Where can I find support?
You can use one or more of the following:
- You can find information in the FireWebSSO documentation.
- You can take a look at the FireWebSSO Screencasts for samples of usage.
- You may find answers in the FireWebSSO FAQ.
- You can use the FireWebSSO forum to submit new questions or problems.
- You can e-mail firstname.lastname@example.org for more direct contact.
Is the FireWebSSO service open?
Only "private-beta-testing" is currently running, but we hope to open the public-beta service very soon. This will happen once the FireWebSSO addon is fully qualified for Firefox and SeaMonkey. The SeaMonkey qualification is not yet complete.
Firefox 2 or Firefox 3?
On some forms the auto-submit feature fails to submit the form. This generally happens on forms using advanced AJAX 'tricks'. For some of them a correction may be possible; if the URL of the form is public, submit it to the support forum.
You may disable the auto-submit feature for this form. The fields will be filled and the submit button will be correctly identified.
A new Firefox window is not authenticated
After an authentication to the FireWebSSO service only one Firefox window is authenticated. You may open sites in new tabs of the current window, but if you open a new Firefox window, it won't be authenticated to the FireWebSSO service.
This is both a technical and a security limitation: it prevents authentication from being auto-submitted to pop-up windows. Only the main window is attached to the FireWebSSO service.
This limitation will be removed in a future version through an option.
This limitation has been removed as of version 0.9.9.0.
I want to be sure that no clear information is sent
The server side is only a container; all the work is done by the FireWebSSO addon. You can read the code or ask someone to do it for you. You can check that everything is encrypted with your private key before being sent over an SSL connection.
Your Master Password is not sent to the server; a hash (SHA-2) is sent instead. This hash is used to validate the user account, and then your private key, encrypted with your Master Password, is delivered to you. Your private key can only be decrypted using your Master Password, so only your browser can use your private key. The private key is used to encrypt and decrypt any data sent to or received from the server.
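The exchange described above, as an added Node.js sketch that is not the FireWebSSO addon's or server's own code. The page only states that a SHA-2 hash is sent and that the private key is encrypted with the Master Password; SHA-256, scrypt, AES-256-GCM and all function, class and account names below are assumptions.

```javascript
// Added illustration: names and the scrypt/AES-GCM choices are assumptions.
const crypto = require('crypto');

// Sent to the server in place of the Master Password (SHA-2 family hash).
function authHash(masterPassword) {
  return crypto.createHash('sha256').update(masterPassword, 'utf8').digest('hex');
}

// Key that wraps the private key, derived locally from the Master Password.
function wrappingKey(masterPassword, salt) {
  return crypto.scryptSync(masterPassword, salt, 32);
}

// Client: encrypt the private key before it is ever uploaded.
function encryptPrivateKey(privateKey, masterPassword) {
  const salt = crypto.randomBytes(16), iv = crypto.randomBytes(12);
  const c = crypto.createCipheriv('aes-256-gcm', wrappingKey(masterPassword, salt), iv);
  const ct = Buffer.concat([c.update(privateKey), c.final()]);
  return { salt, iv, ct, tag: c.getAuthTag() };
}

// Client: recover the private key; throws if the Master Password is wrong.
function decryptPrivateKey(blob, masterPassword) {
  const d = crypto.createDecipheriv('aes-256-gcm', wrappingKey(masterPassword, blob.salt), blob.iv);
  d.setAuthTag(blob.tag);
  return Buffer.concat([d.update(blob.ct), d.final()]);
}

// Server: a container holding only the hash and the encrypted key.
class ContainerServer {
  constructor() { this.accounts = new Map(); }
  register(login, hash, blob) { this.accounts.set(login, { hash, blob }); }
  login(login, hash) {
    const acct = this.accounts.get(login);
    if (!acct) return null;
    const a = Buffer.from(acct.hash, 'hex'), b = Buffer.from(hash, 'hex');
    return a.length === b.length && crypto.timingSafeEqual(a, b) ? acct.blob : null;
  }
}

// Constructed round trip: register, log in, decrypt locally.
function demo() {
  const password = 'constructed example passphrase';
  const privateKey = crypto.randomBytes(32);
  const server = new ContainerServer();
  server.register('alice', authHash(password), encryptPrivateKey(privateKey, password));
  const blob = server.login('alice', authHash(password));
  const recovered = decryptPrivateKey(blob, password).equals(privateKey);
  return { recovered, rejected: server.login('alice', authHash('wrong guess')) };
}
```

The server object never sees the Master Password or the plaintext private key, and a wrong password fails either at the hash check or at the authentication tag during local decryption.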
How strong should my Master Password be?
If you read the previous section, you understand that the security is based on the strength of the password. So, stronger is better. A weak password is one that is easy to guess for other (malevolent) people or for the tools they use to guess it. For example, common words (secret, password, rabbit, etc.), names or dates related to you (your first or last name, the name of your wife/girlfriend/husband/boyfriend/pet, your birth date, etc.), and even combinations of characters that are too short (1234, foo, bar, etc.) are all very weak passwords. Here is an example of a strong password: "F1rst H0us3 0n S1lly K0n Str33t". It is quite long (30 characters) and easy to memorize: try reading it as "first house on Silicon Street" with "1" instead of "i", "0" (zero) instead of "o", "3" instead of "e", a capital on the first letter of each word, a stupid pun on "silicon" (silly con) and a deliberate spelling mistake on top of it ("kon" instead of "con"). It was also definitely not easy to guess (until we wrote it in this document, of course) because you DO NOT live in the first house on Silicon Street (which in turn might not exist at all).
Auto-submit failed after a bad password
To avoid authentication loops after a failed authentication, the auto-submit feature (when enabled) is disabled for the next 30 seconds. If you correct your password and retry an auto-submit in less than 30 seconds, the auto-submit will not be available.
The connection takes a long time
During the connection phase all the decryption is done by the browser. It takes a long time if there is a large number of sites.
Only the connection takes time; navigating and submitting logins and passwords is seamless.
I lost my password!
You are dead: it is not possible to recover it. Mail us your login and we will completely delete your account. (We won't delete it for real; we will flag it as deleted, in case you remember your password one day.)
Why is it not necessary to give an e-mail address during registration?
Because we don't need it. We have no use for your e-mail address or other personal information; remember that there is no password recovery possible!
If you give your e-mail address, you will only receive messages from us about the FireWebSSO service (very rarely).
In any case, the FireWebSSO connect page will contain all the messages we need to send to you.
I reached the limit of 1000 sites!
This limit can be modified by the administrator of the FireWebSSO service. If you really like the FireWebSSO service and want to be a power user, mail us your login to request a higher limit.
I try to connect but I get an error message
Either your Master login/password is wrong or your account is in one of the following states:
- deleted : your account is being deleted after you requested it. Your account is still recoverable for a while.
- locked : your account is locked, it may occur during database migration or update.
- banned : your account is banned from the service because we observed strange connections or errors with your user account. Your account is still recoverable.
How is this project funded?
This project is independent and receives no money except through donations and the ads on the web pages. We hope that the funds received will let us cover the cost of the public FireWebSSO server.
What is the status of the project and the server?
The project is in the Open-Beta phase, which means that anyone can register with the FireWebSSO service, but the service may crash at any time. (See the Licence Agreement during registration.)
That said, the project and the server are quite stable. The server bandwidth and power are limited, but we have the flexibility to increase them. Nevertheless, the number of accounts is currently limited to 40000, to avoid database overload.
Why are the server sources/binaries not available directly for download?
Mainly because the sources are not ready for public release, i.e. there is no ./configure and the compilation dependencies are not complete. The Windows version is not fully stabilised, the database is currently only SQLite and we want to support at least MySQL or any ODBC database, the configuration and monitoring tools are not finalized...
Future features of the extension are under development and need some improvement on the server side, while maintaining compatibility with previous features.
We don't want to release software that is not easy to use and then spend time supporting an incomplete version. We are focussed on the addon features.
I would like to participate
We are looking for translators; currently English, French and Italian are (or soon will be) available.
Who is the author of the project?
The author is Christophe Guionneau. He was one of the two original authors of TORCS (The Open Race Car Simulator), years ago (no relation at all with security).
How to remove the FireWebSSO addon?
In the Addons panel of Firefox or SeaMonkey, just delete the addon.
Depending on the version of FireWebSSO you use, the built-in password manager may be left disabled after the removal. If so, do the following:
Type "about:config" in the URL bar, then accept the warning.
Then type "signon" in the filter field.
Then take a look at "signon.rememberSignons": if it is set to "false", set it to "true". It should then work.