Closed Bug 469636 Opened 17 years ago Closed 16 years ago

PM-Evaluator tracking bug (Chapin's password manager test suite)

Component: Toolkit :: Password Manager (defect)
Severity: normal; Priority: Not set
Status: RESOLVED INVALID
Reporter: moz (Unassigned)
Depends on 1 open bug

http://www.info-svc.com/news/2008/12-12/ summarizes issues found by Chapin's password manager evaluator (http://www.info-svc.com/news/2008/12-12/pm-evaluator/).
Bug 371515 is a combination of the tests "Method Checked on Retrieval" and "Method Raises Warnings".
Depends on: 371515
Bug 38862 might be one of the tests, judging from comments in other bugs. But as I can't read it, I'm adding it on good luck... (I'd add it to the dependencies if I could do so.)
Bug 38862 has nothing to do with password manager.
I went through the list of failed tests on Chapin's report (first link in comment 0). Overall, it's a rehash of previously reported issues, most of which were marked INVALID or WONTFIX. The ones that are not have marginal, if any, security benefit. Here are the 21 tests... Chapin's results show Firefox 3.0.4 passes 7, fails 13, and 1 is marked "?". I didn't look closely at the passed tests; I'm including them just for completeness.

Tests 1-9 all deal with the URL that a form is submitted to. EG, <form action="http://foo.com">.

1) pass -- Action Authority Checked on Retrieval
Previously fixed by bug 360493, which added same-origin checking of the action URL (scheme://host:port) to saved logins.

2) pass -- Action Authority Checked on Save
Basically the same issue as test #1.

3) FAIL -- Action Authority Raises Warnings
Bug 373144, WONTFIX. Not a security problem. Warning the user about this is just an annoyance, gives users no guidance as to what to do, and trains users to simply click "ok" to security dialogs.

4) FAIL -- Action Path Checked on Retrieval
A flavor of bug 263387, WONTFIX. Not a security problem. Would result in breaking many sites, and is confusing for users.

5) FAIL -- Action Path Checked on Save
Basically the same issue as test #4.

6) pass -- Action Scheme Checked on Retrieval
Basically the same issue as test #1.

7) pass -- Action Scheme Checked on Save
Basically the same issue as test #1.

8) FAIL -- Action Scheme Raises Warnings
This test appears to be for two different things:
a) warn if action-scheme != page-scheme. We already warn when insecurely submitting a form on a secure page to an insecure page (eg, https to http). Other than that case, this isn't a security problem, and would be a user annoyance. Don't know of any existing bug filed for this.
b) warn if action-scheme is mailto:. Bug 373309. There's sufficient rationale to WONTFIX. A warning wouldn't be unreasonable, since this case is uncommon, but has little security benefit.

9) FAIL -- Action Scheme Prevented if Unsafe
This test's description is vague, not sure what it's talking about. Sounds similar to test #8.

10) "?" -- Autocomplete=Off Prevents Form Fills
Bug 362576 implemented current behavior, see discussion there. Logins will not be automatically filled into forms with autocomplete=off, but with explicit interaction the user can request the password to be filled in. Giving the user control is not a security problem.

11) FAIL -- Invisibility Prevents Form Fills
Bug 373153, WONTFIX. This doesn't provide any security benefit, as a malicious page can hide inputs in many different ways. Would also break legitimate uses.

12) FAIL -- Method Checked on Retrieval
See discussion in bug 371515. Low security benefit.

13) FAIL -- Method Raises Warnings
See discussion in bug 367717. Low security benefit.

14) FAIL -- Multiple Paths Per User Per Authority
Bug 263387, WONTFIX. Not a security problem. Would result in breaking many sites, and is confusing for users. (Same issue as test #4)

15) pass -- Multiple Ports Per User Per Host
This is same-origin (scheme://host:port) checking.

16) pass -- Multi. Schemes Per User Per Authority
This is same-origin (scheme://host:port) checking.

17) FAIL -- Page Path Checked on Retrieval
Same issue as test #14.

18) FAIL -- Random Name Attr. Prevents Form Fills
See bug 372885 (WONTFIX) for discussion. Not a security problem. Form field names are not a security mechanism.

19) FAIL -- User Required for PW Retrieval
This can be controlled by the signon.autofillForms preference. Automatically filling logins is not a security problem, and is a useful feature.

20) FAIL -- User Required for PW Save
Fixed in Firefox 3.1 by bug 394611. Still, not a security problem. This was changed to prevent accidentally changing a password that works to one that doesn't.

21) pass -- Valid URIs Don't Break Anything
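The same-origin fill rule the comment above describes (tests 1, 4, 8, 10 and 14-17: scheme, host and port of the action URL are compared, the path is not, and autocomplete=off only blocks automatic fill), as an added example that is not Firefox's own code. `originOf` and `fillDecision` are hypothetical names, Node's global `URL` class does the parsing, and the saved login and form records are constructed sample data.

```javascript
// Added example (not Firefox code): a model of the fill decision the comment above
// describes. Function and field names are hypothetical; Node's global URL class is used.

function originOf(urlString, base) {
  // Same-origin identity is scheme://host:port; path, query and fragment are ignored
  // and a default port (443 for https) is normalised away.
  const u = new URL(urlString, base);
  return u.origin === "null" ? null : u.origin; // mailto: etc. have an opaque origin
}

function fillDecision(savedLogin, form) {
  // savedLogin: { pageOrigin, actionOrigin } recorded when the login was saved.
  // form: { pageURL, actionURL, autocompleteOff, userRequested } for the form being filled.
  const pageOrigin = originOf(form.pageURL);
  const actionOrigin = originOf(form.actionURL || "", form.pageURL); // empty action = page URL
  const notes = [];

  if (pageOrigin !== savedLogin.pageOrigin) {
    return { fill: false, reason: "page origin differs from saved login", notes };
  }
  // Tests 1, 6, 7, 15, 16: the action's scheme, host and port must match what was saved.
  if (actionOrigin === null || actionOrigin !== savedLogin.actionOrigin) {
    return { fill: false, reason: "form action origin differs from saved login", notes };
  }
  // Tests 4, 14, 17: the action and page paths are deliberately not compared.
  // Test 10: autocomplete=off suppresses automatic fill; an explicit user request still fills.
  if (form.autocompleteOff && !form.userRequested) {
    return { fill: false, reason: "autocomplete=off; fill only on explicit user request", notes };
  }
  // Test 8a: the one scheme mismatch Firefox does warn about, an https page posting to http.
  if (pageOrigin.startsWith("https:") && actionOrigin.startsWith("http:")) {
    notes.push("insecure submission: secure page posts to an insecure action URL");
  }
  return { fill: true, reason: "same-origin action", notes };
}

// Constructed sample data: one saved login and a few forms it might be offered to.
const SAVED = { pageOrigin: "https://example.com", actionOrigin: "https://example.com" };
const SAMPLE_FORMS = {
  otherPath: { pageURL: "https://example.com/a", actionURL: "/b/login", autocompleteOff: false, userRequested: false },
  otherPort: { pageURL: "https://example.com/a", actionURL: "https://example.com:8443/login", autocompleteOff: false, userRequested: false },
  autocompleteOff: { pageURL: "https://example.com/a", actionURL: "/login", autocompleteOff: true, userRequested: false },
  mailto: { pageURL: "https://example.com/a", actionURL: "mailto:u@example.com", autocompleteOff: false, userRequested: false },
};

for (const [name, form] of Object.entries(SAMPLE_FORMS)) {
  console.log(name, fillDecision(SAVED, form));
}
```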
Keywords: privacy, qawanted
Depends on: 470005
No longer depends on: 470005
INVALID, per previous comment.
Status: UNCONFIRMED → RESOLVED
Closed: 16 years ago
Resolution: --- → INVALID