Quit Googling your Passwords

Recently, I noticed someone using one of the QuickSearch toolbars included in Firefox as a place to temporarily paste something while working on their desktop.

Put it here temporarily?

It makes sense: you need a place to hold something for a moment, and it’s right there and readily available. And since you’re not pressing the Enter key, it’s not going to be sent anywhere, right?

Well, actually it is. After you stop typing, it immediately sends an HTTP POST request to its target (Google in this case). And while the search does take place, it doesn’t update your browser (so you might not realize it even happens). Here’s a copy of the content in the packet:


GET /complete/search?output=firefox&client=firefox&hl=en-US&q=mysuperleetpassword HTTP/1.1
Host: suggestqueries.google.com
User-Agent: <omitted>
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8


Does this matter? That depends on what you put there. You probably wouldn’t pick up the phone and call Google (or Yahoo!, or BING, etc) and tell the receptionist “Hey, my Facebook username is … and my password is …”, but you can very easily do this by simply pasting ANYTHING in that handy little search bar.
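To see what actually left the machine, here is an added example (not from the original post) that scans captured HTTP request lines like the one above, picks out the search-suggestion requests, and URL-decodes the q= parameter so the leaked text is readable. The capture lines embedded in the script are constructed for the example; in practice you would feed it the request lines printed by your packet capture tool.

```shell
#!/bin/sh
# Added example, not from the original post: audit captured HTTP request lines
# for search-suggestion requests and recover the text that was sent along.
# The capture below is constructed for this example.

SAMPLE_CAPTURE='GET /complete/search?output=firefox&client=firefox&hl=en-US&q=mysuperleetpassword HTTP/1.1
GET /index.html HTTP/1.1
GET /complete/search?output=firefox&client=firefox&hl=en-US&q=hunter2%20is%20my%20pw HTTP/1.1'

# url_decode STRING: replace '+' with a space and each %XX escape with the byte it encodes.
url_decode() {
    printf '%s' "$1" | awk '
    BEGIN { h = "0123456789abcdef"; for (i = 1; i <= 16; i++) hv[substr(h, i, 1)] = i - 1 }
    {
        s = $0; out = ""
        while (length(s) > 0) {
            c = substr(s, 1, 1)
            hx = tolower(substr(s, 2, 2))
            if (c == "+") {
                out = out " "; s = substr(s, 2)
            } else if (c == "%" && hx ~ /^[0-9a-f][0-9a-f]$/) {
                # two hex digits follow the percent sign: emit that byte
                out = out sprintf("%c", hv[substr(hx, 1, 1)] * 16 + hv[substr(hx, 2, 1)])
                s = substr(s, 4)
            } else {
                # ordinary character, or a lone "%" without valid hex digits
                out = out c; s = substr(s, 2)
            }
        }
        print out
    }'
}

# leaked_queries CAPTURE: print the decoded q= value of every suggestion request, one per line.
leaked_queries() {
    printf '%s\n' "$1" |
        grep '^GET /complete/search?' |
        sed -n 's/.*[?&]q=\([^& ]*\).*/\1/p' |
        while IFS= read -r q; do url_decode "$q"; done
}

# Stand-alone run: list everything the sample capture sent to the suggestion endpoint.
leaked_queries "$SAMPLE_CAPTURE"
```

Run against the constructed sample it prints the two strings that were typed into the search box. If you want the requests to stop rather than just audit them, Firefox’s about:config preference browser.search.suggest.enabled set to false disables suggestion lookups for the search bar.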

Here’s a quick video of me running a packet capture and typing something into the search area. Again, I only moved my cursor – never did I press Enter (View it fullscreen for better detail).


I wonder how much garbage accidentally falls into search engine pits like this. I’m also curious as to how many sites log mistyped passwords (think of it this way – you accidentally type your webmail password into Facebook or vice versa).

All the misguided traffic reminds me of the pollution problem of 1.0.0.0/8.

Blast you, PinEntry!!!

Following a recent update to my Gentoo installation at work, I found myself pestered by PinEntry acting as my new SSH Authentication Agent. Formerly, I used the normal ssh-agent, as it’s console only and doesn’t steal focus on the terminal window I’m currently working in.


Popups Must Die

A quick look at the process-list shows why:

gillespiem@kovacs2 ~ $ ps axu | grep gpg-agent
30847 ?        Ss     0:00 gpg-agent --daemon --enable-ssh-support --write-env-file /home/gillespiem/.cache/gpg-agent-info


The GPG-Agent is being run with the --enable-ssh-support flag. Here’s how you can turn it off if you’re using XFCE4:

The script /etc/xdg/xfce4/xinitrc handles choosing the correct authentication agent at line 129:

129 # launch gpg-agent or ssh-agent if enabled.
130 ssh_agent_enabled=`xfconf-query -c xfce4-session -p /startup/ssh-agent/enabled 2> /dev/null`
131 if test "$ssh_agent_enabled" != "false"; then
132     # if the user has pam_ssh installed, it will start ssh-agent for us, but
133     # of course won't start gpg-agent.  so, if ssh-agent is already running,
134     # but we want gpg-agent (and that's not running yet) start gpg-agent
135     # without ssh support
136
137     ssh_agent_type=`xfconf-query -c xfce4-session -p /startup/ssh-agent/type 2> /dev/null`
138     if test -z "$ssh_agent_type"; then
139         if which gpg-agent >/dev/null 2>&1; then
140             ssh_agent_type=gpg-agent
141         else
142             ssh_agent_type=ssh-agent
143         fi
144     fi

To pass the first test (line 130), set ssh-agent to be enabled by running this (it only needs to be run once):

xfconf-query -n -t bool -c xfce4-session -p /startup/ssh-agent/enabled -s true

To pass the second test (line 137), set /startup/ssh-agent/type to … well, pretty much anything will do, as it only tests that it’s a non-zero length string – I’m setting it to “ssh-agent”:

xfconf-query -n -t string -c xfce4-session -p /startup/ssh-agent/type -s ssh-agent

If you’re currently in XFCE4, kill gpg-agent and restart XFCE. You’ll find when you return, ssh-agent will act as your SSH Authentication Agent, and gpg-agent will handle GPG specific transactions.
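The whole procedure in one script, as an added example that is not from the original post: it checks a process listing for a gpg-agent running with --enable-ssh-support, models the decision the quoted xinitrc lines make from the two xfconf values, and applies the same two xfconf-query commands only when xfconf-query is actually installed. The process listing in the script is constructed for the example; feed it real ps ax output to check your own session.

```shell
#!/bin/sh
# Added example, not from the original post: detect whether gpg-agent has taken over
# the SSH agent role, model the xinitrc decision the post quotes, and apply the two
# xfconf settings. The process listing below is constructed for this example.

SAMPLE_PS='30847 ?        Ss     0:00 gpg-agent --daemon --enable-ssh-support --write-env-file /home/gillespiem/.cache/gpg-agent-info
30912 ?        Ss     0:00 ssh-agent -s'

# gpg_agent_owns_ssh LISTING: succeed if gpg-agent is running with --enable-ssh-support.
gpg_agent_owns_ssh() {
    printf '%s\n' "$1" | grep -q 'gpg-agent.*--enable-ssh-support'
}

# choose_agent ENABLED TYPE HAVE_GPG: what the quoted xinitrc logic picks, given the
# two xfconf values (empty string = property unset) and whether gpg-agent is installed
# (yes/no). Prints gpg-agent, ssh-agent, or none (when ssh-agent is explicitly disabled).
choose_agent() {
    enabled=$1; agent_type=$2; have_gpg=$3
    # line 131: anything other than the literal string "false" counts as enabled
    if [ "$enabled" = "false" ]; then echo none; return 0; fi
    # lines 138-144: an empty type falls back to gpg-agent whenever it is installed
    if [ -z "$agent_type" ]; then
        if [ "$have_gpg" = yes ]; then agent_type=gpg-agent; else agent_type=ssh-agent; fi
    fi
    echo "$agent_type"
}

# apply_xfce_agent_settings: the two xfconf-query commands from the post; does nothing
# (and fails) when xfconf-query is not on this machine.
apply_xfce_agent_settings() {
    command -v xfconf-query >/dev/null 2>&1 || { echo "xfconf-query not found; nothing changed" >&2; return 1; }
    xfconf-query -n -t bool   -c xfce4-session -p /startup/ssh-agent/enabled -s true &&
    xfconf-query -n -t string -c xfce4-session -p /startup/ssh-agent/type    -s ssh-agent
}

# Stand-alone run: report on the constructed listing and show what the settings change.
if gpg_agent_owns_ssh "$SAMPLE_PS"; then
    echo "gpg-agent is answering SSH requests"
    echo "  xinitrc pick with both properties unset: $(choose_agent "" "" yes)"
    echo "  xinitrc pick after the two settings:     $(choose_agent true ssh-agent yes)"
else
    echo "ssh-agent is answering SSH requests"
fi
```

Call apply_xfce_agent_settings yourself once inside an XFCE session, then kill gpg-agent and restart XFCE as described above; the script deliberately does not run it unattended.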

BrainDeadUpgrade

Not much has happened project-wise in the last few weeks. Any free time I’ve had has gone to updating the wireless firmware to capture MAC addresses and pass them off to an Elgg plugin I’ve written. I’m still waiting on a box of 10 Servo’s from China to continue my RC Car modification project.

I’ve also got plenty of work to do around the house until May.

But now, after almost 4 years, I’ve decided it’s time to spruce up BrainDeadProjects.com. I’m retiring the glowing brains that have been the personification of BrainDeadProjects for these past few years. Sure, remnants will probably remain (the favicon for instance)… but now let me introduce you to “Tin Can Head”:

Tin Can Head is the work of LogoDesignCreation.com. Give them your idea, and for a modest amount (under $60), they’ll propose a few design ideas for you. Turnaround is fast, Wired.com gave them a good grade, and overall I have to say that I’m pretty satisfied.

More project updates soon, in the meantime stare at the glowing brains of Tin Can Head.