Comments on: Firefox 3: Why do I love thee? The second way.

By: sheppy

sheppy — Fri, 16 May 2008 19:01:36 +0000

The keychain is the Mac OS X system-wide password and certificate storage system. I’d like to see Firefox take advantage of it, but it’s not a huge deal for me either. The main advantage to it is that once a password for a site is stored in the keychain, any application that you use that needs access to that site can get the password from the central storage pool.

It’s also handy in that keychains are synchronized among all your Macs if you’re a .Mac user.

By: Jonah Dempcy

Jonah Dempcy — Fri, 16 May 2008 17:57:19 +0000

Good point, Sean!

My opinion on it is that the usability benefit for power users outweighs the security risk for less knowledgeable users. I know this is an elitist attitude, but it seems to me that hand-holding for security purposes is only appropriate when there is no negative usability downside.

In this case, it is clear to me that there is a huge usability gain from the new system (less distracting, cleaner, asks you _after_ seeing if worksthe password), and the only real downside is a potential security problem caused by users being more trusting of sites asking for their info.

Not to change the subject too much, but what are peoples’ thoughts on Safari’s keychain feature? Or is that a Mac thing bigger than just Safari? I had a Mac test box with Safari at my last job and I remember that one of the bugs I encountered was that it was asking if I wanted to save a password after entering a search query into a text input. Go figure!

By: Sean

Sean — Fri, 09 May 2008 02:01:49 +0000

sheppy:

I’m not saying the current uses of the dialog strip are a concern. The concern is that system messages appear within the browser window at all.

If people become accustomed to system messages within the browser window they will be less able to discriminate against fake system messages. “Hmmm… now the system is asking me to retype my paypal password. Oh well…”

If the system messages are obviously part of the chrome then a faked system message will at least be surprising (and hopefully viewed with suspicion) because of its physical location. “Why is this web-page asking me to enter my paypal password?”

By: sheppy

sheppy — Fri, 09 May 2008 01:07:17 +0000

Sean:

What cases of use of the dialog strip are there that are a security concern? I’ve only seen it used to ask if you want to save a password, which doesn’t make your password less secure that I can think of, and also to notify you about certain types of updates.

By: Sean

Sean — Thu, 08 May 2008 23:23:44 +0000

While I like the dialog strip for the reasons mentioned, I can’t fathom why it appears *inside* the browser window. How easy would that be to fake? Surely this will be a security nightmare once people are comfortable with system messages appearing there.

By: Fabian

Fabian — Thu, 08 May 2008 16:24:03 +0000

no you just needed to change that into the options. I used that feature from the Firefox2 trunks.

By: sheppy

sheppy — Thu, 08 May 2008 16:16:43 +0000

Actually, the session restore feature in Firefox 3 has improved over Firefox 2. I believe it only worked in the case of a crash in Firefox 2.

By: Adam Dempsey

Adam Dempsey — Thu, 08 May 2008 16:06:24 +0000

Firefox 2 could also save your open tabs if you told it too

By: Matt

Matt — Thu, 08 May 2008 16:02:42 +0000

Also - you have a chance to re-enter it if you get the password wrong (or can’t remember which password you used). The old way required you to commit to saving before you even knew it was right!

By: Fabian

Fabian — Thu, 08 May 2008 15:54:30 +0000

Firefox2 already had the “show my last tabs and windows at startup” feature.