"Firefox Add-on" suggested idea for preventing hacking of web accounts

(Chatmatchme) #1

Developers: “Firefox Add-on” for preventing hacking of web accounts

I have an idea for an add-on that will provide an additional new type of credential to be used when logging into an account on a website. This added credential will work towards preventing the hacking of web accounts.

I’m providing this idea and the details to your community of developers because I myself am not a developer. I’ve had a website created and in doing this I’ve begun to think more seriously about security issues. I’ve also previously had my email accounts and my WordPress account hacked. It frustrates me that someone who is not me using my computer can be allowed to enter into these accounts.

I hope that your community of developers will think about this idea and hopefully develop an add-on that can be implemented by Firefox and later by other browsers as well. This will give website developers another tool to use to prevent the hacking of their users’ accounts.

My idea is for an add-on (or even a permanent feature of the browser) that will be able to independently generate a permanent identifying serial number for that particular browser. This browser key, as I will call it, will become associated with that browser and will not store (or be associated with) any other information like IP address or details about the user’s private information. It will merely act like a license plate on a car. This serial number would be long, like 35 random characters, and would be supplied using encryption during a login.

Websites implementing the use of this browser key would request from the user his username and password, and from the browser the website would request this browser key. When signing up for a new user account this browser key would also be requested and supplied, and would become associated with the user’s other credentials. So whenever the user logs in, his username, password and browser key must ALL match. If they don’t, he cannot log in. Of course the user may want to be able to make this browser key optional, or he may have the option to disable it if he customarily uses many different browsers on an unpredictable number of devices and he is not concerned about security.

On the user’s profile page for his website account, the user should be able to add keys for the browsers that he uses at work, on his cell phone, on his different computers at home. Every browser, no matter what platform it uses, should generate a browser key and supply it during a login.

The user should be able to go into the browser options and find this key, copy the text and paste it into his profile Account Details in order to enable logins from other devices.

We have to find a way to prevent strangers from being able to log into an account that is ours. It’s true that anyone could in some way acquire your username and password or use brute force to identify your password; however, a browser key would be harder to acquire or to fake, since a browser would generate this key independently and the user cannot control what key the browser produces, plus any key is permanent for the browser.

This security method transfers control back to the programmers of the internet browsers and takes away control from users, some of whom are hackers. At this point something like this is necessary in order to take control of what has become a totally out-of-control situation that harms the privacy of one’s information and is a costly obstacle for those of us who offer accounts on our website to the public.

I think this is a good concept. I’m sure there are details that would need to be worked out, however I hope that developers will consider the potential for this concept.

Any developer who is really interested in this idea please message me. I will volunteer to do whatever I can do on my end to help with a project like this.

(David Teller) #2

For what it’s worth, this sounds a lot like https://en.wikipedia.org/wiki/Client_certificate . I’m pretty sure that browsers already implement this. However, it’s seldom used – if I recall correctly, that’s because obtaining a personal certificate is quite annoying.

On the other hand, maybe Let’s Encrypt could help with that.

(YFdyh000) #3

BrowserID is dead. The new trend may be U2F, the bug.

(David Teller) #4

U2F is also a good idea. However, one could also think of something as light as SSH public keys. They work nicely for developers; it shouldn’t be too hard to make them work on the web.