>But Palant wasn't the first to notice such weakness. A Mozilla bug tracker entry by Justin Dolske from nine years ago reported the same issue, soon after the master password feature's launch.
>Dolske also pointed to the low iteration count of 1 as the master password's main problem. But despite the report, Mozilla did not take any official action for years.
>It was only until this past week when Palant reanimated the original bug report that Mozilla finally provided an official answer, suggesting this would be fixed with the launch of Firefox's new password manager component —currently codenamed Lockbox and available as an extension.
Good job, Mozilla. You clearly care a lot about the security of your users... Not.
when you have so much important stuff going on like global warming, empowering women and making internet healthy you don't have time to make your browser better
This, honestly. It's just a disaster waiting to happen.
Evan Hill
>"I looked into the source code," Palant says, "I eventually found the sftkdb_passwordToKey() function that converts a [website] password into an encryption key by means of applying SHA-1 hashing to a string consisting of a random salt and your actual master password."
open sores btfo
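Added example, not part of the thread and not Mozilla's code: a sketch of the construction the quote describes (one SHA-1 pass over salt plus master password) next to an iterated KDF, timing what a single derivation costs. The function names, the sample password, and the choice of PBKDF2-HMAC-SHA256 with 200,000 iterations are assumptions made for illustration.

```python
import hashlib
import os
import time


def single_sha1_key(salt: bytes, password: str) -> bytes:
    """One SHA-1 pass over salt || password (iteration count of 1), as quoted."""
    return hashlib.sha1(salt + password.encode("utf-8")).digest()


def stretched_key(salt: bytes, password: str, iterations: int) -> bytes:
    """Iterated alternative: PBKDF2-HMAC-SHA256 (assumed choice, not Mozilla's)."""
    return hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, iterations, dklen=32
    )


def seconds_per_derivation(derive, repeats: int) -> float:
    """Average wall-clock cost of one key derivation."""
    start = time.perf_counter()
    for _ in range(repeats):
        derive()
    return (time.perf_counter() - start) / repeats


def compare_cost(iterations: int = 200_000) -> dict:
    """Time both derivations on the same constructed salt and password."""
    salt = os.urandom(20)                 # constructed sample salt
    password = "constructed-sample-pw"    # constructed sample input
    fast = seconds_per_derivation(lambda: single_sha1_key(salt, password), 20_000)
    slow = seconds_per_derivation(
        lambda: stretched_key(salt, password, iterations), 3
    )
    return {"single_sha1_s": fast, "pbkdf2_s": slow, "slowdown": slow / fast}


if __name__ == "__main__":
    result = compare_cost()
    print(f"single SHA-1 : {result['single_sha1_s'] * 1e6:.2f} microseconds per key")
    print(f"PBKDF2 200k  : {result['pbkdf2_s'] * 1e3:.1f} milliseconds per key")
    print(f"slowdown     : {result['slowdown']:.0f}x per derivation")
```

The salt makes the derived key unique per profile but adds no per-derivation cost; only the iteration count does that, which is the point of Dolske's report.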
Jaxson Powell
Use a proper password manager instead. KeepassXC is really good and they now have an official browser integration addon for autofilling passwords.
Carter Watson
OP here. I agree, which is why I don't, ever, use the password managers embedded in my browsers, but still, this is not an excuse.
>many eyes muh security
open sores doesn't just imply that bugs and security issues are found, but that they are also fixed
Lincoln Taylor
Who cares? it's been known for 9 years but no one's managed to do anything to exploit it
Grayson Bennett
>open sores doesn't just imply
I guess you mean it's supposed to imply. IMO, you are terribly wrong, and this is not a matter of open source or not, at all, the problem is simple: mozilla fucked up.
there are lots of malware that can retrieve and crack those DBs. this is well known, and not that difficult to do. though, yeah, with enough privileges, malware can inject itself in your browser and simply get the key...
Nolan Nguyen
blog.mozilla.org/berlin/en/people/teaching-the-freedom-of-an-open-web/
>You can also support the initiative by speaking out publicly about “Internet health”. Perhaps the concept is useful in your own community? Our ambition is that the term may one day be as common as “global warming” is for the environment.
>There are times when Cathleen asks herself if it wouldn’t be more important to tackle issues like refugee aid, global warming, or education for minorities.
What is the difference between Mozilla, Huffington Post or ADL today?
I don't believe the many eyes shit, it's what I'm saying. but you can't even blame open source for this, at all. they already knew about the bug, for 9 years, at least. no one other than mozilla devs would even touch this feature, they are the ones supposed to take care of critical features... so "patches are welcome" wouldn't have worked here.
Alexander Turner
Who cares? Anyone with a brain never goes any farther than storing passwords offline with some flavor of Keepass.
Zachary Phillips
That was true right up until Quantum.
Asher Wilson
>this is not a matter of open source or not, at all, the problem is simple: mozilla fucked up.
Firefox is free and open source so Mozilla can't fuck up. You fucked up by not using your freedom to fork it.
John Diaz
>eats your ram
>eats your cpu
>stutters like a cripple
>developed by SJWs
>teleports behind you
heh, nothing personell kid. Even Edge performs better now that it has adblock and supports webms
Xavier Thompson
Password storage in browsers is inherently reversible, so it doesn't even matter. The fact it's encrypted at all is just to put some security against prying eyes. Otherwise you can just go into the password vault and click "show password" in any browser.
Nathan Gomez
>yeah, with enough privileges, malware can inject itself in your browser and simply get the key
It doesn't even need to do that. Your user account needs to have access to everything required to decrypt those passwords, otherwise it couldn't use them. Which means that malware could just send your whole browser profile to a CC server and they could harvest them there, since it by nature has everything included in it to decrypt them, including the encrypted passwords themselves.
Thomas Price
Use Waterfox.
Firefox without the stupid decisions TM
Anthony Phillips
>he doesn't know the difference between Mozilla Foundation and Mozilla Corporation
>*uses the settings*
>offers way more control (about:config, UI customization)
Slower, and doesn't offer anything I need.
Logan Young
>It performs better for me than the old version
Neat. What does that have to do with anything? We are talking about the least shit browser, which is now Waterfox, since they can still use the legacy add ons.. Firefox is just another flavor of Chrome now. And if speed is your game, Brave with all shields on (including NoScript) has FF beat on speed.
Bentley Green
i guess the OP and most of this thread didn't bother to understand what the purpose of the master password system was before posting their retarded opinions? even just skimming the bugzilla threads would have been sufficient. goddamn the technical literacy on this board is fucking abysmal.
Sebastian Young
>what does that have to do with anything
You said Quantum is shit. I said it performed better for me, meaning I disagree based on my experience. Are you retarded? Firefox is still way more capable than chrome in terms of customization. And fuck you for even suggesting brave. The browser that serves their own ads and has shit extensions. The browser that doesn't have ublock origin or umatrix because then you would actually be able to block every ad. Firefox is the best all around browser for speed and customization.
>which is now Waterfox
order of magnitude slower patch times and reliance on unsupported legacy code which the """developers""" are not competent enough to maintain and which is actively falling behind in performance + security as the ESR cycle rolls over. wew what a good browser
>Firefox is just another flavor of Chrome now
Firefox has more (and increasingly so) robust extension APIs, allowing for more powerful ad-blocking (among other benefits), more built in privacy and anti-fingerprinting capabilities, allows full native UI customization and allows much deeper and broader customization of browser behaviour in general (exposed through native settings UI and through about:config). Not sure why you faggots keep shilling this lie. Does using meme forks make you feel special or something?
Zachary Young
Gee whiz! I wonder who has been funding mozilla behind the scenes??? Now everything is making sense now.