Security Sprint – Firefox Profiles
- At February 03, 2010
- By Josh More
- In Sprint
- 4
We’re all busy people. A security sprint should take no more than two hours… which, while long for a real sprint, is a mere blink of an eye when compared to the multi-year commitment that is proper security practice.
If you use Firefox as your primary browser, there’s a feature that you’re probably not taking proper advantage of. Firefox stores your personal data in a profile. This includes your bookmarks, passwords, cookies and add-ons. The advantage here is that you can tune your Firefox configuration to what you’re doing… and somewhat segment your data.
For example, I have my normal browsing profile, which includes a bare minimum number of add-ons: Adblock Plus, LongURL Mobile Expander, Web of Trust, BetterPrivacy, Cookie Safe and NoScript. Then, if I am conducting offensive security work, I use a profile that is loaded with some attack tools like SQL Inject Me and XSS Me. Similarly, when I’m doing web development or troubleshooting, I have a separate profile that loads Web Developer and Live HTTP Headers. This approach keeps my normal use fairly light and allows me to load the extensions that I need when I need them.
In theory, it also keeps my passwords and cookies a bit safer than usual. It’s not as secure as using a completely separate user account or even computer for doing dangerous activities, but it’s better than not doing anything at all.
To build your own profiles, go here and launch the Profile Manager. Then, when you start Firefox, you will get a dialog asking you which profile you wish to run. From there, it’s just a matter of picking which mode you wish to work in and selecting the appropriate profile before you start.
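The Profile Manager writes each profile it creates into profiles.ini under the Firefox profile root, and any profile directory will honour a user.js file of prefs on startup. The following is an added example (not code from the post) that parses a constructed profiles.ini and renders a user.js for each role described above, so that the offensive profile keeps no saved passwords, form data or history on disk; the profile names and paths are assumed.

```python
"""Added example: parse Firefox's profiles.ini and render per-profile user.js
files so each role (normal / offensive / webdev) gets its own prefs."""
import configparser
import json
import os

# Constructed sample of profiles.ini (lives in the profile root, e.g.
# ~/.mozilla/firefox); the profile names and directory names are made up.
SAMPLE_PROFILES_INI = """\
[Profile0]
Name=normal
IsRelative=1
Path=abcd1234.normal
[Profile1]
Name=offensive
IsRelative=1
Path=efgh5678.offensive
[Profile2]
Name=webdev
IsRelative=0
Path=/srv/ff-profiles/webdev
"""

# Prefs per role (all real Firefox pref names). The offensive profile keeps no
# credentials, form data or history on disk, so an attack add-on or a hostile
# target page has nothing from the other profiles to reach.
ROLE_PREFS = {
    "normal": {"signon.rememberSignons": False},  # keep passwords in a wallet
    "offensive": {"signon.rememberSignons": False,
                  "browser.formfill.enable": False,
                  "places.history.enabled": False,
                  "privacy.sanitize.sanitizeOnShutdown": True},
    "webdev": {"browser.cache.disk.enable": False},  # no stale assets
}

def parse_profiles(ini_text, root):
    """Return {profile name: absolute profile directory} from profiles.ini."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(ini_text)
    found = {}
    for sect in cp.sections():
        if sect.startswith("Profile"):
            path = cp[sect]["Path"]
            if cp[sect].get("IsRelative", "1") == "1":  # else already absolute
                path = os.path.join(root, path)
            found[cp[sect]["Name"]] = path
    return found

def render_user_js(role):
    """Serialise a role's prefs in Firefox's user_pref("name", value); syntax;
    saved as <profile dir>/user.js, Firefox applies them on every start."""
    return "".join(f'user_pref("{k}", {json.dumps(v)});\n'
                   for k, v in ROLE_PREFS[role].items())
```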
Kenneth Younger
Thanks for pointing me to the SQL Inject Me and XSS Me plugins, those will definitely help test the web apps.
I was curious, and was hoping you could elaborate as to how you manage your passwords securely.
Josh
Personally, I prefer the password wallet systems. I generate a secure password for each site and store it in a wallet. Wallets should use secure encryption (like AES or Twofish).
Generally speaking, I distrust the “store it in the browser” option. I know that it’s more convenient and that modern browsers use decent encryption on their password stores… but in order to function, they must be able to read the store. This means that it is theoretically possible for a flaw in the browser to expose the store to an attacker via web page.
That’s not to say that my solution is perfect. In particular, it is vulnerable to password sniffing by keylogger and accidental account lockouts due to mis-entered passwords. However, when I compare those risks to those of native browser storage, the native browser solution seems riskier. (This is just a feeling… I’ve not researched it… yet ;)
Basically, my philosophy is similar to the Unix philosophy. Most systems do one thing well. Browsers, be they IE, Firefox, Opera or Chrome, are really good at browsing. They’re getting better at security, but it’s still not their core focus. There is a lot of security in simplicity, so a simple password wallet with good market history (and that is being actively maintained) is probably better than security in a browser.
I use Gnu Keyring on my Palm and am considering 1Password should I move to the iPhone. I don’t know what’s available in the Blackberry and Android spaces, but I’m sure that they exist there too.
Kenneth Younger
I was just doing a little searching and ran across http://lastpass.com – very wide compatibility, including Linux. This Ubuntu forum question and response by a team member of LastPass was encouraging as well: http://ubuntuforums.org/showthread.php?p=5896494
I was considering 1Password as well, but they have completely ignored an Android version for a long time, continually saying they’ll get to it eventually – plus, they don’t support any OS other than OSX.
Josh
Hmm, LastPass does look promising. I agree with what you say about 1Password. It is a very good solution, but only in the OSX/iPhone space. I just haven’t researched anything else in any detail, as the solution I have right now is working.
I expect that I’ll be looking a lot come this time next year when it’s time to pick out a shiny new phone. :)