foxyproxy / firefox-extension

FoxyProxy for Firefox extension beginning with Firefox 57 (Quantum)
GNU General Public License v2.0

Storing password in plain text #202

Closed TheKourosh closed 1 year ago

TheKourosh commented 1 year ago

Hello. We use FoxyProxy to connect to our proxy server, and for better user management our proxy server authenticates users with an LDAP server, so we need to set the LDAP user account password in FoxyProxy. But I realized FoxyProxy for Firefox stores passwords in plain text, and with a very simple grep a hacker can easily find a user's main password. Is there a solution for this? Like setting a master password on FoxyProxy for encrypting its data, or whatever the Google Chrome version does that doesn't show the password in plain text? Thank you.

ericjung commented 1 year ago

The current Google Chrome version doesn't store them in plain text, but the encryption key is easily derived from the device anyway. There is no way to securely encrypt the passwords in Firefox or Chrome from someone who has physical access to the device already. Can you restrict physical access to the device?

TheKourosh commented 1 year ago

Yes, devices are restricted physically, but still, if a user downloads a wrong file from an email attachment or whatever, a hacker could easily steal the password, and this is very dangerous. Setting a master password for FoxyProxy that encrypts its data, which the user must enter every time he opens the browser to be able to use FoxyProxy: isn't that something that you can develop for this extension?

ericjung commented 1 year ago

> a user downloads a wrong file from an email attachment or whatever, a hacker could easily steal the password, and this is very dangerous.

Can you please explain this attack vector in more detail? I do not understand how email relates to the FoxyProxy extension.

> Setting a master password for FoxyProxy that encrypts its data, which the user must enter every time he opens the browser to be able to use FoxyProxy: isn't that something that you can develop for this extension?

Yes, it is technically possible. It will also greatly inconvenience everyone else who uses FoxyProxy and does not want this.

TheKourosh commented 1 year ago

No, sorry, FoxyProxy has nothing to do with email. I just meant that a malicious email attachment that a user downloads could steal the password.

I think if all FoxyProxy users knew that their passwords are stored in plain text and how dangerous it could be, they wouldn't bother.

If you don't have any suggestion for us, it seems that the only solution is to disable LDAP authentication in the proxy server and use unique non-LDAP passwords.

Thanks a lot for quick replies and sorry for my bad English.
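
The master-password idea discussed in this thread, as an added example that is not FoxyProxy code and not from either participant: a WebCrypto sketch that derives an AES-GCM key from a master password with PBKDF2 and persists only salt, IV and ciphertext. The function names, the iteration count and the record layout are assumptions made for illustration.

```javascript
// Added example, not FoxyProxy code. All names and parameters are assumptions.
// WebCrypto is a global in browsers and extensions; the fallback covers older Node.
const wc = globalThis.crypto ?? require('node:crypto').webcrypto;
const enc = new TextEncoder();
const dec = new TextDecoder();
const PBKDF2_ITERATIONS = 600000; // assumed work factor; tune for the target hardware

// Stretch the master password into a non-extractable 256-bit AES-GCM key.
async function deriveKey(masterPassword, salt) {
  const material = await wc.subtle.importKey(
    'raw', enc.encode(masterPassword), 'PBKDF2', false, ['deriveKey']);
  return wc.subtle.deriveKey(
    { name: 'PBKDF2', hash: 'SHA-256', salt, iterations: PBKDF2_ITERATIONS },
    material, { name: 'AES-GCM', length: 256 }, false, ['encrypt', 'decrypt']);
}

// Build the record that would be written to storage: no plaintext and no key,
// only a fresh random salt and IV plus the ciphertext, as JSON-friendly arrays.
async function sealCredential(masterPassword, proxyPassword) {
  const salt = wc.getRandomValues(new Uint8Array(16));
  const iv = wc.getRandomValues(new Uint8Array(12));
  const key = await deriveKey(masterPassword, salt);
  const ct = await wc.subtle.encrypt(
    { name: 'AES-GCM', iv }, key, enc.encode(proxyPassword));
  return { v: 1, salt: [...salt], iv: [...iv], ct: [...new Uint8Array(ct)] };
}

// Resolve to the plaintext, or to null when the master password is wrong or
// the stored record was modified (the GCM authentication tag check fails).
async function openCredential(masterPassword, record) {
  try {
    const key = await deriveKey(masterPassword, new Uint8Array(record.salt));
    const pt = await wc.subtle.decrypt(
      { name: 'AES-GCM', iv: new Uint8Array(record.iv) },
      key, new Uint8Array(record.ct));
    return dec.decode(pt);
  } catch {
    return null;
  }
}
```

This protects the record at rest only: after the user unlocks it, the derived key and the decrypted password are held in the browser process's memory.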