MozillaZine

Suggestion: encrypt bookmarks.html file

Discussion of features in Seamonkey
leishirsute
 
Posts: 75
Joined: September 16th, 2006, 7:50 pm

Post Posted August 9th, 2014, 6:58 am

Here's why I wish bookmarks.html was encrypted.
I keep my userid/password in the bookmark entry, so that I only have to reference a bookmark's detail to get the login info if I forget it.
I wouldn't need to do this if the Seamonkey Password Manager truly allowed management of passwords, but it doesn't. It does not allow manual addition or editing of passwords.
Therefore, it would be great to make sure the bookmarks.html file were encrypted because folks may want to put secure information in the comment section for a bookmark.

woodrowGrant
 
Posts: 643
Joined: May 14th, 2014, 7:22 am

Post Posted August 9th, 2014, 8:38 am

    :?:
    If you created a second Profile and password-protected that profile, wouldn't that work?

unbeleevabull
 
Posts: 49
Joined: August 4th, 2014, 10:02 pm

Post Posted August 9th, 2014, 9:26 am

It's unlikely they will implement bookmarks encryption even as an option, so your best choice is to use the LastPass extension. The URL is stored with the password so you don't even have to have the bookmark in your regular bookmarks if you would rather not.

leishirsute
 
Posts: 75
Joined: September 16th, 2006, 7:50 pm

Post Posted August 9th, 2014, 9:37 am

I've tried that technique of creating a password-protected profile. I can drill down the Seamonkey folders and still locate an unencrypted bookmarks.html at C:\Users\home\AppData\Roaming\Mozilla\SeaMonkey\Profiles\{profilename}\

In fact, I merely type bookmarks.html in the Windows 7 Explorer search to find all occurrences of unencrypted bookmarks.html files.

Thanks for the suggestion, but a password-protected profile doesn't secure the bookmarks.html file.

woodrowGrant
 
Posts: 643
Joined: May 14th, 2014, 7:22 am

Post Posted August 9th, 2014, 10:03 am

    Last edited by woodrowGrant on August 10th, 2014, 12:49 pm, edited 2 times in total.

    trolly
    Moderator

     
    Posts: 39878
    Joined: August 22nd, 2005, 7:25 am

    Post Posted August 9th, 2014, 10:06 am

    What do you want to achieve with an encrypted bookmarks file that you do not get with the correct use of Windows user accounts?
    Think for yourself. Otherwise you have to believe what other people tell you.
    A society based on individualism is an oxymoron. || Freedom is at first the freedom to starve.
    Constitution says: One man, one vote. Supreme court says: One dollar, one vote.

    therube

     
    Posts: 17822
    Joined: March 10th, 2004, 9:59 pm
    Location: Maryland USA

    Post Posted August 9th, 2014, 10:08 am

    > bookmarks.html

    Is no longer used, actively, only for possible backup, import/export.
    Bookmarks (for a long time now) are stored in places.sqlite (a binary database file).

    You can store un/pw in a bookmark, though there are privacy issues in doing so.
    > http://joe:blow@www.example.com/
    Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.1.19) Gecko/20110420 SeaMonkey/2.0.14 Pinball CopyURL+ FetchTextURL FlashGot NoScript

    leishirsute
     
    Posts: 75
    Joined: September 16th, 2006, 7:50 pm

    Post Posted August 9th, 2014, 2:36 pm

    therube, you have resolved my request. I saw a bookmarks.html file in the profile directory but see that the modified date is 2 years old.
    trolly, you could say the same thing about password protecting a Seamonkey profile. The reason would be additional security.
    woodrowGrant, your original suggestion works since the passwords are stored in a binary database in binary format (I checked via the Unix strings command against the places.sqlite file).

    The request is closed.

    Thanks

    LordOfTheBored
     
    Posts: 236
    Joined: December 7th, 2005, 8:36 pm

    Post Posted September 9th, 2014, 4:01 am

    Personally, I assume anyone with access to the files on my hard drive already has my data.
    Not saying I do nothing for security, but... it's a case of knowing where to make your stand. You don't raise an army to fight the invaders after they've looted your city and burned it to the ground.

    Once they have access to your hard drive, they can copy the file and decrypt it at their leisure. It doesn't take years of 24/7 compute these days. Your encrypted username/password list will likely be plaintext in a matter of hours.
    Better if your account names and passwords aren't on the hard drive at all, aside from in the cookies created while you're logged in. That greatly reduces the ability for someone to acquire them.
    Which is why I disable password manager immediately on a fresh install. The better solution is to write them on paper and store them offline somewhere. Preferably in a fire safe with other important documents.


    A binary file format is not more SECURE than plain text in any meaningful form, and should not be counted on for protection.
    A poorly-documented file format is security through obscurity. It can be reverse-engineered through brute-force. A well-documented format is merely a passing annoyance, not even a speed bump.

    therube

     
    Posts: 17822
    Joined: March 10th, 2004, 9:59 pm
    Location: Maryland USA

    Post Posted September 9th, 2014, 5:05 am

    > A binary file format is not more SECURE than plain text in any meaningful form, and should not be counted on for protection.
    > A poorly-documented file format is security through obscurity.

    Correct.

    It may be sufficient for the user's case, but cannot be considered "secure".
    Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.1.19) Gecko/20110420 SeaMonkey/2.0.14 Pinball CopyURL+ FetchTextURL FlashGot NoScript
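Added example, not part of any post in this thread: a Python sketch of the point made in the two posts above, that text in a binary SQLite file is still readable, plus an audit that lists bookmarks whose URL embeds a username or password. The database is a constructed stand-in that uses only the `moz_places` and `moz_bookmarks` columns the queries need; the sample rows reuse the `joe:blow@` URL quoted earlier in the thread.

```python
import os
import sqlite3
import tempfile
from urllib.parse import urlsplit

def build_sample_places(path):
    """Constructed stand-in for places.sqlite: only the columns used below."""
    con = sqlite3.connect(path)
    con.executescript("""
        CREATE TABLE moz_places (id INTEGER PRIMARY KEY, url TEXT);
        CREATE TABLE moz_bookmarks (id INTEGER PRIMARY KEY, type INTEGER,
                                    fk INTEGER, title TEXT);
    """)
    con.executemany("INSERT INTO moz_places VALUES (?, ?)", [
        (1, "http://joe:blow@www.example.com/"),   # URL form quoted in the thread
        (2, "https://www.example.org/docs"),
    ])
    con.executemany("INSERT INTO moz_bookmarks VALUES (?, ?, ?, ?)", [
        (1, 1, 1, "Example login"),                # type 1 = bookmark entry
        (2, 1, 2, "Docs"),
    ])
    con.commit()
    con.close()

def bookmarks_with_credentials(path):
    """Return (title, host, username) for bookmarks whose URL embeds userinfo.
    The password itself is deliberately not returned."""
    con = sqlite3.connect(path)
    rows = con.execute(
        "SELECT b.title, p.url FROM moz_bookmarks b "
        "JOIN moz_places p ON p.id = b.fk WHERE b.type = 1").fetchall()
    con.close()
    hits = []
    for title, url in rows:
        parts = urlsplit(url)
        if parts.username or parts.password:
            hits.append((title, parts.hostname, parts.username))
    return hits

def readable_in_raw_file(path, needle):
    """What `strings` effectively checks: is the text present in the raw bytes?"""
    with open(path, "rb") as fh:
        return needle.encode("utf-8") in fh.read()

def demo():
    with tempfile.TemporaryDirectory() as tmp:
        db = os.path.join(tmp, "places.sqlite")
        build_sample_places(db)
        return bookmarks_with_credentials(db), readable_in_raw_file(db, "joe:blow@")
```

To audit a real profile, run `bookmarks_with_credentials` against a copy of its `places.sqlite` made while the browser is closed.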

    leishirsute
     
    Posts: 75
    Joined: September 16th, 2006, 7:50 pm

    Post Posted May 25th, 2015, 5:37 am

    Well, I thought my request was satisfied, but I have since learned that the Security Device Password does not protect bookmarks. How can a profile be password protected as suggested in an earlier response? What does it protect? I was incorrectly under the impression that the Security Device password was the same as profile password protection.

    Please advise and thanks

    trolly
    Moderator

     
    Posts: 39878
    Joined: August 22nd, 2005, 7:25 am

    Post Posted May 25th, 2015, 8:11 am

    Just curious: How did you detect that bookmarks.sqlite is not encrypted?

    leishirsute
     
    Posts: 75
    Joined: September 16th, 2006, 7:50 pm

    Post Posted May 25th, 2015, 8:30 am

    When the Security Device password was requested, I canceled the window instead of responding with a password. The browser came up and I accessed my bookmarks without any hassle at all.

    It really doesn't help if the places.sqlite file is encrypted, if I can start the browser and access the bookmarks without the need for a password.

    LordOfTheBored
     
    Posts: 236
    Joined: December 7th, 2005, 8:36 pm

    Post Posted May 25th, 2015, 2:07 pm

    You ... REALLY shouldn't be using the bookmarks menu to store secure information.

    I am aware this post is not actually solving your problem, but that's only because your problem is making me cringe every time I think about it.

    leishirsute
     
    Posts: 75
    Joined: September 16th, 2006, 7:50 pm

    Post Posted May 25th, 2015, 3:34 pm

    It would be great if the password manager in Seamonkey would allow passwords to be saved for more than just sites that have been visited. There are times when Seamonkey does not request a password be saved when visiting a page and performing a login. From other posts I've read, the solution given to protect profile data is primarily to rely on the Windows login password.

    By the way, the places.sqlite file is not encrypted and is in text format.
