- Mozilla Connect
- Discussions
- Re: Firefox stores cookies locally without encrypt...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Firefox stores cookies locally without encryption, is it ok?
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
03-24-2023 03:42 AM
Hello everyone,
I recently came across some disturbing news that Linus Tech Tips (LTT) was hacked via a malicious email attachment that stole session keys stored locally on the victim's browser. This made me concerned about the security of my own browser. Upon further investigation, I discovered that Firefox stores cookies in an unencrypted SQLite file on my computer.
I think Firefox should consider encrypting cookies to prevent similar hacks in the future. Is there a reason why Firefox doesn't encrypt cookies?
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
03-28-2023 02:49 AM
I am also interested in how the cookies can be protected, or an explanation why they cant really protected if that is the case.
It seems all the rage, to grab the cookies instead of getting passwords. Cookies seem to be the weakest link.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
03-28-2023 11:59 PM
I posted my thoughts on this over on Reddit the other day:
The cookies.sqlite database file is not encrypted, and its contents are not encrypted. In theory, the contents could be encrypted using a mechanism similar to the Primary Password used for logins saved in logins.json: you would provide the password once per session to allow Firefox to decrypt cookies coming out of the database and encrypt cookies going into the database. It sounds like it could be a drag on performance, and query whether this presumably low frequency attack justifies the precaution.
On the server side, if a cookie is suddenly presented from a different IP address, that ought to raise a red flag. In our era of mobility, I think web app designers don't want to inconvenience you by requiring you to sign in again when your IP address changes, but for highly sensitive apps, that probably would be a worthwhile setting.
https://www.reddit.com/r/firefox/comments/120t8bg/malware_which_steals_browser_info_session_tokens/
In the meantime, malware executing on your system outside of your targeted browsers can be blocked/defended in other ways. For more information on why the malware might not be detected by your antivirus, see: https://www.youtube.com/watch?v=nYdS3FIu3rI.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
03-31-2023 08:14 PM
Then, Firefox can implement a setting that also requires a master password to decrypt stored cookies at startup.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
04-03-2023 04:04 PM
@kennyfs wrote:Then, Firefox can implement a setting that also requires a master password to decrypt stored cookies at startup.
You can post product suggestions on the "Ideas" side of this site:
- Recommendations for password managers in Discussions
- currentSrc not working in Firefox Developer Edition dev tools in Discussions
- Here's my list of recommendations for the Firefo'x browser in Discussions
- Please add PGP encrypted email relay support in Discussions
- thunderbird import of messages from another local profile in Discussions
