Researcher: Chrome, Safari password managers need work
Posted 15 December 2008 - 10:16 AM
A couple of times a new e-mail message window opened up instead of taking me to a website i.e. "localhost @yahoo.com".
Once a certificate warning opened up, I canceled but the test mentioned nothing about it.
So, eh. I guess it's really like anything else where the user just has to watch out what he or she is doing and be careful as to what sites you enter information at.
It's the simplicity vs. security quandary again.
Posted 15 December 2008 - 11:39 AM
So the two "flaws" are:
- You can be fooled, if both hosts are on the same domain... big deal, which credit card company or bank has its account login on MySpace, Facebook or whatever? Sorry, this is bunk.
- The login page can redirect you to another domain? That is big news. Of course it can - on most dynamic Web pages the browser (or password manager) can not even see where the submit action will take it, and even if it could - the next page might contain a redirect within the same domain and a third one will take you to xyz... this is not a browser security issue at all. If your bank or CC company has no control over what is hosted on their domain, there is no security. No difference at all if using Opera, Firefox, Safari or Lynx. Implementing any such functionality is pretty much impossible, as most institutes will e.g. host homebanking applications under a different subdomain than the main company page, which will contain login boxes for entering credentials. You would have to get all banks, etc. to redesign their sites for maximum security... not a browser issue at all. Would Chapin also want browsers to take care of man-in-the-middle attacks?! How?
Safari/Keychain and 1Password handle passwords perfectly well and as secure as possible, as long as the OS has not been modified by malware – so far there is none (cannot say anything about Chrome, as there is no OS X version yet). Actually, my German bank uses several different hosts for money transfers (seems to be a load balancing thing) and after login I am redirected to a host with available capacity. Neither Safari nor 1Password automatically fill in the password, if I have not used that very host on the same domain before – I have to manually go into the keychain and display my password to retrieve it. It can hardly be any safer.
I think Chapin follows the golden rule here: Mention Apple or Google and make yourself a name in no time, even if all you say is BS.
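The two posts above argue about when a password manager should fill a saved credential: only on the exact host it was saved for (the Safari/Keychain behaviour described for the load-balanced bank hosts), or on any host under the same registrable domain (the "same domain" case the article calls a flaw). The following is an added illustration, not code from any poster, from Apple, Google or 1Password, of what those two matching policies decide. It assumes a stub public-suffix table (`PUBLIC_SUFFIXES`) standing in for the real Public Suffix List, and the function and policy names are invented for the example.

```javascript
// Added example: a toy autofill-matching policy for a password manager.
// Shows why matching on the registrable domain (eTLD+1) is looser than
// matching on the exact origin. PUBLIC_SUFFIXES is a constructed stub;
// a real browser consults the full Public Suffix List.

const PUBLIC_SUFFIXES = new Set(["com", "de", "co.uk"]);

// Registrable domain = public suffix plus one more label, e.g.
// "login.bank.com" -> "bank.com", "a.example.co.uk" -> "example.co.uk".
function registrableDomain(host) {
  const labels = host.toLowerCase().split(".");
  for (let i = 1; i < labels.length; i++) {
    const suffix = labels.slice(i).join(".");
    if (PUBLIC_SUFFIXES.has(suffix)) {
      return labels.slice(i - 1).join(".");
    }
  }
  return host.toLowerCase(); // no known suffix (e.g. "localhost")
}

// Split an origin string into scheme, host and port using the WHATWG
// URL parser (available in Node and browsers). Note that userinfo such
// as "localhost@yahoo.com" is NOT part of the host.
function parseOrigin(origin) {
  const u = new URL(origin);
  return { scheme: u.protocol.replace(":", ""), host: u.hostname, port: u.port };
}

// Decide whether a credential saved for `savedOrigin` may be auto-filled
// on `pageOrigin`.
//   "exact-origin":       scheme, host and port must all match
//   "registrable-domain": any host under the same eTLD+1 qualifies
// Both policies refuse to fill an https credential into an http page.
function shouldAutofill(savedOrigin, pageOrigin, policy) {
  const saved = parseOrigin(savedOrigin);
  const page = parseOrigin(pageOrigin);
  if (saved.scheme === "https" && page.scheme !== "https") return false;
  if (policy === "exact-origin") {
    return saved.scheme === page.scheme &&
           saved.host === page.host &&
           saved.port === page.port;
  }
  if (policy === "registrable-domain") {
    return registrableDomain(saved.host) === registrableDomain(page.host);
  }
  throw new Error("unknown policy: " + policy);
}

// Usage: the load-balanced bank case from the post above.
console.log(shouldAutofill("https://login.bank.com", "https://banking2.bank.com", "exact-origin"));       // false
console.log(shouldAutofill("https://login.bank.com", "https://banking2.bank.com", "registrable-domain")); // true
```

Under `"exact-origin"` the second bank host gets nothing filled, which matches the manual-keychain-lookup experience described above; under `"registrable-domain"` it does, but so does any other subdomain of the same registrable domain, which is exactly the trade-off the thread is arguing about. The `https` downgrade check is the one rule both policies share.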
Posted 15 December 2008 - 12:05 PM
Safari Password is as safe as long as a user is browsing r-e-s-p-o-n-s-i-b-l-y.
The only websites where it's better to input the password manually are banks, PayPal and other money-related sites.
For the rest Safari Password is PERFECTLY! SAFE!