[Project_owners] Creating applications with Mozilla

Michael Vincent mv_van_rantwijk at yahoo.com
Tue Aug 23 01:17:30 EDT 2005


Eric Jung wrote:
> --- Jamie Bliss <astronouth7303 at gmail.com> wrote:
> 
>> On 8/22/05, Eric Jung <grimholtz at yahoo.com> wrote:
>>> I don't understand... why does splice() help?
>> I'm pretty sure that strings in JS are immutable. So you can't
>> actually delete them w/o some C interfacing (I think).
>>
>> Personally, I would add a disclaimer: "The passwords generated by
>> PasswordMaker are not secured in memory. If you want hyper-secure
>> passwords, use another utility." (I note that if you don't have any
>> spyware or whatnot looking for passwords in memory, then you're
>> ok.)

What on earth do you need a 'hyper-secure' password for? I mean, most data, 
even passwords, is sent in plain text anyway. Most sites, even banks, 
don't even use SSL for all their pages!

> That's tempting, but it goes against my goal: the extension should be
> trusted and trustworthy. With that in mind, I don't mind pursuing an
> XPCOM component in C/C++ which allocates and deallocates strings.
> Before deallocation, it can overwrite the string's memory contents
> with random data.

The problem is not the allocated bits for the already scrambled password 
but the input fields you are using. Just check the length of them and 
clear it with random data if you like, but most of it is rubbish anyway.

Michael
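
An added illustration, not part of the original message or of PasswordMaker's code: the overwrite-before-deallocation idea quoted above from Eric Jung, sketched in C. It writes zeros rather than random data, and `secret_buf` and the `secret_*` functions are hypothetical names.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical helper type: a heap buffer holding a secret. */
typedef struct { unsigned char *data; size_t len; } secret_buf;

/* Store through a volatile pointer so the writes are not optimised
 * away as dead stores just because free() follows them. */
void secret_wipe(void *p, size_t n)
{
    volatile unsigned char *vp = (volatile unsigned char *)p;
    while (n--)
        *vp++ = 0;
}

/* Copy a secret into fresh heap memory; returns 0 on success. */
int secret_init(secret_buf *s, const char *src)
{
    s->len = strlen(src);
    s->data = malloc(s->len + 1);
    if (s->data == NULL) { s->len = 0; return -1; }
    memcpy(s->data, src, s->len + 1);
    return 0;
}

/* Number of bytes still non-zero; 0 means fully wiped. */
size_t secret_residue(const secret_buf *s)
{
    size_t i, left = 0;
    for (i = 0; s->data != NULL && i < s->len; i++)
        left += (s->data[i] != 0);
    return left;
}

/* Wipe, then release. Copies held elsewhere (the caller's source
 * string, UI input fields) are not covered by this. */
void secret_free(secret_buf *s)
{
    if (s->data != NULL) { secret_wipe(s->data, s->len + 1); free(s->data); }
    s->data = NULL;
    s->len = 0;
}

int main(void)
{
    secret_buf s;
    if (secret_init(&s, "constructed-pw") != 0) return 1; /* constructed sample */
    secret_wipe(s.data, s.len + 1);
    printf("non-zero bytes after wipe: %zu\n", secret_residue(&s));
    secret_free(&s);
    return 0;
}
```

A plain `memset()` immediately before `free()` is a common candidate for dead-store elimination; where the platform provides `explicit_bzero()` or `memset_s()`, those serve the same purpose as `secret_wipe()`.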


