"software security device"?

babbage on 2003-10-16T00:30:09

Dear aunty use.perl.org,

Does anyone here understand how Mozilla / Firebird's current security module system works? In particular, does anyone know what's up with the "software security device"?

My fiancee's computer -- a WinXP laptop with no user account passwords (it's just two of us using it, and we trust each other) -- keeps throwing these annoying dialog windows demanding that you "Please enter the master password for the Software Security Device." whenever you take Firebird to a web page with a username & password.

The catch though is that no password I can think of as a likely candidate works. A bit of Googling points to a couple of semi-promising solutions, and while all the ones I've found so far talk about Linux, the general description of the issue seems to be spot on. The workaround -- enter the Linux login account -- doesn't seem to apply here: there is no Windows system login for this account, and leaving the password field blank doesn't work either.

Following on from the Mandrake advice, I tried opening up Firebird's dialog window for the security device settings (go to Tools -> Options, then Advanced -> Certificates -> Manage Security Devices [there's a disclaimer that this is subject to move around in future releases]). This brings up a cryptic dialog window with the "Device Manager" (yay! trusted computing IN OUR TIME), with a hierarchy of cryptically labelled "Security Modules and Devices" on the left (e.g. NSS Internal PKCS #11 Module -> Software Security Device), some cryptic "details" and "values" in the middle panel, and a column of cryptic buttons over on the right. (For a crypto system, they've got being cryptic nailed :-/ ).

With those right-side buttons, three seem to do with managing what appears to be the equivalent of OSX's Keychain ("Login", "Change Password", and "Load"), but again if you click on any of those you get asked for the master password -- the lack thereof being the rabbit I'm chasing down this hole. There's also a button labelled "Enable FIPS", but there seems to be no indication of what happens when you click it or what FIPS stands for (if in fact it's an acronym in the first place).

Hilariously, there's also a "Help" button on the bottom of the dialog, but it doesn't seem to be hooked up to anything. Har har har.

----

So, the QUESTION:

Where did this thing come from, and how can one either fix or disable it? If it's like Keychain, and provides some kind of encrypted safekeeping for sensitive form data, I have no problem with doing it "right" and working logged into the subsystem. As it is now though, it's just getting in the way, and I can't figure out how to reliably get it to go away and stay away.

I say "reliably", because on some sites I get the dialog almost every time I follow a link, while on others it's just at the initial login -- I assume that this has to do with how accounts are being managed on the server, but haven't been ablle to pin down what's going on there. One annoyance per site I could deal with, but repeating it all the time like this is really getting on my nerves...

Any help wins an ice cream cone -- TIA :-)


clarification request

nicholas on 2003-10-16T11:28:46

Any help wins an ice cream cone -- TIA :-)

Would that be an empty cone, or a cone full of ice cream. :-)

(Sorry, can't help with the real problem)

Re:clarification request

geoff_field on 2004-02-09T04:54:03

I've solved it (I think!)

I'm at work using Windoze and IE6 at the moment, but on my home Linux box, the answer seems to be to get into the Mozilla settings, go to the Security tab, and change the password to a blank. You'll get a pop-up saying that it will no longer be protected, but it then seems to work OK.

DO NOT hit the button/checkbox/whatever that says "No protection" or something similar.

Can I have my cone now? How about a rhomboid?

Software ecurity device

kunperl on 2005-10-28T12:41:44

I experienced same thing today on Mozilla browser. The way around it is to reset the master password. This though would delete all passwords and certificate handled by password manager. To reset the master password, on your browser use; Edit> Prefernces>Privacy & Security>Master Passwords>Reset Passwords.

You can then change to your desire password. After 2 years, do I still get a cone?