The first beta version of the Lockfox Firefox extension has been posted to addons.mozilla.org! I developed this with Rohit Chaudhri as our class project for Yoshi Kohno’s graduate course in computer security at the University of Washington. I’ll use this blog to talk about the development of Lockfox and interact with its (eventual) users. Right now it’s just an experimental addon (so it’s kinda hard to find) but hopefully it will soon pass AMO’s code review and be listed as a trusted, public addon!
How Lockfox works
Lockfox works in a manner similar to the SSH known_hosts database, but instead of remembering an association between public keys and domain names, Lockfox remembers an association between a password submitted on a web form and the domain to which that password was submitted. For added privacy, Lockfox stores only the SHA1 hash of the password, not the password itself. Lockfox monitors all password submissions and checks, on each submission, whether a remembered (hashed) password is being sent to a new, unknown domain. If so, Lockfox prompts the user with a dialog to confirm that they really want to submit their password to the new domain. If the user authorizes the submission, Lockfox records a new trusted association between the password and the new domain. Otherwise, Lockfox redirects the user to the old, trusted domain.
For additional security, Lockfox also remembers any SSL certificate information available for the site to which a password is submitted. If this certificate information changes unexpectedly for some password submission, Lockfox requires the user to authorize the submission. The intuition here is exactly the same as that behind SSH’s known_hosts database: an unexpectedly changed SSL certificate likely indicates a man-in-the-middle attack.
Why Lockfox (hopefully) works
The intuition behind Lockfox is that a password is generally used only with a very limited set of domains – if a password gets sent to a different domain, it is likely that a phishing attack is taking place. Lockfox has a number of advantages compared to existing anti-phishing techniques:
- Lockfox works entirely locally, building up a custom set of associations for each user without any global coordination or public key infrastructure. There’s no blacklist to be broadcast or constantly updated.
- Because the trusted associations between passwords and web sites are built up separately for each user, they amount, in a sense, to a per-user whitelist: it has the advantages of a whitelist (shorter to specify, and the default action is the secure one) without the disadvantage of having to maintain a whitelist that works for all users.
- Lockfox is able to detect and prevent phishing attacks at exactly the moment that they occur, which will hopefully result in an effective form of user education about how to detect and avoid phishing sites.
To be fair, there are some disadvantages to Lockfox’s approach, too:
- If a user recycles a password between multiple sites, the user will receive a Lockfox warning for each new site. This may annoy the user enough to make them disable Lockfox altogether. To try to ameliorate this, Lockfox can optionally, at installation time, import passwords (and their corresponding web sites) that are remembered by Firefox as “trusted”. So if you’ve built up a large set of remembered passwords with Firefox, Lockfox can automatically trust those sites that you, implicitly, already trust.
- Lockfox works only for passwords, and not for other information a user may want protected, such as credit card numbers, social security numbers, etc.
Ultimately, Lockfox is just one more tool for keeping people safe online. It will work best when combined with existing anti-phishing techniques (such as those already built into Firefox).
Are you using Lockfox? Thanks for your bravery, and please post any feedback in the comments!