Security/Features/PasswordManagerImprovements: Difference between revisions
Jump to navigation
Jump to search
No edit summary |
No edit summary |
||
| Line 10: | Line 10: | ||
|Feature overview=Hardening the Password Manager. | |Feature overview=Hardening the Password Manager. | ||
|Feature users and use cases=* See https://www.usenix.org/conference/usenixsecurity14/technical-sessions/presentation/silver | |Feature users and use cases=* See https://www.usenix.org/conference/usenixsecurity14/technical-sessions/presentation/silver | ||
* | * Includes improvements to the Password Manager to prevent attacks such as "Lupin" in the paper [http://arxiv.org/abs/1309.1416 "Automated Password Extraction Attack on Modern Password Managers"]. When a user is on an insecure network and makes any http request, a mitm could add login iframes to the http request. The mitm can then add javascript to the responses from the login pages that send the attacker the autocompleted passwords from password manager. | ||
|Feature requirements=* Preventing active network attacks: | |Feature requirements=* Preventing active network attacks: | ||
*# Do not autofill the username/password stored in password manager | *# Do not autofill the username/password stored in password manager on any pages. Provide alternative UX - <b>UX help needed</b>. If automatically filling the password must be an option, then at least do not fill in the following cases. (Note this does not secure the user from xss attacks, third party javascript, etc.) | ||
*#* For http sites (IE 11 has this security feature) | *#* For http sites (IE 11 has this security feature) | ||
*#* https sites that have mixed active content | *#* https sites that have mixed active content | ||
| Line 18: | Line 18: | ||
*#* in iframed sites (where the parent and frame are not same orign, or always?) (safari does this for non-same origin, chrome does this for all frames). (Open Issue - what about third party widgets that allow users to login and post comments.) | *#* in iframed sites (where the parent and frame are not same orign, or always?) (safari does this for non-same origin, chrome does this for all frames). (Open Issue - what about third party widgets that allow users to login and post comments.) | ||
*#* Invisible form fields (visibility and opacity, although this isn't going to prevent clickjacking attacks to autofill the passwords) | *#* Invisible form fields (visibility and opacity, although this isn't going to prevent clickjacking attacks to autofill the passwords) | ||
*# [https://wiki.mozilla.org/Security/Features/HighlightCleartextPasswords Highlight Cleartext Passwords] | *# Warn users when they are entering their passwords on HTTP sites. UX help needed for this. Some options: | ||
*# Secure Filling - Passwords that are saved by the password manager should not be available to javascript on the page. The actual password values should only be sent on submit. This protects the password from attacks via xss, 3rd party javascript, etc. | *#* warning icon in the password field | ||
*#* Fill-and-submit button is a different color | |||
*#* On mouseover of the fill in submit button, the user can read a tooltip that warns them that their password can be seen in the clear. | |||
*#* See also [https://wiki.mozilla.org/Security/Features/HighlightCleartextPasswords Highlight Cleartext Passwords] and [https://bugzilla.mozilla.org/show_bug.cgi?id=759860 Bug 759860]. | |||
*# Secure Filling - Passwords that are saved by the password manager should not be available to javascript on the page. The actual password values should only be sent on submit. This protects the password from attacks via xss, 3rd party javascript, etc. Implementation details: when a password is filled in on a form, fill hash(uri, username, salt) instead of the actual password. On submit, lookup the actual password value for that url and send that instead. Username is included for cases where there are multiple usernames. | |||
* Preventing local attacks: | * Preventing local attacks: | ||
** Explore solutions for encrypting the passwords stored locally in the password manager (for example, make use of keychain or encryption mechanisms that come with the OS). | ** Explore solutions for encrypting the passwords stored locally in the password manager (for example, make use of keychain or encryption mechanisms that come with the OS). | ||
* Duplicate Passwords - Protecting users from password reuse attacks | * Duplicate Passwords - Protecting users from password reuse attacks | ||
** If | ** Create UI around alerting users that they are reusing the same passwords | ||
* HSTS: If a site is HSTS, then there is no reason to have http data for that site. Hence, if a site is marked HSTS, and the user has any data (cookies, passwords, etc) that are not https-only/secure, immediately mark that data as https-only. (Note that we'd need some way to indicate that the site has been STS for at least X weeks to prevent deleting data from a site that goes HSTS as a beta test and then goes back to non-HSTS.) | |||
<b>Autofill:</b> | |||
If we must allow autofilling in certain cases, then we also need the following security features: | |||
* If an identical password is stored for both the http version and https version of a specific website (or domain), and it is not used on the http site for X months, expire the http version after alerting the user. (This can help in cases where the website has upgraded to https, but the user's http password manager entry still exists and is open to attack). | |||
-- | * When the password field name is different from the name when the password was saved, don't allow filling & submit. Moreover, don't allow javascript to dynamically change the name of the form?? See [https://www.usenix.org/system/files/conference/usenixsecurity14/sec14-paper-silver.pdf section 5.2, Preventing self exfiltration attacks]. | ||
* Consider not autofilling in cases where the page has multiple login forms. | |||
<b>Future Work:</b> | |||
* | * Support [https://mikewest.github.io/credentialmanagement/spec/ Credential Management Specification] so websites can opt into better detection and protection. | ||
* | * Prefer secure origins - If a password is stored in an http version of a site, see if the https version exists. If it does, prompt the user to redirect to the https version of the site and store their password there instead. (Issue here is that we don't always know if changing the url to https will work, or if a site is set up to have a different domain or path for their secure version) | ||
* | <b>Investigate more:</b> | ||
* Only autofill forms after user interaction with the login page, not necessarily the form - https://code.google.com/p/chromium/issues/detail?id=257156. We need more details here. | |||
* | * Do not autofill (or even fill-and-submit for HTTP pages?) if the form action has changed since the password was stored (perhaps with a user override option). (To do this, we need to include the form action in the key, along with the url. We'd need to check the action both on load and on submit. What if it's a javascript action? More investigation needed here. We already do some flavor of this.) | ||
* Assume we have implemented secure filling (javascript on the page can't read the password). If the user prompts the password manager to fill in a password on an HTTP page and the form action has changed since the password was stored, don't send the password (might be tricky to implement). Perhaps with an UI for user override. (Secure autofilling causes issues with ajax logins, a technique used mostly in china per https://www.usenix.org/conference/usenixsecurity14/technical-sessions/presentation/silver) | |||
* Secure Filling 2.0 | * Secure Filling 2.0 | ||
** Do not give javascript access to any password fields (regardless of whether the password manager saves the password) - the actual password the user enters is only used on submit. The problem with this is with registration pages that use javascript to test the password strength. [https://bugzilla.mozilla.org/show_bug.cgi?id=653132 Bug 653132] | ** Do not give javascript access to any password fields (regardless of whether the password manager saves the password) - the actual password the user enters is only used on submit. The problem with this is with registration pages that use javascript to test the password strength. [https://bugzilla.mozilla.org/show_bug.cgi?id=653132 Bug 653132]. Can we detect registration pages? If a page a registration page has only one password field (they don't ask you to confirm your password by entering it twice) do they really use javascript to test password strength? Since they aren't asking you to confirm your password, they probably aren't too concerned with special characters. | ||
|Feature ux design=* What should the UX be when we do not autofill? | |Feature ux design=* What should the UX be when we do not autofill? | ||
*# Today the experience is that the user first has to type the username, and then the password will be filled in. [NB: it fails utterly on "password-only" forms (where the username is known to the site already, such as by a cookie) because there's no username field interaction to trigger the fill-in] | *# Today the experience is that the user first has to type the username, and then the password will be filled in. [NB: it fails utterly on "password-only" forms (where the username is known to the site already, such as by a cookie) because there's no username field interaction to trigger the fill-in] | ||
*# We could have an fill-and-submit option, so that there is still only one click for the user. Instead of clicking "submit" they would click "fill and submit". This way, we've added security without decreasing usability. | *# We could have an fill-and-submit option, so that there is still only one click for the user. Instead of clicking "submit" they would click "fill and submit". This way, we've added security without decreasing usability. | ||
*# To prevent clickjacking attacks, the UI for this could live somewhere in chrome; the user could interact with the some password manager directly instead of the webpage. | *# To prevent clickjacking attacks, the UI for this could live somewhere in chrome; the user could interact with the some password manager directly instead of the webpage. Clickjacking is not our biggest threat here though, so in content would be okay too. | ||
* What should the UX be when we alert users of duplicate passwords? | * What should the UX be when we alert users of duplicate passwords? | ||
Revision as of 20:41, 26 November 2014
Please use "Edit with form" above to edit this page.
Status
| Security Improvements to Password Manager | |
| Stage | Draft |
| Status | ` |
| Release target | ` |
| Health | OK |
| Status note | ` |
Team
| Product manager | ` |
| Directly Responsible Individual | ` |
| Lead engineer | ` |
| Security lead | Tanvi Vyas |
| Privacy lead | ` |
| Localization lead | ` |
| Accessibility lead | ` |
| QA lead | ` |
| UX lead | ` |
| Product marketing lead | ` |
| Operations lead | ` |
| Additional members | ` |
Open issues/risks
`
Stage 1: Definition
1. Feature overview
Hardening the Password Manager.
2. Users & use cases
- See https://www.usenix.org/conference/usenixsecurity14/technical-sessions/presentation/silver
- Includes improvements to the Password Manager to prevent attacks such as "Lupin" in the paper "Automated Password Extraction Attack on Modern Password Managers". When a user is on an insecure network and makes any http request, a mitm could add login iframes to the http request. The mitm can then add javascript to the responses from the login pages that send the attacker the autocompleted passwords from password manager.
3. Dependencies
`
4. Requirements
- Preventing active network attacks:
- Do not autofill the username/password stored in password manager on any pages. Provide alternative UX - UX help needed. If automatically filling the password must be an option, then at least do not fill in the following cases. (Note this does not secure the user from xss attacks, third party javascript, etc.)
- For http sites (IE 11 has this security feature)
- https sites that have mixed active content
- https sites that require a cert override (chrome does this)
- in iframed sites (where the parent and frame are not same orign, or always?) (safari does this for non-same origin, chrome does this for all frames). (Open Issue - what about third party widgets that allow users to login and post comments.)
- Invisible form fields (visibility and opacity, although this isn't going to prevent clickjacking attacks to autofill the passwords)
- Warn users when they are entering their passwords on HTTP sites. UX help needed for this. Some options:
- warning icon in the password field
- Fill-and-submit button is a different color
- On mouseover of the fill in submit button, the user can read a tooltip that warns them that their password can be seen in the clear.
- See also Highlight Cleartext Passwords and Bug 759860.
- Secure Filling - Passwords that are saved by the password manager should not be available to javascript on the page. The actual password values should only be sent on submit. This protects the password from attacks via xss, 3rd party javascript, etc. Implementation details: when a password is filled in on a form, fill hash(uri, username, salt) instead of the actual password. On submit, lookup the actual password value for that url and send that instead. Username is included for cases where there are multiple usernames.
- Do not autofill the username/password stored in password manager on any pages. Provide alternative UX - UX help needed. If automatically filling the password must be an option, then at least do not fill in the following cases. (Note this does not secure the user from xss attacks, third party javascript, etc.)
- Preventing local attacks:
- Explore solutions for encrypting the passwords stored locally in the password manager (for example, make use of keychain or encryption mechanisms that come with the OS).
- Duplicate Passwords - Protecting users from password reuse attacks
- Create UI around alerting users that they are reusing the same passwords
- HSTS: If a site is HSTS, then there is no reason to have http data for that site. Hence, if a site is marked HSTS, and the user has any data (cookies, passwords, etc) that are not https-only/secure, immediately mark that data as https-only. (Note that we'd need some way to indicate that the site has been STS for at least X weeks to prevent deleting data from a site that goes HSTS as a beta test and then goes back to non-HSTS.)
Autofill: If we must allow autofilling in certain cases, then we also need the following security features:
- If an identical password is stored for both the http version and https version of a specific website (or domain), and it is not used on the http site for X months, expire the http version after alerting the user. (This can help in cases where the website has upgraded to https, but the user's http password manager entry still exists and is open to attack).
- When the password field name is different from the name when the password was saved, don't allow filling & submit. Moreover, don't allow javascript to dynamically change the name of the form?? See section 5.2, Preventing self exfiltration attacks.
- Consider not autofilling in cases where the page has multiple login forms.
Future Work:
- Support Credential Management Specification so websites can opt into better detection and protection.
- Prefer secure origins - If a password is stored in an http version of a site, see if the https version exists. If it does, prompt the user to redirect to the https version of the site and store their password there instead. (Issue here is that we don't always know if changing the url to https will work, or if a site is set up to have a different domain or path for their secure version)
Investigate more:
- Only autofill forms after user interaction with the login page, not necessarily the form - https://code.google.com/p/chromium/issues/detail?id=257156. We need more details here.
- Do not autofill (or even fill-and-submit for HTTP pages?) if the form action has changed since the password was stored (perhaps with a user override option). (To do this, we need to include the form action in the key, along with the url. We'd need to check the action both on load and on submit. What if it's a javascript action? More investigation needed here. We already do some flavor of this.)
- Assume we have implemented secure filling (javascript on the page can't read the password). If the user prompts the password manager to fill in a password on an HTTP page and the form action has changed since the password was stored, don't send the password (might be tricky to implement). Perhaps with an UI for user override. (Secure autofilling causes issues with ajax logins, a technique used mostly in china per https://www.usenix.org/conference/usenixsecurity14/technical-sessions/presentation/silver)
- Secure Filling 2.0
- Do not give javascript access to any password fields (regardless of whether the password manager saves the password) - the actual password the user enters is only used on submit. The problem with this is with registration pages that use javascript to test the password strength. Bug 653132. Can we detect registration pages? If a page a registration page has only one password field (they don't ask you to confirm your password by entering it twice) do they really use javascript to test password strength? Since they aren't asking you to confirm your password, they probably aren't too concerned with special characters.
Non-goals
`
Stage 2: Design
5. Functional specification
`
6. User experience design
- What should the UX be when we do not autofill?
- Today the experience is that the user first has to type the username, and then the password will be filled in. [NB: it fails utterly on "password-only" forms (where the username is known to the site already, such as by a cookie) because there's no username field interaction to trigger the fill-in]
- We could have an fill-and-submit option, so that there is still only one click for the user. Instead of clicking "submit" they would click "fill and submit". This way, we've added security without decreasing usability.
- To prevent clickjacking attacks, the UI for this could live somewhere in chrome; the user could interact with the some password manager directly instead of the webpage. Clickjacking is not our biggest threat here though, so in content would be okay too.
- What should the UX be when we alert users of duplicate passwords?
- Can we somehow expose the about:config option signon.autofill to users to prevent attacks on saved passwords in HTTPS pages (ex: XSS bugs on the victim site). Alternatively, if we come up with a fill-and-submit that is more usable than autofill, we can deploy it on both HTTP and HTTPS pages.
Stage 3: Planning
7. Implementation plan
`
8. Reviews
Security review
`
Privacy review
`
Localization review
`
Accessibility
`
Quality Assurance review
`
Operations review
`
Stage 4: Development
9. Implementation
`
Stage 5: Release
10. Landing criteria
`
Feature details
| Priority | Unprioritized |
| Rank | 999 |
| Theme / Goal | ` |
| Roadmap | Security |
| Secondary roadmap | ` |
| Feature list | ` |
| Project | ` |
| Engineering team | ` |
Team status notes
| status | notes | |
| Products | ` | ` |
| Engineering | ` | ` |
| Security | ` | ` |
| Privacy | ` | ` |
| Localization | ` | ` |
| Accessibility | ` | ` |
| Quality assurance | ` | ` |
| User experience | ` | ` |
| Product marketing | ` | ` |
| Operations | ` | ` |