Request: An AutoType entry matches a web site if the host component of the web site being visited matches the host component of the URL stored in the URL field of the entry.
Say I have https://uk.example.com/home stored in the URL field in the entry. By host component I mean "example.com".
When I want to login I am at, say, https://uk.example.com/login where the browser title bar shows "Customer login" which does not include example. This is frustratingly common. By host component I mean "example.com".
So, as the two host components match, Auto type is triggered. I can differentiate what I need to be typed by means of the {COMMENT} field in the entry.
At present there are add-ons which do this but I would prefer this to be built into KeePass itself. The add-on Add URL to Window title for Firefox suddenly stopped working at the recent Firefox update and none of my Auto types then worked. I had to edit each.
A further advantage is that the entry will still work even when the Web site changes the text it places in the browser Title Bar. This is again frustratingly common.
My partner uses my KeePass file without understanding how it works. My instructions "Place the cursor in user name > Press Ctrl+A ... KeePass does the rest" work fine ... until the web site changes something. This enhancement would prevent these problems.
See https://sourceforge.net/p/keepass/discussion/329221/thread/739be3e4/
This won't be added to KeePass because program interaction is not in KeePass remit.
What's wrong with WebAutoType?
cheers, Paul
Paul
Thanks.
"What's wrong with WebAutoType?". Nothing ... as long as it is always present!
There was nothing wrong with the Firefox addon Add URL to Window Title until Firefox upgraded and it instantly stopped working so all my AutoTypes immediately stopped working too. I don't want that to happen again in the future and providing the function in KeePass means it will always work.
I understand the desire to insulate KeePass from other applications but I confess I do not understand the intricacies of why KeePass is allowed to read what is in the Browser Title Bar, but not allowed to read what is in the Browser Web Address field.
With the rise of phishing and false web sites imitating authentic sites, the security KeePass offers the user is completely compromised if the password is sent to a false web site. Having KeePass ensure that the user is at the correct web site greatly enhances user security.
www.mybank.com is my bank. www.mybank.com.login.ru is not. If KeePass compares mybank.com with login.ru it prevents my sending my username and password to a rogue site. If I use mybank.com as my match with the addon I send my data to the rogue site.
As you well understand, the security of a cryptographic system is more easily compromised by attacking "how it is used or misused" than by attacking the cryptography itself.
Last edit: John 2017-12-15
The functionality that you request requires application-specific integration (here via a browser extension or via browser-specific approaches based on accessibility features) and is thus outside of the scope of KeePass; this should be implemented using a plugin instead (like for instance the WebAutoType plugin does it, or any of the other integration plugins like KeeFox or ChromeIPass).
For most browsers there exist extensions that put the current URL into the title bar (which can be used in conjunction with the 'An entry matches if ...' options), including ones for Firefox 57:
https://keepass.info/plugins.html#urlintitle
Every window has a title, which can be read easily by other applications. In contrast, reading child controls of a window (like the address bar of a browser) is complicated, application-specific, and breaks easily.
Best regards,
Dominik
Dominik
Thank you for your explanation and I of course accept your decision.
"Every window has a title". No doubt, in efficient Germany, window titles are unique. In lackadaisical Britain window titles are far from unique - I use a number of sites where the page title is merely "Login".
I really would like an add-on which matched the host component "mybank.com" so as to recognise the genuine site "www.mybank.com" and reject the phishing site "www.mybank.com.login.ru".
I am trying WebAutoType in Firefox.
One can distinguish between the legitimate and phishing sites using the URL posters by including the trailing delimiter in the matching criteria.
Domain in Title adds "]" so:
www.mybank.com is posted as ...www.mybank.com]
www.mybank.com.login.ru is posted as ...www.mybank.com.login.ru]
matching www.mybank.com] eliminates the match to the phishing site.
TitleURL adds "/" so:
www.mybank.com is posted as ...www.mybank.com/
www.mybank.com.login.ru is posted as ...www.mybank.com.login.ru/
matching www.mybank.com/ eliminates the match to the phishing site.
Also, you won't end up at phishing sites if you use a URL stored in KeePass to navigate to important sites.
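The host comparison requested earlier in the thread and the trailing-delimiter title match from the post above, side by side, as an added example that is not part of the thread and is not KeePass or plugin code. The function names, the stored `site` value and the window-title layouts are assumptions; only the host names and the trailing "]" and "/" come from the posts.

```python
from urllib.parse import urlsplit

def host_of(url):
    """Host component of a URL, lower-cased, without port or trailing dot."""
    return (urlsplit(url).hostname or "").rstrip(".").lower()

def host_matches(visited_url, site):
    """True if the visited host is `site` or a subdomain of it.

    The comparison is anchored at the right-hand end of the host and at a
    label boundary, so 'www.mybank.com.login.ru' does not match 'mybank.com'.
    `site` is a hypothetical value stored with the entry.
    """
    host, site = host_of(visited_url), site.lower()
    return host == site or host.endswith("." + site)

def title_matches(window_title, pattern):
    """Plain substring match, standing in for a window-title rule."""
    return pattern.lower() in window_title.lower()

# Constructed sample data: the title layouts are made up for this example.
GENUINE = "https://www.mybank.com/login"
PHISH = "https://www.mybank.com.login.ru/login"
TITLES_BRACKET = {GENUINE: "Login [www.mybank.com]",
                  PHISH: "Login [www.mybank.com.login.ru]"}
TITLES_SLASH = {GENUINE: "Login - https://www.mybank.com/login",
                PHISH: "Login - https://www.mybank.com.login.ru/login"}

def report():
    """Outcome of each matching rule for the genuine and the look-alike URL."""
    rows = {}
    for url in (GENUINE, PHISH):
        rows[url] = {
            "host": host_matches(url, "mybank.com"),
            "title_no_delim": title_matches(TITLES_BRACKET[url], "www.mybank.com"),
            "title_bracket": title_matches(TITLES_BRACKET[url], "www.mybank.com]"),
            "title_slash": title_matches(TITLES_SLASH[url], "www.mybank.com/"),
        }
    return rows

if __name__ == "__main__":
    for url, row in report().items():
        print(url, row)
```

Only the pattern without a delimiter accepts the look-alike host; the host comparison and both delimiter patterns reject it.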
Unless you get DNS poisoning or man-in-the-middle re-direction.
cheers, Paul
True, but I don't think there's much an end user's computer can do to protect against those kinds of attacks. (Use the IP address in place of DNS name?)