![[personal profile]](https://www.dreamwidth.org/img/silk/identity/user.png){kind=small}
ventaAn question about web forms and security...
When filling in forms (I use FireFox), it's often possible to hit the down arrow and get a list of things you previously typed into that field. This is kind of handy, mostly, and results in me not having to type my name or email address out a lot.
Forms taking things like credit card details don't usually do this - for obvious reasons - and I assume the existence of some sort of 'nocache' attribute which the form-writer can set on the fields which contain information which should be a little more secure.
Except today I filled in an entire payment form (card number, expiry date, security code, the lot) from cached information based on me having filled the same form out on that website months ago. This strikes me as Not Good.
I intend to write to the site in question and tell them I think they're a bit rubbish... but I'd like to be sure I know what I'm talking about first. Am I right about the form attribute ? Am I totally wrong, and this is something which FireFox implements wrongly and the site itself can't be blamed for ?
Informed opinion welcome :)
When filling in forms (I use FireFox), it's often possible to hit the down arrow and get a list of things you previously typed into that field. This is kind of handy, mostly, and results in me not having to type my name or email address out a lot.
Forms taking things like credit card details don't usually do this - for obvious reasons - and I assume the existence of some sort of 'nocache' attribute which the form-writer can set on the fields which contain information which should be a little more secure.
Except today I filled in an entire payment form (card number, expiry date, security code, the lot) from cached information based on me having filled the same form out on that website months ago. This strikes me as Not Good.
I intend to write to the site in question and tell them I think they're a bit rubbish... but I'd like to be sure I know what I'm talking about first. Am I right about the form attribute ? Am I totally wrong, and this is something which FireFox implements wrongly and the site itself can't be blamed for ?
Informed opinion welcome :)
![[identity profile]](https://www.dreamwidth.org/img/silk/identity/openid.png){kind=small}
no subject
Date: 2010-06-08 10:32 am (UTC)It's all in your browser. Under the preferences (I'm on a Mac so if you are on Doze it will vary.) Privacy, remember search and form history.
You're not the only one to have found this: http://support.mozilla.com/en-US/forum/1/7920
You can uncheck this - but this is sometimes rather handy.
So, try http://autofillforms.mozdev.org/ which will crypt the settings via your master password.
What? you haven't got one?
do it now : set a Master Password for your profile (Preferences, Security, Use a Master Password)
:)
no subject
Date: 2010-06-08 10:43 am (UTC)While I'm happy to accept that, that doesn't really explain why credit card forms normally *don't* cache the information, but this specific one does.
What? you haven't got one?
I haven't, no. No one uses my laptop but me, and the log-on is password protected. It's locked when I'm away from it, and thus a master password doesn't really seem to bring much to the party.
I'm curious about the autofillforms, so will experiment with it.
no subject
Date: 2010-06-08 10:46 am (UTC)Just in case anyone else is reading this and fancies trying it, the Windows settings are:
Tools->Options->Privacy, set "Firefox will..." to "Use custom settings for history" to see the "Remember search and form history" checkbox.
Tools->Options->Security for the master password option.