How Does Firefox's Software Security Device Protect Passwords?

Question

Mozilla claims someone can sit at your computer and get your passwords for each site in 15 seconds. I learned while writing a Firefox extension for the first time that I could access any file in a users directory (given that it was owned by the user). If the passwords are decrypted and written somewhere in the users directory, then they are accessible during a session by a malicious extension or site that uses web code that may access a users directory. What is the process the Software Security Device uses in Firefox that ensures site passwords are really secure from such malicious code?

Decrypting passwords to the hard drive would be insecure because other processes could read them. Does the Software Security Device decrypt them to the users directory?

If not, then does the Software Security Device decrypt them only in ram? If so, then what are the possibilities of another application reading the application space of the Software Security Device?

Please describe.

Describing the process shouldn't be a secret, because secrets are an indication of vulnerability and weakness, instead a true secure method requires brute force to break. An open policy about the encryption process gives a wider audience, which increases the potential for more secure solutions.

I bring this up, because it's not described in the Software Security Device explanation or Master Password explanation on the Mozilla site, leaving me wondering if we are really secure using that feature.

Answer 1

The passwords are stored in the SQLite database signons.sqlite in user's profile directory. By default they are not really encrypted - extracting them from this file and "decrypting" is trivial. To have some security here the user has to define a master password (on the Security tab of the Firefox options), this one will be used to encrypt the passwords in the database. If that has been done then extracting passwords from signons.sqlite is non-trivial, one has to guess the master password.

But Firefox needs to decrypt the passwords to use them of course. If some browser code requests a password (via nsILoginManager) a master password prompt appears - the user needs to enter the master password to allow decrypting his passwords. The decrypted passwords are never written to disk but the browser (and any browser extensions) will be able to access them after that.

Firefox doesn't do anything to prevent extensions from accessing passwords because it would be pointless. The only way to prevent a malicious extension from getting to your passwords is to avoid installing a malicious extension in the first place. Even if nsILoginManager were not there, a malicious extension could still sniff on your communication with the web page when the password is transmitted. Or it could listen to what you type when asked for the master password. Or it could fake a master password dialog and get the master password directly. There are tons of possibilities - an application cannot possibly beat another application that is running with the same privileges.

PS: Software Security Device is for certificates, not passwords - entirely unrelated. But it uses the same master password, hence the confusing dialog.