mozilla :: #security

13 Jul 2017
00:00Peng_If you encrypt 31 bytes, there's 1 byte of padding. If you encrypt 32 bytes, there are 16 bytes of padding.
00:00Peng_I hope you're using some secure encryption scheme with a MAC.
00:56herschePeng_: thank you for the answer
00:57herschewith what sign does it basically do the padding?
00:57Peng_What do you mean?
00:58herschefor example and testing only, we have 31 times a 1 as input text
00:58herschewhat will the 32. byte be?
00:59Peng_In WebCrypto? I don't know. I'd guess it's probably 0x80 or 0x01.
00:59herschei assumed a 0 or \0 maybe
00:59herscheok, that's an idea, thanks :)
00:59herschei need to have it the same way on a uC
09:03phlixi_ohi
09:05phlixi_oi am looking for documentation on how the "save password" stuff works, my search results are cluttered with stuff what users can try when passwords are not saved, but i am looking for documentation on that, in order to design my logins to work for my users
09:06freddybphlixi_o: I'm not sure what your question is, really.
09:07phlixi_ohi freddyb, i am looking for documentation on how the save password stuff works.
09:07freddybphlixi_o: what is your concern? you don't have to design for a password manager. they just work with common login forms (<form><input type="text"><input type="password"></form> kinda things)
09:07phlixi_owhen will firefox save a password and when not
09:07phlixi_oif it was that easy, i would not look for documentation
09:07freddybit will always offer to save it, when it sees a login form. _how_ it detects login forms is not really documented, but I suppose the source code is sort-of readable
09:07freddybdoes it mean you currently have a form that is not detected?
09:08phlixi_opasword is not autioo filled
09:08phlixi_ooops
09:08phlixi_opasswords are not autofilled into the password field
09:10phlixi_owe do not want a username field, but since we need one (different logins on the same domain) we create one load with js into a username field and hide it
09:10freddybhttp://searchfox.org/mozilla-central/source/toolkit/components/passwordmgr/LoginManagerContent.jsm#670
09:10freddybit's even implemented in JS
09:11phlixi_oso, there is no actual documentation, best practises, or similar
09:12phlixi_oidk, maybe some standard that firefox tries to follow
09:13freddybsorry that it does not work for your case, but for all login forms I ever developed, it just worked
09:14phlixi_oi worked for years
09:14phlixi_oit worked for years
09:14freddybso it just stopped working?
09:14phlixi_ojust some years back we had to add the hack with the hidden pseudo username for each page
09:15phlixi_onow recently users start to complain again "it does not save passwords"
09:15phlixi_o...which probably does not mean it does not save the passwords, but does not autopopulate it
09:15freddybhm, maybe we _did_ change something recently? I don't work on the password manager, so I'm not sure.
09:15phlixi_oi have no doubt something changed
09:16phlixi_othat's the reason i was looking for documentation, to "make it right"
09:16phlixi_o:)
09:16phlixi_o...instead of trying to find a hack
09:16freddybhm. :/
09:17freddybmaybe johannh knows?
09:17freddybif not, I suppose you'll have to watch what other websites do. I'd assume that "normal" forms still work
09:18freddybhere's documentation for firefox extension developers on how our password manager works. this has an example form. https://developer.mozilla.org/en-US/Add-ons/SDK/High-Level_APIs/passwords#HTML_Form_Credential
09:26johannhuhm
09:28johannhnah, unfortunately I don't know off-hand, and I'm not actively doing pwdmgr anymore. nobody is really working on it right now
09:28phlixi_owell, thanks for looking into it anyways
09:28johannhyou can file a bug in the Password Manager::Site Compatibility section in Bugzilla
09:29phlixi_oappreciated :-)
09:29johannhbut as I mentioned, not a lot of activity, it's a bit understaffed atm
09:29phlixi_owell, it's my own niche use case where there is no username, and multiple passwords for one actual user all on the same domain
09:29freddybah, there's a site compatibility bucket. I did not know that.
09:30johannhmultiple passwords? I wouldn't think we ever supported that
09:30johannhoh ok I think I misunderstood
09:30phlixi_olike, example.com/projecta is a site with an input type password and submit and nothing else, and example.com/projectb is the same but different password
09:31freddybI think our scoping is more granular than domain
09:31phlixi_oexactly
09:32johannhyeah, as I said, that should work. If there's really a bug here it would be useful to get a reduced example, e.g. on jsfiddle
09:32phlixi_othis worked, by adding a username input, prefill it via js with "example-com-projecta" and "example-com-projecta"
09:32phlixi_othis worked, by adding a username input, prefill it via js with "example-com-projecta" and "example-com-projectb"
09:32phlixi_osorry
09:32phlixi_o...and then hide the input
09:33johannhit should be able to just save the password, though
09:33phlixi_oi would have had imagined it's not a bug, but a "feature" to not fill passwords if the username is hidden or similar
09:34johannhdid you try removing the username field?
09:34phlixi_othen this will not work any longer, due to different passwords for same domain
09:35johannhour passwords are saved by origin, but you can have multiple passwords for the same origin
09:36johannhhmm, or maybe not. I see your point.
09:39phlixi_oi see lots of log() in http://searchfox.org/mozilla-central/source/toolkit/components/passwordmgr/LoginManagerContent.jsm
09:40phlixi_owhere can i see those?
09:40phlixi_oi guess in some sort of console
09:47freddybfor http://searchfox.org/mozilla-central/source/toolkit/components/passwordmgr/LoginManagerContent.jsm#36
09:48freddybthis basically declares a parameter you can set in an environment variable to enable logging
09:49freddybMOZ_LOG="LoginManagerContent:5;LoginManagerParent:5" I think
09:49freddybdoesn't work for e10s content processes, really according to https://developer.mozilla.org/en-US/docs/Mozilla/Developer_guide/Gecko_Logging#E10S_Note :)
09:52phlixi_oand then stuff goes into devtools console?
09:53freddybno. stderr.
09:53freddybyour terminal.
09:53freddybit's not really for web developers. more for firefox developers
09:54phlixi_o;(
09:58johannhphlixi_o: set signon.debug to true in about:config
09:58johannhthen you can see the output in the browser console
09:58freddyboh!
09:58johannhhttps://developer.mozilla.org/en-US/docs/Tools/Browser_Toolbox
09:59johannhthese logs would probably help
09:59phlixi_oah, that's nice, i was just about wondering why there is nothing in the console (not the browser console)
10:01freddybjohannh++
10:01johannh(might have to restart the browser, not sure)
10:02phlixi_oit's pumping stuff into console now :-)
10:57Caspy7"Amazon may give app developers access to Alexa audio recordings" https://www.theverge.com/2017/7/12/15960596/amazon-alexa-echo-speaker-audio-recordings-developers-data
10:58Caspy7beautiful
11:01phlixi_othanks johannh and freddyb the login works now, thats a first step into a new implementation of the login stuff on our side... by the way, that: [2017-07-13 11:49:31] <freddyb> MOZ_LOG="LoginManagerContent:5;LoginManagerParent:5" I think
11:01phlixi_o...is not needed
11:01johannhyeah that's not needed :)
11:01johannhgreat to hear!
11:01johannhwhat was the issue?
11:01phlixi_osimply starting firefox with -console and signon.debug in about:config is all
11:02phlixi_ojohannh not sure yet, i can not work on it now, thus i am happy i have logging working :-)
11:02phlixi_oi am confident with login and this: http://searchfox.org/mozilla-central/source/toolkit/components/passwordmgr/LoginManagerContent.jsm#1006
11:02phlixi_owe can make it work
11:02phlixi_owith logging*
11:02johannhcool
11:03* johannh lunch
11:03phlixi_oso thanks for helping with the logging and the source
14:26jibCould someone add me to bug 1380610?
14:26firebotBug https://bugzil.la/1380610 is not accessible
16:08dveditzjib: done
16:09jibdveditz: Thanks!
14 Jul 2017
No messages
   