<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<div class="moz-cite-prefix">
(oops, sorry, I forgot to send to the list).<br>
<br>
<div class="im">On 7/11/14 3:48 PM, Anthony Ricaud wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">
It’s so convenient to me that even in the middle of a
transaction in Firefox, if my credit card is not at arm’s
length, I will restart the whole transaction process in
Safari. (yup, I’m that lazy)<br>
</blockquote>
</div>
<div class="im">
On 7/11/14 4:10 PM, Javaun Moradi wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">
I think it's a great feature and Safari has done an excellent
job. It's a common use case and this goes a long way to remove
the friction of checkout across sites.<br>
<br>
</blockquote>
</div>
Just my 0.000001 cent. Correct me if needed.<br>
<br>
The first thing I ask myself when I saw the title is how often do
I make a purchase. Is 10 seconds saving really that much to me as
a user, and to developers?<br>
<br>
Before I make a purchase, I actually double check my balance (or my
credit card usage). Of course it is not Firefox dev's concern to
say "oh we want people to feel safer about their finance so let's
not implement this." But you see, this feature may at most save me
10 seconds as I continue to be financially responsible. And if I
can't find my wallet? If I don't remember the secret code for the
card I need to use (some people have multiple cards, even though I
only have one).<br>
<br>
I use PayPal and link PayPal to my debit card which links to my
bank account. So when I use PayPal I am also being lazy. I am
letting a third party control my card information. That's
dangerous if you are completely paranoid about security. I am
half. I trust PayPal and it's convenient.<br>
<br>
Now look at "remember my password". I can think of two reasons why
that's a useful feature for anyone. We log in a lot and we may
have a crazy long password (sometimes it's a user's choice,
sometimes it's policy).<br>
<br>
Compare this auto-fill to my experience installing apps on my iOS
phone...I am asked to enter my Apple ID login and once I am logged
in, I can make any purchase I want for some hours or days until
the session has expired. Before the session is out, anyone who
uses my device can actually make a purchase. But why does the mobile
device do that? Because there is a possibility that people tend to
download apps pretty often (plus the password policy is slightly
harder than your average-joe's password must be of length 6
chars). Furthermore, if someone gets a hold of my device and
either knows the passcode (a thief), or already passed the
passcode (maybe my little cousin is using my phone), there is no
security whatsoever if my Apple ID is still valid. Apple stops
there to protect me because the responsibility is now on me, the
user.<br>
<br>
I don't think most users actually make a purchase every day and even
if they do, guess what, a lot of sites actually implement their
own "save my card" feature.<br>
<br>
Beyond just "being lazy", what security benefit does this offer to
users? How do we let users know that instead of saving their
credit card information in some sites (even if they can trust <a
href="http://xyz.com" target="_blank">xyz.com</a>) they can rely
on their personal browser to do a better job remembering the card
number? (I actually don't know if all sites ask me to give them
the secret code too... I am also inexperienced in this field...).
More research on this?<br>
<br>
Now if we are going to bring this feature to Firefox, I suggest
that in order to use the auto-fill, we enforce a
password/passphrase unlock policy every time the auto-fill is
requested (plus no user JavaScript can do that, a human mouse click
must do the job). I think (please correct me), there is/was a bug
concerning not allowing some form inputs to be auto-filled via
JavaScript (like having an invisible form behind the scene).<br>
<br>
On 7/11/14 4:24 PM, Javaun Moradi wrote:<br>
</div>
<blockquote
cite="mid:5769742.867.1405110241055.JavaMail.mozilla@Javauns-MacBook-Pro-2.local"
type="cite">
<div>I mostly agree, I was speaking solely to the Safari
implementation. I think the decision to support cards is a
decent commitment and should be approached thoughtfully.<br>
<br>
<div><span name="x"></span>Javaun Moradi | <a class="moz-txt-link-abbreviated" href="mailto:jmoradi@mozilla.com">jmoradi@mozilla.com</a> |
IRC: javaun | @javaun<br>
<span name="x"></span><br>
</div>
<br>
<hr id="zwchr">
<div><b>From: </b>"Valentin Gosu"
<a class="moz-txt-link-rfc2396E" href="mailto:valentin.gosu@gmail.com">&lt;valentin.gosu@gmail.com&gt;</a><br>
<b>To: </b>"Javaun Moradi" <a class="moz-txt-link-rfc2396E" href="mailto:jmoradi@mozilla.com">&lt;jmoradi@mozilla.com&gt;</a><br>
<b>Cc: </b>"Mike Hoye" <a class="moz-txt-link-rfc2396E" href="mailto:mhoye@mozilla.com">&lt;mhoye@mozilla.com&gt;</a>,
<a class="moz-txt-link-rfc2396E" href="mailto:mobile-firefox-dev@mozilla.org">"mobile-firefox-dev@mozilla.org"</a>
<a class="moz-txt-link-rfc2396E" href="mailto:firefox-dev@mozilla.org">&lt;firefox-dev@mozilla.org&gt;</a><br>
<b>Sent: </b>Friday, July 11, 2014 4:19:05 PM<br>
<b>Subject: </b>Re: Credit card auto-completion<br>
<br>
<div dir="ltr">
<div>The LastPass addon has a similar feature for storing
credit card numbers (password protection optional), and
I'm pretty sure KeePass has the same feature.<br>
</div>
However, I think keeping CC numbers in Firefox's
autocomplete is not a great idea, and could be subject to
abuse, unless we decide to implement a
password/form-management feature that competes with LastPass
or KeePass.<br>
</div>
<div class="gmail_extra"><br>
<br>
<div class="gmail_quote">On 11 July 2014 23:10, Javaun
Moradi <span dir="ltr">&lt;<a moz-do-not-send="true"
href="mailto:jmoradi@mozilla.com" target="_blank">jmoradi@mozilla.com</a>&gt;</span>
wrote:<br>
<blockquote class="gmail_quote">
<div>
<div>I think it's a great feature and Safari has done
an excellent job. It's a common use case and this
goes a long way to remove the friction of checkout
across sites. <br>
<br>
I don't think they require a session password to use
a stored card, but arguably they could. Even
without, my device/laptop is always at least as
secure as my wallet, more so if it's screenlocked.
By contrast, my wallet has no password on it. A
thief who gets my physical card could use it online
and offline. <br>
<br>
<br>
<br>
<div><span></span>Javaun Moradi | <a
moz-do-not-send="true"
href="mailto:jmoradi@mozilla.com"
target="_blank">jmoradi@mozilla.com</a> | IRC:
javaun | @javaun<br>
<span></span><br>
</div>
<br>
<hr>
<div>
<b>From: </b>"Mike Hoye" &lt;<a
moz-do-not-send="true"
href="mailto:mhoye@mozilla.com" target="_blank">mhoye@mozilla.com</a>&gt;<br>
<b>To: </b><a moz-do-not-send="true"
href="mailto:firefox-dev@mozilla.org"
target="_blank">firefox-dev@mozilla.org</a><br>
<b>Sent: </b>Friday, July 11, 2014 4:04:15 PM<br>
<b>Subject: </b>Re: Credit card auto-completion
<div>
<div class="h5"><br>
<br>
On 2014-07-11 4:02 PM, Rob Campbell wrote:<br>
> I actually find that particular one a
little creepy. Like, it has my credit card
stored somewhere? If someone gets access to my
screen, they only need to go to a payment
screen somewhere and it'll put in my info?<br>
I bet if you dig into your form autocomplete
stuff, you'll find that <br>
number is already in there somewhere.<br>
<br>
That's certainly surprised me in the past.<br>
<br>
- mhoye<br>
_______________________________________________<br>
firefox-dev mailing list<br>
<a moz-do-not-send="true"
href="mailto:firefox-dev@mozilla.org"
target="_blank">firefox-dev@mozilla.org</a><br>
<a moz-do-not-send="true"
href="https://mail.mozilla.org/listinfo/firefox-dev"
target="_blank">https://mail.mozilla.org/listinfo/firefox-dev</a><br>
</div>
</div>
</div>
<br>
</div>
</div>
<br>
</blockquote>
</div>
<br>
</div>
</div>
<br>
</div>
<br>
</blockquote>
<br>
</body>
</html>