The first beta version of the Lockfox Firefox extension has been posted to addons.mozilla.org! I developed this with Rohit Chaudhri as our class project for Yoshi Kohno‘s graduate course in computer security at the University of Washington. I’ll use this blog to talk about the development of Lockfox and interact with its (eventual) users. Right now it’s just an experimental addon (so it’s kinda hard to find) but hopefully it will soon pass AMO’s code review and be listed as a trusted, public addon!
How Lockfox works
Lockfox works in a manner similar to the SSH known_hosts database, but instead of remembering an association between public keys and domain names, Lockfox remembers an association between a password submitted on a web form and the domain to which that password was submitted. For added privacy, Lockfox stores only the SHA1 hash of the password, not the password itself. Lockfox monitors all password submissions and checks on each submission if a remembered (hashed) password is being submitted to a new, unknown domain. Lockfox prompts the user with a dialog to ensure that the user wants to submit their password to a new domain. If the user authorizes the submission, Lockfox forges a new trusted association between the password and the new domain. Otherwise, Lockfox redirects the user to the old, trusted domain.
For additional security, Lockfox also remembers any SSL certificate information available for the site to which a password is submitted. If this certificate information changes unexpectedly for some password submission, Lockfox requires the user to authorize the submission. The intuition here is exactly the same as that behind SSH’s known_hosts database: an unexpectedly changed SSL certificate likely indicates a man-in-the-middle attack.
Why Lockfox (hopefully) works
The intuition behind Lockfox is that a password is generally used only with a very limited set of domains – if a password gets sent to a different domain, it is likely that a phishing attack is taking place. Lockfox has a number of advantages compared to existing anti-phishing techniques:
- Lockfox works entirely locally, building up a custom set of associations for each user without any global coordination or public key infrastructure. There’s no blacklist to be broadcast or constantly updated.
- By remembering a set of trusted associations between passwords and web sites, Lockfox builds up a custom set of associations for each user. This is, in a sense, a per-user whitelist: it has the advantages of a whitelist (shorter to specify, default action is to be secure) but without the disadvantage of maintaining a whitelist that works for all users.
- Lockfox is able to detect and prevent phishing attacks at exactly the moment that they occur, which will hopefully result in an effective form of user education about how to detect and avoid phishing sites.
To be fair, there are some disadvantages to Lockfox’s approach, too:
- If a user recycles a password between multiple sites, the user will receive a Lockfox warning for each new site. This may annoy the user enough to make them disable Lockfox altogether. To try to ameliorate this, Lockfox can optionally, at installation time, import passwords (and their corresponding web sites) that are remembered by Firefox as “trusted”. So if you’ve built up a large set of remembered passwords with Firefox, Lockfox can automatically trust those sites that you, implicitly, already trust.
- Lockfox works only for passwords, and not for other information a user may want protected, such as credit card numbers, social security numbers, etc.
Ultimately, Lockfox is just one more tool for keeping people safe online. It will work best when combined with existing anti-phishing techniques (such as those already built-in to Firefox).
Are you using Lockfox? Thanks for your bravery, and please post any feedback in the comments!
Linux is for Lovers 
When Lockfox brings up the firstrun pop-up (“Thanks for Installing Lockfox”), I the “Yes, Allow Lockfox Access” button does not work.
The “No” button works fine but the “Yes” button does not work.
(I reset it in about:config so I could try is again after clicking “No”.)
Got any ideas on how I can make it work?
I asked about this a few days ago: I cannot let Lockfox access my passwords.
When lockfox runs the first time, it asks if it is allowed to access my passwords. If I click the YES bar, nothign happens. Clicking no makes the firstrun screen go away.
Any ideas?
Hi John,
That’s almost certainly a bug. What version of Firefox are you using, and on what operating system?
joe
When lockfox runs the first time, it asks if it is allowed to access my passwords. If I click the YES bar, nothign happens. Clicking no makes the firstrun screen go away.
w7 x64
ffox ver 3.0.11
Hey guys! Great job making lockfox. Is it open source by any chance? Where can i get the source code?
Hi Rahul,
Yes, Lockfox is open source: it’s all written in Javascript, and licensed under the GPLv3. A few ways to peek at the code:
1. Create yourself an account on addons.mozilla.org, and then you can browse the code online via a “view the source” link at the bottom of the lockfox addon page (the link only appears when you’re logged in).
2. You can also download everything to your computer: https://addons.mozilla.org/en-US/firefox/downloads/file/49721/lockfox-0.2-fx.xpi?confirmed. .xpi files are really just .zip archives, but you might have to rename the file to be able to view/extract it.