Web Form Filling Software

On 16 Mar 2005, at 08:53 :38, James.Mitchell wrote:
> I've been looking for the Mac equivalent of the program Roboform on
> the PC, a program that stores all standard information for filling out
> forms on web pages.

Safari stores form field entries. i believe most of the web broswers
do.

> I use it for all my logon passwords (which I know keychain does on
> the Mac) and, even more helpfully, for filling out the
> name-address-email etc. information when ordering products online.

I've found both Firefox and Safari are rather smart about this,
however, many forms instead of having filed labels like "FirstName"
have a filed label like "Field1" and those forms will not get filled.

Yesterday James Mitchell asked about software to fill out forms on
Web pages. I suggest looking at the OmniWeb browser
(www.omnigroup.com). It has a "Form AutoFill" panel in its
Preferences, and from its appearance it might do what he wants. It
stores passwords securely in the Keychain, can fill with data from
the Address Book or from its own editable lists, and can save all
submitted forms for future use. It has both Autofill and
Autocomplete capabilities. I can't testify to how well or poorly it
works for forms in general, because I haven't felt the need to enable
that function. But it does work quite well for password autofill.

Carl

On 3/21/05 2:19 PM, "Paul N. Schatz" <pnsvirginia.edu> wrote:

> One caution about using AutoFill or the analog in Safari. It will
> remember your credit card number and happily auto fill it. But your credit
> card number is then stored on your computer in unencrypted form unless you
> explicitly erase it from the appropriate file.

Only if the web page allows for it. I can only think of a couple that do.

--
John C. Welch Writer/Analyst
Bynkii.com Mac and other opinions
jwelchbynkii.com

> -----Original Message-----
> From: Paul N. Schatz [mailto:pnsvirginia.edu]
> Sent: Monday, March 21, 2005 3:19 PM
> To: tidbits-talktidbits.com
> Subject: Re: Web Form Filling Software
>
>
> One caution about using AutoFill or the analog in
> Safari. It will remember your credit card number and happily
> auto fill it. But your credit card number is then stored on
> your computer in unencrypted form unless you explicitly erase
> it from the appropriate file.

This reminds me of a reason why I don't use such features. I believe it is
not difficult for a web site to have form fields on a page but concealed so
you are not aware that the autofill information has been entered. So, you
can end up sending credit card numbers, social security numbers, addresses,
etc. to a malicious site without your knowledge. There doesn't even have to
be a visible form at all, any link (or all links) on a page can perform the
"submit" action.

If autofill works within frames, particularly iframes, it wouldn't even have
to be the site you're visiting, it could be an "advertiser" using an iframe.
While it would be pretty daring to attempt identity theft while posing as
such an advertiser, I would not put it past them to use such techniques to
gather data about you for their consumer profiles.

I would feel much better about an autofill feature if the browser would not
enter any information until an "autofill" button or keystroke was used. Even
then, I'd like the browser to provide some indication of what information it
was providing beyond what the web page chooses to display.

Robform is an excellent application & the ability to direct the
RoboForm encrypted files to a mini drive means (if you are so disposed)
that you can remove this data from your PC when you are not using it.
Roboform indicates on their web page that a Mac version is unlikely to
be produced. I switched from PC to iMac early this year & password
management etc is one of the few areas that has not matched or exceeded
what I had in the PC World (ie Roboform). Here is what I have worked
out so far:

I have found nothing in the Macworld to match Roboform.

The best way to save notes/text data ( a Robform function) is to create
a keychain dedicated to this task.

Safari has a password system integrated with Keychain, ... but Keychain
does not integrate with any other browser.

I am using Firefox which has an integrated password manager & the
resulting file is encrypted ... but not sure how secure this is & to
date have not found any info on this on Firefox webpages. This
password manager (unlike Roboform) does not pick up all web pages
(presumably a configuration matter) ... so Firefox password manager is
not a complete solution! I have solved this gap in performance by
using Firefox extension "Autoform" ... this does not seem a very
elegant application but does seem to save all password data you throw
at it ... and allows you to encrypt passwords (but not user names?).
"Autoform" seems web page specific, ... so I am using Firefox extension
"Autofill" for automatic completion of address data.

So all in all, an okay outcome, but fragmented & not as good as
Roboform, ... and of course it doesn't appear possible to with ease
place this encrypted data on a removable mini drive. Another option,
some users may want to work into the mix, somehow, is to use Disk
Utility to create an encrypted disk image as a virtual fault to save
sensitive data.

I would love to achieve a more elegant solution ... but I asked the
same question re Roboform Mac equivalents on my local Mac Message Board
& got a very few "inconsequential" responses.





  

The Autoform extension for Firefox does a very nice job with auto-filling forms. Passwords are encrypted. I suggest when configuring Autoform in the Fiedl context tab, uncheck Query string.

The auto-fill information that Safari uses is stored in the
PersonalFormsAutoFillDatabase, which is encrypted on disk. You can see
in Keychain Access that there is a password used to decrypt this file
for use by Safari.

As someone already said, if your credit card number is being
auto-filled, it is because the web page owner has not protected that
field. (You should complain to the clueless website.) Additionally, I
don't see any evidence that the credit card number is being stored in a
plain text file on your computer, as was asserted earlier in this
thread, it is most likely kept in this encrypted db.

   --Gordon

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 25.3.2005, space aliens observed Gordon Meyer saying:
>As someone already said, if your credit card number is being
>auto-filled, it is because the web page owner has not protected that
>field.

I'm wondering: How would a site protect a form field from auto-fill? The
browser does the filling, not the site. How can a site possibly discern
between a credit card number entered by the browser and one entered by
the user?

Auto-filled credit card numbers look like a browser flaw to me, not like
a site flaw.

lucas

-----BEGIN PGP SIGNATURE-----
Version: PGP SDK 3.2.2

iQA/AwUBQkQOYLXYdom/dB2cEQK2BQCgzOXhoeZ6myWOl0am46+MqbhYbmQAnRM/
JGpUfiZt9sTV6JZ8uyf8EEhk
=F3RH
-----END PGP SIGNATURE-----

On 25 Mar 2005, at 08:52 :46, Lucas K. Mathis wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> On 25.3.2005, space aliens observed Gordon Meyer saying:
>> As someone already said, if your credit card number is being
>> auto-filled, it is because the web page owner has not protected that
>> field.
>
> I'm wondering: How would a site protect a form field from auto-
> fill? The
> browser does the filling, not the site. How can a site possibly
> discern
> between a credit card number entered by the browser and one entered by
> the user?

The same basic way some sites prevent Safari (stupid on Safari's part
to respect the setting, in my opinion) from storing the password in
the keychain. As for the exact mechanism, I'm not sure; the form and
input fields LOOK normal enough, but obviously something is going on
that prevents Safari from storing the password.

citbank, for example, prevents the password from being stored. this
means that I must have the password WRITTEN DOWN somewhere, and it
also means, being paranoid about that, I have to change the password
very frequently.

Normally what i do with a website is generate a password (I have a
shell-script that makes a password for me[1]), type it in once, and
let it reside in the keychain forever. Sites that prevent this mean I
have to manually manage the password, which makes it far less
secure. They THINK they are making it more secure, but they are wrong.

[1] Some samples:
QTPhSZ9P EfPASDTzScGa
T3hDWaS5Qo7s tLDRQxHgMBLS
vfc8a7FDL6 1Z8g8GSQ9
EAfLWJdX Q3wGVwBb8Q

(it pulls random characters from the string
"abcdefghkmopqrstvwxzABCDEFGHJKLMPQRSTVWXZ1234567890" note the lack
of 'O' and 'l' and 'i' and 'I' to reduce confusion)

> Auto-filled credit card numbers look like a browser flaw to me, not
> like
> a site flaw.

It's not a flaw when the data is stored locally in a locked/protected
file.

Citibank's form tag is...

<form method="post" action="https://web.da-us.citibank.com/cgi-bin/citifi/scripts/login2/login.jsp" name="LoginValidateForm" onSubmit="return signOn();" AUTOCOMPLETE="off" style="display:inline">

Note the autocomplete attribute.

-Dave

At 5:26 PM -0800 3/28/05, Dave Friedman wrote:
>Citibank's form tag is...
>
><form method="post"
>action="https://web.da-us.citibank.com/cgi-bin/citifi/scripts/login2/login.jsp"
>
>name="LoginValidateForm" onSubmit="return signOn();"
>AUTOCOMPLETE="off" style="display:inline">
>
>Note the autocomplete attribute.
>
>-Dave

Here is my question, and what I would like to see. A setting
(however hidden in config files etc.) to instruct the browser to
ignore the #($# autocomplete="off" tag. I figure for general
security purposes it is a good idea, unless the user specifically
decides to instruct the browser to override the tag. Remember web
browsers are supposed to interpret pages, not impose a strict DRM
like code on the page display/function.

Nick

On 3/28/05 8:26 PM, "Dave Friedman" <davefun2play.com> wrote:
> Note the autocomplete attribute.

It looks like Microsoft introduced this non-standard form attribute in IE5.
It works on individual fields as well as entire forms. I guess Safari and
Firefox honor it as well.

http://www.htmlref.com/reference/appa/tag_form.htm
http://msdn.microsoft.com/workshop/author/forms/autocomplete_ovr.asp

The current draft of the Web Forms 2.0 spec includes an autocomplete
attribute for some fields (fields, not forms). Who knows when we'll see this
in a mainstream browser though.

http://whatwg.org/specs/web-forms/current-work/#the-autocomplete

--On March 28, 2005 9:18:50 AM -0800 Google Kreme <gkremegmail.com> wrote:
>> Auto-filled credit card numbers look like a browser flaw to me, not
>> like
>> a site flaw.
>
> It's not a flaw when the data is stored locally in a locked/protected
> file.

It's a flaw when a simple web page can trick the information out of the
protected file by merely creating a small field somewhere on the page that
isn't immediately obvious and the info is auto-filled in.

username/passwords are tied to a particular web site. Other fields are
more generic and are not stored in the keychain or limited to use on
particular URLs.

> Here is my question, and what I would like to see. A setting
> (however hidden in config files etc.) to instruct the browser to
> ignore the #($# autocomplete="off" tag. I figure for general
> security purposes it is a good idea, unless the user specifically
> decides to instruct the browser to override the tag. Remember web
> browsers are supposed to interpret pages, not impose a strict DRM
> like code on the page display/function.

One solution is the "greasemonkey" extension for Firefox.

http://greasemonkey.mozdev.org/

"Greasemonkey is a Firefox extension which lets you to add bits of DHTML
("user scripts") to any webpage to change it's behavior."

It looks like someone has already written a greasemonkey script to remove
get rid of this autocomplete attribute.

http://people.opera.com/rijk/opera/userjs-collection.html

On 29 Mar 2005, at 20:34 :43, Nicholas Barnard wrote:
> At 5:26 PM -0800 3/28/05, Dave Friedman wrote:
>> Citibank's form tag is...
>>
>> <form method="post"
>> action="https://web.da-us.citibank.com/cgi-bin/citifi/scripts/
>> login2/login.jsp"
>>
>> name="LoginValidateForm" onSubmit="return signOn();"
>> AUTOCOMPLETE="off" style="display:inline">
>>
>> Note the autocomplete attribute.

Interesting. I did not notice that, probably because it was in the
<form> tag and not the input. Good catch!

> Here is my question, and what I would like to see. A setting
> (however hidden in config files etc.) to instruct the browser to
> ignore the #($# autocomplete="off" tag.

I believe Firefox does this, but it might be a side effect of one of
the many plugins I have installed. OTOH, Firefox doesn't use the
keychain, so that's a big downside for me.

On 29 Mar 2005, at 21:49 :09, Kevin van Haaren wrote:
> --On March 28, 2005 9:18:50 AM -0800 Google Kreme
> <gkremegmail.com> wrote:
>>> Auto-filled credit card numbers look like a browser flaw to me, not
>>> like
>>> a site flaw.
>>
>> It's not a flaw when the data is stored locally in a locked/protected
>> file.
>
> It's a flaw when a simple web page can trick the information out of
> the protected file by merely creating a small field somewhere on
> the page that isn't immediately obvious and the info is auto-filled
> in.

Is it? have you verified this, or are you guessing? it should be
simple to verify. Go to a site you've ordered from and where the CC
info is autofilled in when you start to fill a field (this, btw, is a
point you missed. Auto-forms are not filled in automatically until
you start to type something IN that form); Rip out the form code
from that page and put it on your own webserver (you can use your
local mac). Make the cc field very very small and see if Safari auto-
fills.

> username/passwords are tied to a particular web site. Other fields
> are more generic and are not stored in the keychain or limited to
> use on particular URLs.

They _ARE_ stored in the keychain. Whether or not they are limited
in scope is an issue that I don't think you've fully explored.

I turn off autofill in every browser I use (that's about 8--4 Mac, 2
Windows, 2 Linux).

Why? Not security, but because I found early on that I had to correct too
many entries. For address, I prefer to use my PO box but I'm sometimes
stuck with the street address. For email, each vendor or other site gets a
unique email address, so I can track "leakage" and abandon the guilty
vendor.

I should be using the one-time (or vendor-limited) special credit card
numbers many cards offer, but I haven't begun to yet. But I do select
credit card to use based on various factors.

And so on.

Autofill cost me more time than it saved, until I turned it off.

  --John

On 4/1/2005 7:42 AM, "Google Kreme" wrote:
>> username/passwords are tied to a particular web site. Other fields
>> are more generic and are not stored in the keychain or limited to
>> use on particular URLs.
>
> They _ARE_ stored in the keychain.

Website password info is stored in the keychain. Other auto-filled form data
is stored in ~/Library/Safari/Form Values and (if you've enabled the "Using
info from my Address Book card" option) in your "Make This My Card" contact
in Address Book.


BTW, for those wondering why Safari's AutoFill feature doesn't work on some
sites:

<http://docs.info.apple.com/article.html?artnum=107841>

On 4 Apr 2005, at 10:57 :46, Dan Frakes wrote:
> On 4/1/2005 7:42 AM, "Google Kreme" wrote:
>
>>> username/passwords are tied to a particular web site. Other fields
>>> are more generic and are not stored in the keychain or limited to
>>> use on particular URLs.
>>>
>>
>> They _ARE_ stored in the keychain.
>
> Website password info is stored in the keychain. Other auto-filled
> form data
> is stored in ~/Library/Safari/Form Values

This is only used for form data from http:// URLS. Form data from
https:// urls is stored in the keychain. This is why Safari asks me
for my keychain password when i first go to a https:// page.

> <http://docs.info.apple.com/article.html?artnum=107841>

Does anyone know of a utility to disable Safari's honoring of these
request?

I don't care what some web site author has decided should and should
not be autofilled.


--
"I don't care how much melanin you have in your skin nor who you
sleep with, you can't have my cheese."