Why is it secure?
It is secure because the server never receives clear information, and has no way to decrypt data ciphered by the Firefox addon. All the ciphering are done by the addon, inside the navigator. As a side effect, if you lose your primary password, there is no way to recover it, all your logins and password stored on the server are just a useless pile of bytes.
If you use the public FireWebSSO server, the server knows nothing about you, even your mail address is not necessary to create a user account. All the data are ciphered with your private key by your firefox navigator. The server can be seen as a container of data that are unreadable, except by you.
There is no way to recover your data if you lose your primary login and password. The encryption strengh depends on the strengh of your primary password, during the creation of your user account, the wizard informs you about the strengh of your password.
The communications between the addon and the server are done using SSL. It is not possible to use the session one time password (OTP) negociated during the initial authentification phase. No cookie are stored for the usage of the FireWebSSO addon, but when you access the www.firebsso.com pages, cookies may be used to control web server usage. You may disable cookies if you want.
If you think that there is security issues, the code of the plugin and the server are readable. Your comments are welcomed.
What we know about you if you use the FireWebSSO server:
- Your IP address, as any web server, except if you use a proxy.
- Your email address if you filled the email field during registration (modifications can be done in "My profile" ).
- Date and time you connect to the server
- The number of sites you defined
What we don't know or we are not able to do:
- Recover your primary password: we only have a SHA-2 HASH of the password, and it is not possible to recover the original password
- Recover your encyption key: your primary password is used as a key to crypt your key (AES-256), only you can use it
- Recover any information stored about your sites : even the name or the URL of the site is crypted (AES-256)
If you filled the email field, your email address will only be used to send to you (rarely) informations about the FireWebSSO service.