Trust no one and how it applies to Firefox passwords

My last blog posting suggested not trusting a warning from Adobe about installing a new version of the Flash player because you can't know if the warning really came from Adobe.

This comes up often. Perhaps millions have been tricked into installing phony antivirus software based on a fraudulent popup warning that their computer was infected. The issue of trust even extends to Firefox passwords.

Having Firefox store website passwords is a great convenience but it comes with a risk: someone else using your computer has access to all your password protected sites.

To protect saved passwords, Firefox has a master password feature. The first time in a session that the browser needs a saved password, it prompts for the master password.

But, can you trust this prompt? How do you know that it really came from Firefox?

That's the question raised recently by a listener to Steve Gibson's Security Now podcast:

The way it behaves for me is that I'll just be browsing around across many tabs when all of a sudden the "Password Required: Please enter the master password for the Software Security Device" window pops up ... I've gotten used to quickly and automatically typing in the master password so I can get on with browsing the site. What worries me is that the master password window could pop up at any time, often for a tab I'm not even looking at, and it looks like any other JavaScript text input popup. How do I know Firefox made that popup window? Seems to me any website could easily phish for my master password. I just type it right in, and boom. I would feel a lot safer if Firefox only prompted me at startup, before any websites are loaded. 

Gibson agreed that you can't trust that the prompt is legitimate and suggested that Mozilla offer the option to always prompt when the browser first starts up. That way, the timing itself signals that the request is legitimate, since no website has loaded yet.

I have a better solution.

Instead of using a normally installed copy of Firefox, Windows users can opt for the portable version available at portableapps.com.

Then, instead of using the master password feature, lock up the entire browser in a TrueCrypt container.

All the software is free and the protection is much better than anything Firefox offers on its own. It's a bit more of a hassle, but better security always is.

I've been doing this for years using a portable version of TrueCrypt (a.k.a. Traveler Disk).
