Suggestion: encrypt bookmarks.html file

[leishirsute]

Here's why I wish bookmarks.html was encrypted.
I keep my userid/password in the bookmark entry, so that I only have to reference a bookmark's detail to get the login info if I forget it.
I wouldn't need to do this if the Seamonkey Password Manager truly allowed management of password, but it doesn't. It does not allow manual addition or editing of passwords.
Therefore, it would be great to make sure the bookmarks.html file were encrypted because folks may want to put secure information in the comment section for a bookmark.

[woodrowGrant]

if you created a second Profile and password-protected that profile, wouldn't that work

[unbeleevabull]

It's unlikely they will implement bookmarks encryption even as an option, so your best choice is to use the LastPass extension. The url is stored with the password so you don't even have to have the bookmark in your regular bookmarks if you would rather not.

[leishirsute]

I've tried that technique of creating a password protected profile. I can drilldown the Seamonkey folders and still locate an unencrypted bookmarks.html at C:\Users\home\AppData\Roaming\Mozilla\SeaMonkey\Profiles\{profilename}\

In fact, I merely type bookmarks.html in the Windows 7 Explorer search to find all occurrences of unencrypted bookmarks.html files.

Thanks for the suggestion but a password protected profile doesn't secure the bookmarks.html file.

[woodrowGrant]

[trolly]

What do you want to achieve with an encrypted bookmarks file that you do not get with the correct use of Windows user accounts?

[therube]

> bookmarks.html

Is no longer used, actively, only for possible backup, import/export.
Bookmarks (for a long time now) are stored in places.sqlite (a binary database file).

You can store un/pw in a bookmark, though there are privacy issues in doing so.
> http://joe:blow@www.example.com/

[leishirsute]

therube, you have resolved my request. I saw a bookmarks.html file in the profile directory but see that modified date is 2 years old.
trolly, you could say the same thing about password protecting a Seamonkey profile. The reason would be additional security.
woodrowGrant, your original suggestion works since the passwords are stored in a binary database in binary format ( I checked via Unix strings command against the places.sqlite file).

The request is closed.

Thanks

[LordOfTheBored]

Personally, I assume anyone with access to the files on my hard drive already has my data.
Not saying I do nothing for security, but... it's a case of knowing where to make your stand. You don't raise an army to fight the invaders after they've looted your city and burned it to the ground.

Once they have access to your hard drive, they can copy the file and decrypt it at their leisure. It doesn't take years of 24/7 compute these days. Your encrypted username/password list will likely be plaintext in a matter of hours.
Better if your account names and passwords aren't on the hard drive at all, aside from in the cookies created while you're logged in. That greatly reduces the ability for someone to acquire them.
Which is why I disable password manager immediately on a fresh install. The better solution is to write them on paper and store them offline somewhere. Preferably in a fire safe with other important documents.


A binary file format is not more SECURE than plain text in any meaningful form, and should not be counted on for protection.
A poorly-documented file format is security through obscurity. It can be reverse-engineered through brute-force. A well-documented format is merely a passing annoyance, not even a speed bump.

[therube]

> A binary file format is not more SECURE than plain text in any meaningful form, and should not be counted on for protection.
> A poorly-documented file format is security through obscurity.

Correct.

It may be sufficient for the users case, but cannot be considered "secure".

[leishirsute]

Well, I thought my request was satisfied, but I have since learned that the Security Device Password does not protect bookmarks. How can a profile be password protected as suggested in an earlier response? What does it protect? I was incorrectly under the impression that the Security Device password was the same a profile password protection.

Please advise and thanks

[trolly]

Just curious: How did you detect that bookmarks.sqlite is not encrypted?

[leishirsute]

When the Security Device password was requested, I canceled the window instead of responding with a password. The browser came up and I accessed my bookmarks without any hassle at all.

It really doesn't help if the places.sqlite file is encrypted, if I can start the browser and access the bookmarks without the need for a password.

[LordOfTheBored]

You ... REALLY shouldn't be using the bookmarks menu to store secure information.

I am aware this post is not actually solving your problem, but that's only because your problem is making me cringe every time I think about it.

[leishirsute]

It would be great if the password manager in Seamonkey would allow passwords to be saved for more than just sites that have been visited. There are times when Seamonkey does not request a password be saved when visiting a page and performing a login. From other posts I've read, the solution given to protect profile data is primarily to rely on the Windows login password.

By the way, the places.sqlite file is not encrypted and is in text format.