
Questions list

Where can I find support ?

Is the FireWebSSO service open?

Firefox 2 or Firefox 3 ?

Auto-submit failed

A New Firefox window is not authenticated

I want to be sure that no clear information is sent

How strong should my Master Password be?

Auto-submit failed after a bad password

The connection takes a long time

I lost my password !

Why is it not necessary to give an e-mail address during registration

I reached the limit of 1000 sites!

I try to connect but I got an error message

How is this project funded?

What is the status of the project and the server

Why are the server sources/binaries not available directly for download?

I would like to participate

Who is the author of the project?

How to remove FireWebSSO addon?

Where can I find support?

You may use one (or more) of the following ways :

Is the FireWebSSO service open?

Not yet.

Only private beta testing is being done currently, but we hope to open the public beta service very soon. It will be opened when the FireWebSSO addon is fully qualified for Firefox and SeaMonkey. The SeaMonkey qualification is not yet complete.

Firefox 2 or Firefox 3 ?

FireWebSSO uses XUL, and therefore JavaScript, to encrypt data. Firefox 3 is far more efficient at encryption in JavaScript than previous versions, so Firefox 2 users should consider migrating to Firefox 3.

There are also slight behaviour differences between Firefox 2 and Firefox 3; features and corrections for FireWebSSO are mainly validated on Firefox 3.

Auto-submit failed

On some forms the auto-submit feature fails to submit the form. This generally happens on forms using advanced AJAX 'tricks'. For some of them a correction may be possible: if the URL of the form is public, submit it to the support forum.

You may disable the auto-submit feature for this form. The fields will be filled and the submit button will be correctly identified.

A New Firefox window is not authenticated

After an authentication to the FireWebSSO service only one Firefox window is authenticated. You may open sites in new tabs of the current window, but if you open a new Firefox window, it won't be authenticated to the FireWebSSO service.

This is both a technical and a security limitation: it avoids auto-submitting authentication to pop-up windows, because only the main window is attached to the FireWebSSO service.

This limitation will be removed in a future version through an option.

This limitation has been removed since version 0.9.9.0.

I want to be sure that no clear information is sent

The server side is only a container; all the work is done by the FireWebSSO addon. You can read the code or ask someone to do it for you. You can check that everything is encrypted with your private key before being sent over an SSL connection.

Your Master Password is not sent to the server; a hash (SHA-2) is sent instead. This hash is used to validate the user account, and then your private key, encrypted with your Master Password, is delivered to you. Your private key can only be decrypted using your Master Password, so only your browser can use your private key. The private key is used to encrypt and decrypt all data sent to and received from the server.
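
The flow described above, as an added example that is not FireWebSSO's own code: the server sees only a SHA-2 hash and an encrypted blob, and the key that wraps the private key is derived separately from that hash. AES-256-GCM, scrypt and every function name here are assumptions; the FAQ names only SHA-2.

```javascript
// Added illustration, not FireWebSSO's code. AES-256-GCM and scrypt are
// assumptions; the FAQ names only SHA-2. All function names are hypothetical.
const crypto = require('crypto');
// Sent to the server to validate the account: a SHA-2 hash, never the password.
function authHash(masterPassword) {
  return crypto.createHash('sha256').update(masterPassword, 'utf8').digest('hex');
}

// Key that wraps the private key. Derived separately from authHash so the
// value the server sees cannot decrypt the blob it stores.
function wrapKey(masterPassword, salt) {
  return crypto.scryptSync(masterPassword, salt, 32);
}

// Client side, at registration: encrypt the private key under the Master Password.
function wrapPrivateKey(privateKey, masterPassword) {
  const salt = crypto.randomBytes(16);
  const iv = crypto.randomBytes(12);
  const cipher = crypto.createCipheriv('aes-256-gcm', wrapKey(masterPassword, salt), iv);
  const data = Buffer.concat([cipher.update(privateKey), cipher.final()]);
  return { salt, iv, data, tag: cipher.getAuthTag() };
}

// Client side, at login: returns the private key, or null if the password is wrong.
function unwrapPrivateKey(blob, masterPassword) {
  const key = wrapKey(masterPassword, blob.salt);
  const decipher = crypto.createDecipheriv('aes-256-gcm', key, blob.iv);
  decipher.setAuthTag(blob.tag);
  try {
    return Buffer.concat([decipher.update(blob.data), decipher.final()]);
  } catch (err) {
    return null; // GCM tag mismatch: wrong password or tampered blob
  }
}

// Constructed sample run: the server holds only { hash, blob }.
function demo() {
  const password = 'F1rst H0us3 0n S1lly K0n Str33t'; // example from this FAQ
  const privateKey = crypto.randomBytes(32); // constructed stand-in key
  const server = { hash: authHash(password), blob: wrapPrivateKey(privateKey, password) };
  const recovered = unwrapPrivateKey(server.blob, password);
  return {
    loginOk: authHash(password) === server.hash,
    roundTrip: recovered !== null && recovered.equals(privateKey),
    wrongPassword: unwrapPrivateKey(server.blob, 'rabbit'),
    // The server-visible hash, tried as a password, must not unwrap the key.
    serverHashAsPassword: unwrapPrivateKey(server.blob, server.hash),
  };
}
```

When reading the addon's code, the point to check is the one this sketch separates: the value sent for account validation must not also be the key that decrypts the private key.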

How strong should my Master Password be?

If you read the previous section, you understand that the security is based on the strength of the password. So, stronger is better. A weak password is one that is easy to guess for other (malevolent) people or for the tools they use to guess this password. For example, common words (secret, password, rabbit, etc.), names or dates related to you (your first or last name, your wife/girlfriend/husband/boyfriend/pet name, your birth date, etc.), and even too-short combinations of characters (1234, foo, bar, etc.) are all very weak passwords. Here is an example of a strong password: "F1rst H0us3 0n S1lly K0n Str33t". It is quite long (30 characters), easy to memorize (try reading it as "first house on Silicon Street" with "1" instead of "i", "0" (zero) instead of "o", "3" instead of "e", caps on the first letter of each word, a stupid pun on "silicon" (silly con) and a deliberate spelling mistake on top of it ("kon" instead of "con")) and it was definitely not easy to guess (until we wrote it in this document, of course) because you DO NOT live in the first house on Silicon Street (which in turn might not exist at all).

Auto-submit failed after a bad password

To avoid authentication loops after a failed authentication, the auto-submit feature (when enabled) is disabled for the next 30 seconds. If you correct your password and retry an auto-submit in less than 30 seconds, the auto-submit will not be available.

The connection takes a long time

During the connection phase all the decryption is done by the browser. It takes a long time if there is a large number of sites.

All the encryption/decryption is done in JavaScript. We chose to implement everything in JavaScript and XUL to avoid developing and porting a C/C++ library for each system. Another advantage is that all the code is readable: there is no binary (shared library) loaded into your browser. The JavaScript code is clear and not obfuscated, so if you are concerned about security issues you can take a look at the code.

Only the connection takes time; navigating and submitting logins and passwords is seamless.

I lost my password !

You are dead: it is not possible to recover it. Mail us your login and we will completely delete your account. (We won't delete it for real; we will flag it as deleted, in case you remember your password one day.)

Why is it not necessary to give an e-mail address during registration

Because we don't need it. We have no use for your e-mail address or other personal information; remember that there is no password recovery possible!

If you give your e-mail address, you will only receive messages from us about the FireWebSSO service (very rarely).

Anyway, the FireWebSSO connect page will contain all the messages we need to send to you.

You will be able to add/change your mail address in the "My Account Profile" panel.

I reached the limit of 1000 sites!

This limit can be modified by the administrator of the FireWebSSO service. If you really like the FireWebSSO service and want to be a power user, mail us your login to request a higher limit.

I try to connect but I got an error message

Either your Master login/password is wrong or your account is in one of the following states:

  • deleted: your account is being deleted after you requested it. Your account is still recoverable for a while.
  • locked: your account is locked; this may occur during a database migration or update.
  • banned: your account is banned from the service because we observed strange connections or errors with your user account. Your account is still recoverable.

How is this project funded?

This project is independent and receives no money except from donations and from the ads on the web pages. We hope that the funds received will let us cover the cost of the public FireWebSSO server.

What is the status of the project and the server

The project is in the Open-Beta phase, which means that anyone can register for the FireWebSSO service, but the service may crash at any time. (See the Licence Agreement during registration.)

But the project and the server are quite stable. The server bandwidth and power are limited, but we have the flexibility to increase them. Nevertheless, the number of accounts is currently limited to 40000 to avoid database overload.

We are working to increase the capacity of the server database.

Why are the server sources/binaries not available directly for download?

Mainly because the sources are not ready for public release, i.e. there is no ./configure and the compilation dependencies are not complete. The Windows version is not fully stabilised, the database is currently only SQLite and we want to support at least MySQL or any ODBC database, and the configuration and monitoring tools are not finalized...

Future features of the extension are under development and need some improvement on the server side, while maintaining compatibility with previous features.

We don't want to release software that is not easy to use and then spend time supporting an incomplete version. We are focussed on the addon features.

The sources of the Firefox addon are available in the extension ;=). The addon is fully written in XUL and Javascript to be OS independent. (There is no C++ XPCOM dll.)

I would like to participate

We are looking for translators, currently English/French/Italian are (or will be soon) available.

You can also use the "donate link" and contribute to the project funding.

Who is the author of the project?

The author is Christophe Guionneau. He was one of the two original authors of TORCS (The Open Race Car Simulator), years ago (no relation at all with security).

How to remove FireWebSSO addon ?

In the Addons panel of Firefox or Seamonkey, just delete the addon.

Depending on the version of FireWebSSO you use, the built-in password manager could be left disabled after the removal. If so, do the following:

Type "about:config" in the URL bar, then accept the warning.

Then type "signon" in the filter field.

Then take a look at "signon.rememberSignons": if it is set to "false", set it to "true". The password manager should then work.