webextension vs. master password timeout

Peter Gervai grinapo at gmail.com
Tue Aug 1 20:58:00 UTC 2017

On Tue, Aug 1, 2017 at 9:36 PM, Kris Maglione <kmaglione at mozilla.com> wrote:
> On Tue, Aug 01, 2017 at 02:57:50PM +0200, grinapo+mozilladev at gmail.com
> wrote:
>> (Please refrain from telling me to use something else, unless you back
>> it up by real security-related facts, I mean those who insist MP is
>> insecure but fail to detail how, apart from their personal taste. The
>> question is about solving a problem, not avoiding it.)
> I won't tell you to use something else, but I will tell you that the master
> password feature in its current form is deprecated. A lot has been said
> about its security and UX issues (e.g., [1]), but that's a topic for
> elsewhere. There's a pretty strong consensus that the current implementation
> is a dead end, and we're not planning to do any further development work to
> support it. When and if we have a replacement planned, we'll be able to
> discuss the appropriate extension APIs to interact with it.
> [1]:
> https://groups.google.com/forum/#!msg/mozilla.dev.platform/BKa6rzcKvdo/U_OZLb1xjOsJ

Thank you. I am familiar with both the mentioned thread and the
referenced bug, and neither of them contains any fact-based problems,
and when people have specifically requested details about said
"security problems" the answer never seems to have happened. Last time
I checked, Firefox uses proper crypto, properly implemented, and all
claims to "crack it" usually resort to methods which safely recover
any strong master password in a few thousand years, provided Moore's
law holds but we don't get a working quantum chip. (In the latter case
it wouldn't matter anyway since all of the password managers are based
on similar traditional hard problems, and all of them basically use
the same way to do it, so when it happens they all end up in the
trashbin together.)

And as it's been said in the same thread and others: integrated
solutions are handling the solution far better than general-purpose
external tools.

I understand that you (and some people) state that it's deprecated and
there's a pretty strong consensus about it, and I would - again, as
others before me - kindly request the pointer to the official
statement (or any real facts or visible signs of that existing strong
consensus), since it seems to me the other way around, as there are
plenty of active trackers about its development (1359182, 1324919,
1357856, 1344788, etc). (If this was your personal opinion, it would be
nice to phrase it that way and avoid misleading conclusions being
formed. I am sure that if this had been the official Mozilla decision
it should be communicated clearly to many developers working on
solutions which have been decided by some body not to be used. I am
also quite sure lots of people would re-balance that said "strong
consensus" if they were aware that there's supposed to be one.
Obviously it can be forced down the throats of the devs and users, but
that's a different decision method altogether.)

Maybe you see why I suggested avoiding this topic.

