could then run in any web browser configured to allow advertising.

Hold on. Wouldn’t the people responsible for the advertising networks and the associated JavaScript notice the problem and fix it? Possibly. But not always. If you’re like me, you’ve seen more than a few messed up web ads. A seriously broken web ad can prevent a web page from displaying properly or cause it to load very slowly. It’s one of the many reasons why people use script blocking technology like NoScript.

It’s difficult to predict whether malware purveyors will start using the ad networks like this. But if they do, you can bet we’ll see a surge in script and ad-blocking software installations. Since advertising is the primary source of revenue on the web, this will get the attention of the advertisers, who would hopefully then institute better quality control.

The back-room wrangling that dictates your online experience

Okay, so this isn’t exactly news, in the sense of being new. But it is interesting. And it most definitely does matter, to anyone who uses the Internet.

If you’ve ever wondered why YouTube videos are suddenly buffering, or why that download is taking so long, you probably assumed that the server was overloaded, or your Internet provider was having infrastructure issues. But there may be a deeper cause.

A handful of organizations – mostly commercial in nature – provide the backbone of the Internet: the network hardware that makes up the core of the net. Since its inception, these organizations have engaged in negotiations about how they move data amongst themselves. When the commercial web got off the ground, these negotiations began to involve large amounts of money. As with all negotiations, all parties try to get what they want for the least amount of effort and expense. The difference is that in these negotiations, when one party is unhappy with the results, they can make their feelings known by downgrading the service they provide.

All of these negotiations happen without much fanfare, and the fights ebb and flow according to changing technology and the rise and fall of the fortunes of individual companies. The net effect for Internet consumers is inexplicable changes in Internet speeds.

Ars Technica has a terrific overview of this process and its ramifications. It’s a long read, but well worthwhile. Maybe you can read it while you’re waiting for that YouTube video to finish buffering…

Canada’s new anti-spam law

Canada is late to the game when it comes to anti-spam laws, but with the recent passing of the “Canadian Anti-Spam Legislation” (CASL), it’s about to get a lot harder for spammers to do their work here (yes, I’m in Canada).

As with other anti-spam laws, the focus of CASL is consent. The following activities will become illegal with the new law: sending a commercial electronic message to a recipient without the recipient’s consent; installing software on a recipient’s computing device without their consent; and altering electronic messages during transmission without the recipient’s consent.

Other activities that will become illegal with the new law include: collection of personal information through access to computing devices; and harvesting electronic addresses from the Internet through automated methods for the purposes of building bulk email recipient lists.

There is no set timeline for enforcement of CASL to begin, but it should be within a few months, and certainly by the end of 2013. Once the law becomes official (comes into force), immediate compliance is expected. However, there will be a three-year transitional period during which consent may be assumed for existing relationships.

Several different agencies will be involved in enforcement of the new law: the CRTC, the Competition Bureau, and the Office of the Privacy Commissioner.

Additional highlights:

  • Any commercial electronic message is assumed to be illegal, although there are exceptions.
  • Potential recipients of commercial electronic messages cannot be added to recipient lists automatically. Explicit consent to receive such messages must be given by the potential recipient. In other words, commercial email list subscription must be “opt-in” instead of “opt-out”.
  • Software must not be installed automatically on customer computers. This part of the law is meant to curtail the forced installation of unwanted software along with other (wanted) software.

The new law will present serious challenges to commercial organizations, so it would be wise for all such organizations to begin assessing its impact immediately. Penalties will typically take the form of very steep fines: up to ten million dollars.

An official FAQ for the new law is available.

Microsoft says “your privacy is our priority” (unless the NSA is involved)

Over at TechDirt, a post by Tim Cushing details a recent leak published by The Guardian, showing that Microsoft values your privacy, unless the NSA comes calling. When the NSA asks for your ‘private’ information, Microsoft is happy to hand it over. This means that nothing you say on Skype, Outlook.com, SkyDrive or Hotmail is safe from prying eyes.

Microsoft is quick to point out that nothing they’ve done is illegal, but that’s really the problem, isn’t it?

Updates for Flash

Version 11.8.800.94 of Flash was announced today. As always, “[t]hese updates address vulnerabilities that could cause a crash and potentially allow an attacker to take control of the affected system.” For a more complete change list for this version, see the Flash Player 11.8 Release Announcement on the Flash Runtime Announcements page.

A patch for Internet Explorer 10 that includes a new version of Flash (also 11.8.800.94) was released by Microsoft today as well.

An update for Flash in Chrome should also become available from Google in the near future. The new version of Flash in Chrome will be 11.8.800.97.
