Yellow Flag @WPalant@infosec.exchange

Ok, so far it seems that the technical changes in Firefox are limited to a consent page. If you disagree the extension won't do anything and suggest that you uninstall. If you agree the same data is transmitted as before (minus page title).

Somehow my quick and dirty tool to make minified JS code readable turned into a pretty versatile pattern matching framework. At this point it can undo quite a bit of readability damage already, and adding new patterns is fairly easy.

https://github.com/palant/js-analysis/

Sometimes I almost regret not collecting IP addresses of blog commenters, this comment was likely sent from Avast headquarters. Seems to be the kind of logic a company would use to justify going behind users' back. They are fighting for data freedom!

https://palant.de/2019/12/03/mozilla-removes-avast-extensions-from-their-add-on-store-what-will-google-do/#c000009

I realize that clocks are ticking differently for embedded devices, which is why Windows XP installs are still common. However, this view on a German ICE train screen is still special. Judging by the visuals, this is Windows 3.1, released 1992. Take that, software updates!

This is either a huge "hack me please" sign in this browser extension's manifest or the extension is actually a backdoor. In case you are wondering: no, I don't think that the extension is using any of these permissions.

Me: Nice, a browser extension listing script-src: 'unsafe-eval' in its CSP. They disabled all protections, there might be fancy vulnerabilities inside.

Them: Actually, we only need it for this code:

Finally brought out an update for PfP: Pain-free Passwords. Now I get to use the new access keys feature in my production profile.

#Google just took down #PfP without any advance warning. My offense: I didn't publish a privacy policy, this extension not collecting any data whatsoever. The joke: unlike Mozilla Add-ons, Chrome Web Store does not have a field for the privacy policy!

Any hints on how to report McAfee security vulnerabilities? I tried the official process documented under https://www.mcafee.com/enterprise/en-us/threat-center/product-security-bulletins.html but my mail to security_report@mcafee.com didn't trigger the automated response. And security@mcafee.com bounces.

There is a redirect set up for security.txt on http://mcafee.com domain but it points to a non-existent file of course...

In case anybody considered Amazon Echo an exception: no, Google Assistant sends audio recording to the "cloud" and now we know for sure that Google employees can listen in: https://twitter.com/mikko/status/1149025136173113344. Big surprise.

If you ask me...

After some iterating, things look somewhat better now, in particular less cluttered - access keys are indicated by underlining the letter wherever possible. This is how the same screen looks now when pressing the Alt key.

Implemented access keys in #PfP, pressing Alt will show you all of them. Access keys have always been a major #l10n pain, so this time I decided to choose them automatically - seems to work reasonably well. Only few UI elements will change their access key depending on context.

Actually, combining Unicode property escapes with the heuristic above as fallback is easy enough. So in current Chrome my isLetter() function will use the more correct approach while in Firefox it will be the simple but not quite correct fallback code.

I think that I'll use the function below - a letter is something that is modified by toUpperCase() or toLowerCase(). This excludes some more exotic letter variants, and it just won't work on scripts like Hebrew or Arabic, but it should do for my use case for now.

And PfP options are part of the pop-up now. You can still get to them the way your browser lets you configure extensions. But quite frankly, how many people managed to find them there?

Selecting a site got its own tab now, so it's visually different from choosing an alias for a site and should no longer confuse anybody.

The visible change: sync should now work with any server supporting remoteStorage protocol (https://remotestorage.io/). The bigger but rather hidden change: sync protocol requires even less trust in the storage provider now, no tampering with the data should succeed.

A big one: no more "Easy Passwords 1.x compatible password" here, weaker password generation is gone for good. If you still had any legacy passwords these will be converted to stored passwords now, same happens when importing backups with legacy passwords.

Previous screenshot shows a minor improvement: website name is a link now. Here is one more: you can copy the user name from the password menu. Oh, and you can navigate both the password list and the password menu with arrow keys: https://pfp.works/documentation/keyboard-navigation/

I finally released #PfP: Pain-free Passwords 2.2.0! Get it here: https://pfp.works/

This is a major one, lots improvements here. The most noticeable one is the user interface, the tab strip on the left should make it much easier to navigate.