Deep bookmarks in the browser

In playing with a few Firefox extensions that display things like my cellular minutes used, I realized they were really performing a limited part of something that could be really useful -- deep bookmarks which can go past login screens and other forms to go directly to a web page.

So many web sites won't let you bookmark a page that you must log in to see, and they time out your login session after a short time. The browser will remember my password for the login screen, but it won't log me in and go to the page I want. Likewise, pages only available through a POST form can't be bookmarked.

A deep bookmark would be made by going to a page, then using the BACK tool to go back to the entry page before it, which may be more than simply the previous page. You would then ask for a deep bookmark, and it would record the entire path from entry/login page to most forward page, including items posted to forms. Passwords would be recorded in the protected password database of course.

This would work in many cases, but not always. Some deep URLs include a session ID, and that must explicitly not be recorded as the target, as the session will have expired. In a few cases the user might have to identify the session key but many are obvious. And of course in some cases the forms may change from time to time and thus not be recordable. Handling them would require a complex UI but I think they are rare.

This would allow quick bookmarks to check balances, send PayPal money and more. There is some risk to this, but in truth you've already taken the risk with the passwords stored in the password database, and of course these bookmarks would not work unless you have entered the master decryption password for the password database some time recently.
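As an added illustration (not code from the post), here is one way the recording step described above could separate what may live in the open bookmark file from what belongs in the password vault: passwords are replaced by vault references, and session-ID parameters, whether recognised automatically or named by the user, are never recorded. The field names, parameter names and the navigation trace are constructed assumptions.

```python
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Tuple
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Assumed form-field names treated as passwords: their values go to the
# protected password vault and the bookmark keeps only a reference to them.
PASSWORD_FIELDS = {"password", "passwd", "pin"}
# Assumed parameter names that are "obvious" session IDs; the caller can add
# more for sites where the key is not obvious (the post's manual case).
SESSION_KEYS = {"sessionid", "jsessionid", "phpsessid", "sid"}

@dataclass
class Step:
    method: str                                    # "GET" or "POST"
    url: str                                       # session parameters removed
    fields: Dict[str, str] = field(default_factory=dict)  # form data to replay

def strip_session_params(url: str, session_keys: Iterable[str]) -> str:
    """Return url without query parameters that carry a session token."""
    parts = urlsplit(url)
    drop = {k.lower() for k in session_keys}
    kept = [(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True)
            if k.lower() not in drop]
    return urlunsplit((parts.scheme, parts.netloc, parts.path, urlencode(kept), ""))

def record_deep_bookmark(trace, extra_session_keys=()):
    """Turn a navigation trace of (method, url, form_fields) into (steps, vault).

    steps is what the open bookmark file may hold; vault maps
    (host, field) -> secret and belongs in the encrypted password store.
    """
    session_keys = SESSION_KEYS | {k.lower() for k in extra_session_keys}
    steps: List[Step] = []
    vault: Dict[Tuple[str, str], str] = {}
    for method, url, form in trace:
        host = urlsplit(url).netloc
        safe_fields = {}
        for name, value in form.items():
            if name.lower() in session_keys:
                continue                            # hidden session field: never persist
            if name.lower() in PASSWORD_FIELDS:
                vault[(host, name)] = value         # the secret goes to the vault
                safe_fields[name] = f"vault:{name}" # the bookmark keeps a reference
            else:
                safe_fields[name] = value
        steps.append(Step(method, strip_session_params(url, session_keys), safe_fields))
    return steps, vault

def bookmark_leaks(steps, secrets) -> bool:
    """True if any secret value survives anywhere in the recorded steps."""
    blob = " ".join(s.url + " " + " ".join(s.fields.values()) for s in steps)
    return any(secret in blob for secret in secrets)
```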

Comments

The problem is that right now most secure sites have only one level of security. Once you've logged in to your bank account to see the balance, you can also transfer money to Nigeria. So if there's any problem with security on your home PC, all sorts of exciting stuff could leak out. That would become more likely once it became common for people's bookmark file to contain their bank account information. So you'd probably want a strong password as well as good security... and people are very bad at strong passwords (I have two, and change them as rarely as possible, using them to secure other passwords as needed. Even my geek friends comment when I use them, as 20 letters just seems excessive for a password to most people).

No, as I hoped I had explained, your passwords would not be stored with the bookmark. The major browsers already have a password storage system which is encrypted, and many people have it auto-fill passwords for most sites. (For me, it doesn't auto fill the bank, but it does many other sites.)

The deep bookmark would remember other form data, but passwords would be remembered by the password vault. Actually, I suppose everything could be remembered by the vault if you like.

Again, no that's not how it works. Today in the browser (at least the one named similarly to you :-) the password manager stores and pre-fills the passwords. So if I want to go to my account balance page, I go to the login page (via normal bookmark), and it fills in the password for me, and I click login. Then I get to navigation, where I can go to the page I want to see.

In some cases I can get halfway there because the site is smart, and if you bookmark a page, it takes you to login, and after you login automatically takes you to the page you were trying to get to.

A deep bookmark would just automate that process, it would not reduce security. In either case, it's as secure as your password manager.

So you're saying that there are actually two files stored by the browser? One of them is completely secure and uncrackable, and the other is the bookmark file that contains everything except the site passwords? This secure file naturally requires that you type in a 20-odd random character password to start your browser? And exists independently of the operating system and whatever spyware is installed on your computer?

Not being a Mozilla user I haven't bothered to look at its security model, but my objection is based entirely on the reluctance of users to safeguard their machines. Anything that makes it easier to access their bank account via information stored on their computer is going to increase vulnerability. Banks generally take the easy way out and say "if it came from your computer it's from you" (like so many other companies do), and this just exacerbates that. Writing the password on a note taped to your monitor is more secure, dammit.

(I used to get periodic hassles from idjits telling me to change the default email address in my program, because obviously moz can only ever refer to a browser... why the word existed before the browser is a mystery)

Mozilla stores passwords in an encrypted database, different from the open one for bookmarks and form filling. The first time you go to a page that needs a password from the database, you are prompted for the master password to the database. It remembers it for a while, I think Mozilla lets you set how long it lasts, Firefox is per-session.

This is the only way to do it if you are going to have lots of different passwords for lots of web sites. You can't possibly remember all those or tape them to your monitor. (They are working on better ways to roam with it.) Of course you must choose a good password for the master password. And, if paranoid, you don't keep the most secure passwords (bank) anywhere but your head.

Of course, spyware could snoop on you typing the master password, or typing the only-in-head bank password. The only truly secure system would be a dongle that talks end-to-end encrypted to the bank, with dongle password to boot.

However, the main point is, deep bookmarks are exactly as secure as the existing system with the browser remembering passwords, no more, no less.

I use a simple password generator for most web sites, it's fairly secure but not excessively so. Swiped the code from someone else...
http://moz.net.nz/password.html

My bank, BTW, loads a java app that makes me type in my account number but click buttons to enter the password (the buttons are in different places every time, it's vaguely annoying but very useful). I haven't disassembled it to see, but I'm hoping they transmit click locations back to the bank rather than decoding them locally. If so, it's quite a secure system (although it could equally be done using javascript and gif images).

I've been working on a little program that does this kind of thing for several years now, and it is a PAIN in the ass to maintain. What I really want is a secure RSS feed to watch the transaction histories of my various financial accounts. What I have to do instead is maintain and run little scripts in a hairbag, ultra-obscure, ad hoc language I have designed for groveling through login screens and the like to get the data I need to parse to provide me with the updated information.

I considered writing some kind of proxy based "breakout box", but Bank of America has their own Javascript scrambler code for passwords that just HAS to be reverse engineered, and surely they are not alone in their distrust of SSL.

My program does provide me with updates of various transactions. I love the way it often keeps on working even after major web site redesigns that turn out to be largely cosmetic.

My kludge uses Apple's keychain for the passwords. I have already taken the security risk of accessing my accounts from my computer, I may as well get the security benefit of timely updates. Hard to access financial data actually benefits identity thieves. Given the extreme lack of security involved with telephone access to accounts via a live broker, I am willing to take my chances with modern encryption.

But getting back to Firefox extensions and the like. Does anyone have, or is anyone likely to build, a deep bookmarking system that is based on the web site's user interface? EMACS has had something like this for years. Why not just record mouse clicks and keyboard entries? Surely a DOM based scripting language could not be that bad to cobble together.

P.S. Yes, I am incoherent as I often get when I foam about financial institutions. There is just something about banks and brokers that gets to me.
