556188 - Keylogger protector

Status: RESOLVED WONTFIX

(Toolkit :: Safe Browsing, enhancement)

Description

[ryan14]

User-Agent:       Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
Build Identifier: 

My feature request is for Firefox to have a Keylogger protector that encrypts keystrokes inside the browser so keyloggers will not be able to view people's passwords. There is an example of a Keylogger protector software here:

http://download.cnet.com/KeyScrambler-Personal/3000-2144_4-10571274.html?tag=mncol

So you should develop your own Keylogger protector and integrate it into the browser. It should be enabled by default, and there should be a disable option.

Reproducible: Always

Comment 1

[Johnathan Nightingale [:johnath]]

I like your thinking here around finding ways to shut down new classes of attack. Unfortunately, key log defenders are mostly snake oil. The defenders and the loggers are both software - any defense a defender can mount is one that a logger can subvert, it's an arms race without a very positive end point since the defender has to anticipate every attack and the attacker only needs to discover one. And all of this would still be ineffective against hardware loggers, of course.

Defending against keyloggers is something the operating system can do by only allowing signed/verified drivers for peripherals like keyboards, but it's not something a piece of client software running on that operating system can meaningfully defend against. What's more, any attacker in a position to run a keylogger on your system is in a position to modify other software as well, so it could replace your Firefox with a fake that had this protection disabled.

I'm marking this WONTFIX, but not because I don't appreciate the thought - just because this defense would be at the wrong level - attacks at the Operating System level need to be defended against at a similar level.