
Thread: Firefox 0.9.3 false safety

  1. #21
    Senior Member, Join Date: Feb 2004, Posts: 373
    When I go to Saved Password, there is a + in a box, expand and go to View Save Password -> Remove All. Would that not remove the passwords?

  2. #22
    Firefox 1.0PR is a lot better in a lot of areas and also needs a lot of improvement. It's not going to stop me from using it though. A few well-used techniques guarding privacy (aka, no passwords being stored) will hamper subversion...
    i also have the latest version running now, but i also never store passwords.

    Care to elaborate? I'm interested in the differences between the two browsers' approach to this feature.
    as soon as i can tell you exactly how they are stored in IE. i have been able to trace it back to the registry, and in such a key, that you can not access with regedit / regedit32.
    but even if you have that key, the passwords still aren't stored in plain text.

    I find that hard to believe since you yourself are having trouble decrypting it. It's not "in a flash". Instead of wildly guessing at what goes on during the encryption/decryption sequence, why not just go get the source?
    well, i doubt that it will take long if you have the right encryption method.
    and like stated before by MsMittens, i'm not the only one who thinks it is base64, the only difference i can think of is that they've added some other string to the base64 string.

    well i'm still searching for the source, but i'm not able to find it, but as soon as i have it, i will go and study it

    One other thing I'd like to mention in comparison to IE's method of safety versus Firefox. How long has IE been out? It wasn't even MS' product and it hasn't changed in over two years. FF has them definitely beat on updates, extensions, themes, and various other areas and I'd put my faith (and have) into a browser that's being updated regularly, has a Security Bounty Program for reporting bugs and exploits, AND allows me to customize it fully...
    i know Firefox is a LOT better than IE, but like i said before, even IE has this done better. for the rest i'll choose FF above IE anytime.

    it's not like i hate it, i'm still using it, but i just don't like the way it stores passwords.

  3. #23
    Senior Member, Join Date: Nov 2001, Posts: 1,255
    Originally posted here by lepricaun
    as soon as i can tell you exactly how they are stored in IE. i have been able to trace it back to the registry, and in such a key, that you can not access with regedit / regedit32.
    but even if you have that key, the passwords still aren't stored in plain text.
    How do you know? You don't know how the passwords are stored, you just said so yourself. Is it just me, or is this "I know without knowing" getting a bit silly?
    So what, FF doesn't use the registry. The registry isn't exactly a secure thing you know, and it doesn't exist on other platforms. FF went with a cross-platform friendly method of storing their info, they encrypt it, and you are calling it an insecurity? Granted, this started out as a bitch about a bug in FF0.9.3 which really should've just entailed looking up a bug in bugzilla and then finding out you should upgrade, but now it's turned into a whole other deal. Give up the whole "I don't like how firefox does this, it's bad" garbage, and either explain in detail how IE does it better, or quit posting wild assumption.

    well, i doubt that it will take long if you have the right encryption method.
    and like stated before by MsMittens, i'm not the only one who thinks it is base64, the only difference i can think of is that they've added some other string to the base64 string.

    well i'm still searching for the source, but i'm not able to find it, but as soon as i have it, i will go and study it
    I linked it to you. It's not a painstaking search.

    i know Firefox is a LOT better than IE, but like i said before, even IE has this done better. for the rest i'll choose FF above IE anytime.
    How do you know IE has done it better? Just because it's using "security through obscurity" and hiding somewhere in the registry doesn't make it more secure.
    Chris Shepherd
    The Nelson-Shepherd cutoff: The point at which you realise someone is an idiot while trying to help them.
    "Well as far as the spelling, I speak fluently both your native languages. Do you even can try spell mine ?" -- Failed Insult
    Is your whole family retarded, or did they just catch it from you?
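
The base64 question argued over in the posts above can be checked by decoding a stored value and looking at the bytes. This is an added example, not code from any poster or from either browser; the sample values and the names `classify` and `audit` are constructed for illustration.

```python
import base64
import binascii
import string

PRINTABLE = set(string.printable.encode("ascii"))

# Constructed sample record: three ways one field could sit on disk.
SAMPLE = {
    "stored_as_is": "hunter2",
    "encoded_only": base64.b64encode(b"hunter2").decode("ascii"),
    # Constructed 16-byte stand-in for non-text data, wrapped in base64.
    "wrapped_binary": base64.b64encode(
        bytes.fromhex("9f3c01e7b48a5d12c0fe6a97d3084b71")).decode("ascii"),
}


def classify(value: str) -> str:
    """Return 'not-base64', 'encoded-plaintext' or 'opaque-binary'."""
    try:
        raw = base64.b64decode(value, validate=True)
    except (binascii.Error, ValueError):
        return "not-base64"          # bad alphabet, bad padding, or non-ASCII
    if not raw:
        return "not-base64"
    if all(b in PRINTABLE for b in raw):
        # Decoding alone recovers readable text: no secrecy at all.
        return "encoded-plaintext"
    # Base64 is only the wrapper here. What produced the bytes (a cipher,
    # a hash, compression) has to be established from the source code.
    # Caveat: a short alphanumeric plaintext whose length is a multiple of 4
    # also decodes as base64 and lands in this class.
    return "opaque-binary"


def audit(fields: dict) -> dict:
    """Group field names by classification."""
    report = {}
    for name, value in fields.items():
        report.setdefault(classify(value), []).append(name)
    return report


if __name__ == "__main__":
    for label, names in audit(SAMPLE).items():
        print(f"{label}: {', '.join(names)}")
```
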

  4. #24
    Chill off chsh, let's keep this a normal and mature thread.

    IE stores the passwords in the registry encrypted and hidden.
    YES they are harder to find than the ones FF stores --> conclusion --> IE does a better job IMHO.
    is this so hard to grasp?
    ok, i don't know exactly how you can retrieve them by IE, but i also don't by FF, still i'm a lot closer to retrieving them from FF than i am from IE. and i've been trying this for IE for about 6 months now (on and off), FF took me 5 minutes to figure out how it works (without the source). and to figure out they haven't done it as good (or even worse than) IE.

  5. #25
    Senior Member, Join Date: Nov 2001, Posts: 1,255
    Originally posted here by lepricaun
    Chill off chsh, let's keep this a normal and mature thread.
    Since when is asking for you to do some research a sign that I am excited about something, and acting immature? Seems to me that baseless statements are a touch more immature than asking for proof, but hey, to each his own.

    IE stores the passwords in the registry encrypted and hidden.
    YES they are harder to find than the ones FF stores --> conclusion --> IE does a better job IMHO.
    is this so hard to grasp?
    It is not any more hidden as an app (and a user) can access the registry just as well it can a file.

    ok, i don't know exactly how you can retrieve them by IE, but i also don't by FF, still i'm a lot closer to retrieving them from FF than i am from IE. and i've been trying this for IE for about 6 months now (on and off), FF took me 5 minutes to figure out how it works (without the source). and to figure out they haven't done it as good (or even worse than) IE.
    It's a measure of security through obscurity, it isn't more or less secure, it's simply different. When you can come out and say "I cracked the encryption firefox uses on signons.txt in 12 hours, and the encryption IE uses took much longer", and provide the data to back it up, it will be a meaningful statement. Until then I don't see how you can reliably comment on one or the other. In fact, your notion that simply hiding something in the registry makes it "more secure" than writing it to a file is almost laughable.

    By the way, since you've been trying for so long, perhaps you'd be interested in this page, and this one (the result of 2 minutes of googling) that shows that form field entries are stored in: HKEY_CURRENT_USER under Software\Microsoft\InternetExplorer\IntelliForms, or, when there is no current user, it's stored in: HKEY_LOCAL_MACHINE with the same path.
    Chris Shepherd

  6. #26
    Originally posted here by lepricaun

    i know Firefox is a LOT better than IE, but like i said before, even IE has this done better. for the rest i'll choose FF above IE anytime.

    I don't see why it is so hard to lock down IE and run it on a "less privileged" account.
    "PS. "experience" = anecdotal evidence, which really has no place in a technical discussion."

  7. #27
    By the way, since you've been trying for so long, perhaps you'd be interested in this page, and this one (the result of 2 minutes of googling) that shows that form field entries are stored in: HKEY_CURRENT_USER under Software\Microsoft\InternetExplorer\IntelliForms, or, when there is no current user, it's stored in: HKEY_LOCAL_MACHINE with the same path.
    i know those keys, but i don't think they are stored there.
    use RegMon from sysinternals to see what strings IE visits when using the passwords, the above strings aren't touched.

    Since when is asking for you to do some research a sign that I am excited about something, and acting immature? Seems to me that baseless statements are a touch more immature than asking for proof, but hey, to each his own.
    there's nothing wrong for asking for research, it was the way you asked that came over to me as assultive (is this a word?).
    but like i said, i DID research, and yes i'm convinced that when i have found out which encryption it is exactly for FF you can crack it within 12 hours, but this also goes for IE so that doesn't say that much.

    I don't see why it is so hard to lock down IE and run it on a "less privileged" account.
    this goes for every program, not just IE.

    PS. "experience" = anecdotal evidence, which really has no place in a technical discussion.
    no you're right, but unfortunately no one here can tell me more about this subject so i'm all alone here

  8. #28
    Originally posted here by lepricaun
    this goes for every program, not just IE.
    Yep, it's a beautiful feature.

  9. #29
    Senior Member, Join Date: Nov 2001, Posts: 1,255
    Originally posted here by lepricaun
    i know those keys, but i don't think they are stored there.
    use RegMon from sysinternals to see what strings IE visits when using the passwords, the above strings aren't touched.
    How about this then: You and I collaborate and research this further, with the goal of determining which way each browser stores the info. I just got an eval copy of XP Pro, so I will load it up tonight, install the latest of both browsers, and then go to some news sites, sign up using dummy account names, and try and store all this crap. You do the same with the browsers, and then we can compare notes. We will have hard data and observations about how each does it, which will be way more valuable than hearsay and guesswork IMO. There may be reasons RegMon might not work, although I'm unsure. I will play with it tonight.
    Chris Shepherd

  10. #30
    i like that idea, one disadvantage tho, i have to work late this week, so my time to spend behind my computer is very limited.

    but i will surely try and figure it out

    i'll keep you posted too :lol:
