Firefox certainly gets props for going beyond that, except for 3 things:
A) a re-implementation of a keychain outside of the OS opens additional potential security issues. Generally the OS's keychain security will have more eyes / devs looking at it than Firefox's.
B) 99% of users dont use the master password mechanism
C) once the keychain is unlocked, whether it is the OS keychain or firefox's, any program can access it.
A) Can't argue with this. However, there is guaranteed always on access to Chrome password store while there is not with master password encrypted Firefox store. (While logged in of course. Which is almost always the case for attacks.)
B) I agree, but that doesn't mean there isn't extra security for the 1%. The code change to add it would be pretty insignificant and wouldn't need to inconvenience users who don't want it. One could argue this is exactly what extensions are for and I could agree with that. I believe there are some for Chrome/Firefox that utilize Keepass for example. At the same time I believe the Firefox master password is opt-in, which can explain the low uptake.
C) Yes, but it's not always guaranteed that the attack will happen when the master password keychain is unlocked or that it will be an ongoing attack. That means this is a security risk mitigation. I'm fine with that.
Only if the attacker is already running arbitrary code with access to the userdata, in which case youre screwed anyways. Such an attacker could simply log keypresses, or wait in the background for firefox's keystore to unlock, he has full access. Trying to defend against arbitrary code running in the user context is really not in the scope of what a browser should be doing.
Yeah, I said as much in my original post. However, there is no guarantee the attacker will wait around (or be around) long enough to keylog. (Might be a hit/run or the user/antivirus might detect something and stop activity.)
This seems to be a classic philosophical debate of ideal security vs realistic security. I understand the ideal security side of this, but I prefer to mitigate risk as much as possible. Luckily we have choices that fit our various needs out there. (Firefox with/without master password. Chrome/Firefox with extensions to add Keepass or other password support. Or just utilizing the OS keychain.)