Monday, December 15, 2008

Trust me, I'm your browser...

Ryan Naraine over at ZDNet published an interesting article on a new story from Chapin Information Services about the security of password-storage mechanisms in your browser.
Now, I read this and immediately thought... do I even store passwords in my browser? Duh... no! But that led to a much deeper thought. I read down some of the comments people have left and came to the conclusion that most of the people who read that post missed the point entirely. Rather than looking at whether open-source Mozilla is better or closed-source MS IE is better... why aren't we looking at why in the world someone would trust their passwords to a browser? Look, there are dozens of reasons why this is a bad idea before you even start, not the least of which is that, no matter what the browser, there has at some point been a vuln that made the password-storage mechanism completely useless. Aside from that, the purpose of a browser, boys and girls, is what? That's right, it's to render and display web-based content. It's *not* to manage passwords to web sites and applications.

This whole thing has me thinking (which is sort of dangerous around the holidays...) why someone hasn't written a BHO or Mozilla plug-in that masquerades as a "password manager" and simply steals all your passwords (all your passwords are belong to teh hax0r). Oh... no, wait - that's been done.

