My last blog posting suggested not trusting a warning from Adobe about installing a new version of the Flash player because you can't know if the warning really came from Adobe.
This comes up often. Perhaps millions have been tricked into installing phony antivirus software based on a fraudulent popup warning that their computer was infected. The issue of trust even extends to Firefox passwords.
Having Firefox store website passwords is a great convenience but it comes with a risk: someone else using your computer has access to all your password protected sites.
To protect saved passwords, Firefox has a master password feature. The first time in a session that the browser needs a saved password, it prompts for the master password.
But, can you trust this prompt? How do you know that it really came from Firefox?
That's the question raised recently by a listener to Steve Gibson's Security Now podcast:
Gibson agreed that you can't trust that the prompt is legitimate and suggested that Mozilla offer the option to always prompt when the browser first starts up. That way, the timing flags that the request is legit.
I have a better solution.
Instead of using a normally installed copy of Firefox, Windows users can opt for the portable version available at portableapps.com.
Then, instead of using the master password feature, lock up the entire browser in a TrueCrypt container.
All the software is free and the protection is much better than anything Firefox offers on its own. It's a bit more of a hassle, but better security always is.
I've been doing this for years using a portable version of TrueCrypt (a.k.a. Traveler Disk).
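As an added example, not part of the original post, here is a PowerShell launcher that turns the setup described above into one step: it mounts the TrueCrypt container, runs Firefox Portable from inside it, and dismounts the volume once the browser closes. The file paths, the drive letter and the portableapps.com folder layout are assumptions; because the script passes no password to TrueCrypt, TrueCrypt's own dialog is the only password prompt you see, and it appears before any web page has loaded, which is exactly the timing signal Gibson asked for.

```powershell
# Launch Firefox Portable from inside a TrueCrypt container (added example).
# Assumed locations; adjust to your own Traveler Disk / container layout.
$TrueCrypt = 'D:\TrueCrypt\TrueCrypt.exe'   # assumed: Traveler Disk copy of TrueCrypt
$Container = 'D:\vault\firefox.tc'          # assumed: the encrypted container file
$Letter    = 'V'                            # assumed: drive letter to mount it on
$Firefox   = "${Letter}:\FirefoxPortable\FirefoxPortable.exe"  # portableapps.com layout

if (Test-Path "${Letter}:\") {
    Write-Error "Drive ${Letter}: is already in use; choose another letter."
    exit 1
}

# Mount the container. No /p switch is given, so TrueCrypt shows its own
# password dialog; /q makes it exit after mounting instead of staying open.
Start-Process -FilePath $TrueCrypt -ArgumentList "/v `"$Container`" /l $Letter /q" -Wait

if (-not (Test-Path $Firefox)) {
    Write-Error "Container not mounted or Firefox Portable not found at $Firefox"
    exit 1
}

try {
    # The PortableApps launcher stays running until Firefox exits,
    # so -Wait returns only when the browser has been closed.
    Start-Process -FilePath $Firefox -Wait
}
finally {
    # Always dismount, even if Firefox failed to start or was killed.
    # /w also wipes any password TrueCrypt cached in driver memory.
    Start-Process -FilePath $TrueCrypt -ArgumentList "/d $Letter /w /q" -Wait
    if (Test-Path "${Letter}:\") {
        Write-Warning "Drive ${Letter}: is still mounted; close open files and dismount manually."
    }
}
```

While the volume is dismounted, the saved passwords, cookies and history on the container are just ciphertext, so someone else at the keyboard gets nothing from Firefox even without a master password.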