[Ext] Opera Wand for Firefox - SecureLogin

[jms]

I would like to find out why securelogin does not work on the page http://member.friendscout24.de/

Is there a way to debug the javascript code or throw some alert() in it?
Greasemonkey?

[Philip Chee]

http://xsidebar.mozdev.org/modifiedmisc.html#securelogin
Secure Login 0.9.9pre mod for SeaMonkey 2.0+ contributed by Stanimir Stamenkov

Tested with SeaMonkey 2.3 but should work with SeaMonkey 2.0 to 2.4a.

Secure Login is a login extension for Mozilla Firefox integrated password manager. Its main feature is similar to Opera's (the browser) Wand login.



Features:

• Easy installation through Mozilla Firefox add-ons system.
• Works out of the box without any configuration needed.
• Login with one click or a keyboard shortcut (automatically submitting the login forms).
• Easy and convenient selection for multiple logins (multiple users).
• Provides direct login to any site from the bookmarks (using the "Secure Login Bookmarks").
• Integrates with Mozilla Firefox password manager.
• Provides easy access to the saved passwords.
• Prevents malicious JavaScript code to automatically steal your login data.
• Provides an option to protect your login data from all JavaScript code during login.
• Websites requiring JavaScript for the login process can be added to an exception list.
• Can prevent cross-site scripting (XSS) attacks to steal your passwords without having to deactivate JavaScript.
• Helps to protect you from phishing.
• Shows the login URL(s) and the number of available logins in a tooltip of the toolbar button and the statusbar icon.
• Can be set to automatically search for login data and highlight form fields.
• Can be used with a toolbar button, a statusbar icon, a keyboard shortcut or via the context menu.
• Completely customizable interface (buttons, icons and menus can be enabled/disabled).
• Provides a customizable keyboard shortcut
• By default only active on login so it doesn't consume any system resources while surfing.
• Can fill out additional form fields using the Autofill Forms add-on.
• Possibility to play a sound when logins are found or when logging in.

Install Secure Login for Seamonkey 2.0+:
secure_login-0.9.9pre-mod.xpi
This mod contributed by Stanimir Stamenkov

Besides SeaMonkey compatibility, this versions includes some more changes over the official 0.9.8 version:

• Add Macedonian locale from the last mozdev.org version 0.9.3.1.
• Fallback to Core-DOM for accessing HTML forms. (Mozilla Bug 230214).
• Recognize HTML5 input types for username.
• Catch up with the toolkit LoginManager: Mozilla Bug 600551 (Password manager not working with input type=email).
• Add basic support for username only forms.

Phil

[VulcanTourist]

SecureLogin seems to fail for this page/site, even when I set a JavaScript protection exception for it:

https://www.ebt.ca.gov/caebtclient/login_set_locale.recip

Can it be made to work for this site? I am currently using Autofill Forms to handle it instead.

[Stanimir Stamenkov]

I would like to find out why securelogin does not work on the page http://member.friendscout24.de/

SecureLogin seems to fail for this page/site, even when I set a JavaScript protection exception for it:

https://www.ebt.ca.gov/caebtclient/login_set_locale.recip

I guess the last one is https://www.ebt.ca.gov/caebtclient/, instead? In both cases the forms use autocomplete="off" attributes, so - do you guys have any logins remembered for those sites?

The Secure Login extension doesn't remember any passwords on its own (yet) - it just uses whatever has been saved already. To remember your logins on forms which otherwise suppress it, use solutions like the "remember password" bookmarklet, the Remember Passwords extension or the Saved Password Editor extension.

After remembering few dummy logins on both sites, the Secure Login extension offers to use them just fine for me.

[VulcanTourist]

So exactly what does that mean, if this autocomplete attribute is false? Does that mean the site is actually dictating to the browser that it must not remember any form data?! That smells like robots.txt, only more Big Brotherish.

I did have one "username" and password saved from when I created an account using a different page with a different form, but it picked the wrong field as the password and since there's no way (?) to edit that information I deleted it. I assumed that the next time I logged-in and supplied the correct information that Firefox would recognize and remember it... but it doesn't. I tried everything in my limited bag of tricks and it simply failed to even recognize this login page(s) for what it is.

So no, currently nothing is remembered or stored. If this autocomplete attribute being disabled is what is standing in the way, isn't there some means I can defeat it? For instance, have you heard of Proxomitron? It's an HTTP filtering proxy, and I still use it for a couple specific things. It intercepts and filters the HTTP stream according to a set of rules; could I create a rule to match and remove or alter the setting of this attribute? I doubt I could use tools like GreaseMonkey, since it is only able to act *after* the browser gets the stream and builds a DOM from it. Proxomitron or privoxy, though, might those work if there's not a more straightforward means?

Shame on any Web site for taking it upon itself to decide that I am not to be trusted with safeguarding my own security information, and shame on the standards community for giving sites a means to take that control away from me. That behavior is precisely why I began using Proxomitron in the first place so many years ago.

[VulcanTourist]

Well, I answered one of my own questions above: Proxomitron can easily rework the page and remove the autocomplete attributes, and doing so allows Firefox to store the login information for the form. Here's the rather simplistic filter rule I created to do it (it should be more restrictive and targeted, I think, but it's been a while):

[Patterns]
Name = "Enable form autocompletion on CA EBT login page"
Active = TRUE
URL = "(http://www.|)ebt.ca.gov/"
Bounds = "<input[^>]++>"
Limit = 512
Match = "\1 autocomplete="off"\2"
Replace = "\1\2"

Maybe this will help others in the same predicament, if they're willing and able to use an HTTP proxy like Proxomitron or privoxy.

[Str0ngwun]

Just use this userscript: Allow Password Remembering.

[Str0ngwun]

And no, it's not a "big brother thing". It's a security thing. It's just a part of HTML standard, which is accepted by everyone.

[VulcanTourist]

Thanks, genuinely, for pointing out the userscript that I didn't expect could exist, which is much simpler to manage than Proxomitron with my "script", but....

Actually it IS a Big Brother thing: it's someone else acting like a pushy, meddling, overconfident pseudo-parent. Big Brother doesn't HAVE to be a guv'mint agency, it can be any entity that has the intent and ability to take control away from you and transfer it to itself. That entity could easily be a Web site, whether it's controlled by a corporation or an individual. In my cited instance it just happens to be a Web site of a government agency. Regardless, the result is the same: you have less control and someone else has the control you lost. You can argue all you want that it was was warranted and reasonable for that control to be taken without consent, and you'll still be blind to the essential principle that is being discarded in the process. That this little feature that allows this little transfer of control just happens to be embedded in a "standard" - a standard which neither you nor I had any part in codifying - is completely irrelevant and does not excuse the principle being violated.

Are you really so unwise that you don't know that "security" is THE most commonly used justification for any unethical or unconstitutional taking of control? How do you think we got shafted with the Patriot Act that is STILL being renewed and sucked into military aggressions in two countries that STILL continue after 8 years? All in the name of "security".

Sorry to everyone else for the tangent, but I just made a comment in passing and someone made an ill-considered disagreement out of it. It's worth defending my offhand comment if someone learns something from the disagreement. That someone could be me, but I don't think so.

[Str0ngwun]

YOU SAW ALIENS TOO? THEY KIDNAPPED ME ONCE AND I KNOW THEY IMPLANTED ME SOME TRACKING CHIP, NOW THEY WATCH EVERYTHING I DO AND I CAN'T EVEN GO TO POLICE, AS THEY HAVE THEIR AGENTS THERE TOO!! THEY LOOK LIKE HUMANS, BUT THEY AREN'T!! USING TELEKINESIS THEY TELL ME TO OBEY THE GIANT!

What specific control did this site gain from you? They already have a database of all their users (including you), so what do they gain from setting login/pass text-fields to not save previously entered data?
Have you ever heard of ISO, IETF and WWWC? Have you heard about HTML standard? Do you know why is it so important to care about security in the web? Did you ever think that a computer might be public? In that case some non-advanced user might have his login data leaked to some 3rd party?
how old are you?

[mantra]

hi
it's the best or one of the best extension

will be update ?

i use firefox 6 and the submit login automatctly doesn't work anymore

thanks!

[dabiank]

Two problems.

1. Login is NOT automatically submitted after Login and Password fileds are filled

2. If I bookmark two or more logins, and I use them as my home page (for instance: http://www.site1/xxx|http://www.site2/xxx), only the first login is automatically done: the second one is done ONLY if I manually click the second tab. Quite boring...

[mantra]

i can not automatically log in
i have 1 password for 1 webpage

secure log doesn't automatically log in , i have always click on the icon

[Brummelchen]

working for firefox 9 and 10 so far (0.9.9_pre_mod)

cheers

[Uncle Spellbinder]

http://xsidebar.mozdev.org/modifiedmisc.html#securelogin
Secure Login 0.9.9pre mod for SeaMonkey 2.0+ contributed by Stanimir Stamenkov

Tested with SeaMonkey 2.3 but should work with SeaMonkey 2.0 to 2.4a....

WOW! Working perfectly in Firefox 7.0.1 on my Mac.

Thanks for sharing this, Phil!