File:  [mozdev] / autofill / www / help.html
Revision 1.14: download - view: text, annotated - select for diffs - revision graph
Sat Jan 7 01:10:21 2006 UTC (11 years, 9 months ago) by tnorris
Branches: MAIN
CVS tags: HEAD
no message

<h3>Help Notes</h3>
<h4>Answers to Common Post-install Questions</h4>
<ul>
	<li>After first install, the autofill button is on the toolbar customize palette (View->Toolbars->Customize). Drag it from the palette to the toolbar of your choice.</li>
	<li>Autofill automatically highlights fields it "recognizes" in a form by setting the background of the field in yellow. This behaviour can be turned off through the Autofill options dialog (Tools->Autofill->Autofill Options).</li>
	<li>Autofill will not recognize fields in all HTML forms. We are continuously improving the field detection algorithms for Autofill. If you encounter a form that doesn't work today, it may work in the next version.</li>
	<li>We test with a number of common web sites. If you feel we've overlooked an important one, email us. Our contact information is available on the <a href="members.html">Autofill Member Page</a>.</li>
	<li>The autofill toolbar button will only enable if there is at least one profile defined, <em>and</em> there is at least one field in the form that autofill recognizes.</li>
	<li>The profile selection menu will only enable if you have more than one profile. There is no point in selecting from a choice of one.</li>
</ul>
<h4>Profile Information</h4>
<ul>
	<li>Profiles are intended to be used to reflect the different roles you interact with web sites in. For Instance, you might want to have a "Work" and "Home" profile. You may even want a "Dummy" profile when websites require information that you don't want to share. Ultimately, though, how you use them is up to you.</li>
	<li>Autofill supports the definition of an unlimited number of profiles through the Autofill Preferences (Tools->Autofill->Autofill Options).</li>
	<li>Each autofill profile must have a unique name. Attempts to add empty, or duplicate profiles will be ignored.</li>
	<li>The currently "active" profile can be selected by clicking the drop-down marker on the toolbar button, right clicking on the toolbar button, or through the Tools->Autofill menu.</li>
</ul>
<h4>Credit Card Information</h4>
<ul>
	<li>Autofill stores the credit card attributes, and the password protecting them securely. The password is stored as an <a href="http://en.wikipedia.org/wiki/SHA1">SHA1 hash</a>. The credit card attributes are encrypted using <a href="http://en.wikipedia.org/wiki/AES">AES (Rijndael)</a> using a derivation of the autofill password (to expand it to 128 bits) as the encryption key. Once the credit card attributes have been encrypted, they can not be recovered without supplying the password used to encrypt them.</li>
	<li>Before the stored credit card information can be automatically filled into a form, the user is required to suppy the password previously used to encrypt them. There is no option to turn this behaviour off for two reasons. First, We think it's just a bad idea to turn it off. Secondly, the password is used as the key for encryption/decryption of the credit card attributes.</li>
	<li>If the autofill password is forgotten, click "Reset Password". This will clear the password, and all stored credit card attributes.</li>
	<li>At the time the credit card number is entered in the Autofill options dialog, it is validated for the proper Prefix and Length for the specified card type as well as against the <a href="http://en.wikipedia.org/wiki/Luhn_algorithm">LUHN Algorithm</a>, if applicable. If the card number fails any of these checks, a dialog is presented to warn the user the card number may not be valid.</li>
	<li><b><em>IMPORTANT NOTE: </em></b>Eventually Autofill will be distributed as a signed extension to prevent modification of the installed code. Until that time, direct modification of the Autofill code on the installed workstation could compromise the credit card information. For instance, an attacker could modify the autofill code to write out the credit card number in clear text prior to encryption. If the physical security of the installed workstation can not be guaranteed, my recommendation is not to use the credit card aspects of Autofill.</li>
</ul>

FreeBSD-CVSweb <freebsd-cvsweb@FreeBSD.org>