Mario, I really appreciate the time you've taken to put together your response below. You raise some important points and I've answered inline for context...
Kuba On Saturday, March 29, 2014 2:41:41 AM UTC+10:30, PMario wrote: > > Hi Kuba, > > Are you the owner of the company? github suggests it. > > Yes I am, but EveryPass is written by a group when we have time to do it. > There has been a topic about TW5 as a password store. My opinion [1] about > an html app as a password store has not changed very much. > > I definitely think, that a single purpose app is less vulnerable, if > always loaded from https, than a "framework" like TW5, which is designed to > include all sorts of 3rd party plugins. ... I think it is a good move, that > you inform your users at the "Security" section of your page [2], about the > pro and cons. > The primary usecase is to load it from your file system and we assume that you trust the device you are using. Our intent is to provide a more portable option for password management rather than replace the good existing solutions. Security is about managing risk and the level acceptable in one situation may not be in another and part of this is articulating the risk properly. > > I want to point out 2 sentences, that make me think: > > "Once you start using EveryPass, the original signatures will no longer >> match since you add your data to the mix, you can however use our Validator >> service to check files you are unsure about. " >> > > You provide 2 checksums on your page, that should make users feel save but > in the text you write, that these 2 values are broken in the second I use > the program. > - So what's the value of those checksums? > If you happen to download EveryPass from a 3rd party (like all the download websites out there) you can verify if it is original or not. Our assumption (right or wrong) is that if someone understands what the signatures are they've probably verified software authenticity that way before. For others (probably the majority) they are useless. - How can I use the app offline, if I need an online validator to check > its integrity? > EveryPass (and all other HTML/JavaScript apps) are vulenrable when in transit over insecure channels, i.e. email or HTTP, mainly because there is no JS code signing available. If you are offline and someone has breached your computer to the point where they modify your files (virus etc.) you can not trust that coputer any more. No software that runs will be secure. So if you trust your computer, there is no need to validate EveryPass, only when that trust is broken you need to validate (a point we should make clearer on our website). > - If I download an empty version, how can I locally check the integrity > (How can I calculate the checksum of a file?) > There are a number of hashing programs available, perhaps we should make it more overt that when you download from Consunet over HTTPS you don't have to check because the channel guarantees integrity. > "Alternatively, you could download a new copy and import the data from the >> copy that you no longer trust." >> > > IMO it doesn't make sense to move possibly compromised data to a new app. > The data may be compromised, you can't trust it anymore, so you need to > change all your passwords ... immediately. > It is not possible to compromise the user's password data unless you break AES 256 encryption (attack vector 1). The other attack vector, and the one that is much simpler to do, is to modify the JavaScript in the unencrypted part of EveryPass so that it betrays your master password (attack vector 2). When EveryPass imports from a corrputed copy it only gets the encrypted data (which requires attack vector 1 to break and is highly unlikely). Import function protects against the more likely attack vector 2 which is normally guarded against by code signing, so even in the event that you get a corrupted EveryPass you don't have to run for the hills, just import into a fresh one. Or said another way, EveryPass file contains both the software and the encrypted database, when you import it reads just the database and ignores all everything else (exactly what other password managers do when they move encrypted database between devices). > > ------------ > I did play a little bit with the browser dev console. > > I think plain text passwords should _not_ be stored in the DOM, longer as > necessary (<10 seconds). It's too easy to read them, with a one liner and a > little bit of "getElementsByTagName" > EveryPass relies on the browser sandbox to prevent cross domain access (other websites scraping forms). If this is broekn we should all should stop using the Internet now. If you have some software on your device which is scraping your browser input fields I'd suggest that you're already compromised. Doing anything to hide passwords whilst EveryPass is running is next to pointless because the attacker has probably scraped your master password first and it is very much game over. In my opinion hiding stuff for 10 seconds or some other time is just "security" through obscurity. > > There is no count down, that "re-encrypts" the stuff. ... So if I change > the browser tab and leave the pc, everything is there to be used. ... > We do intend to fix this :-) https://github.com/Consunet/Apps/issues/4 > > IMO you should think about the delete button dialog again! > Great point. > > I think: "havefun" as a pw is not OK and "havefunmario" is not a strong > password, even if the app thinks so. > We know we need to work on our password strength alg, this will come when we add password generation functionality. > > have fun! > mario > > [1] https://groups.google.com/d/msg/tiddlywiki/zsUIynWxmww/qO6W-d0YCrwJ > [2] https://www.consunet.com.au/products/everypass/ > -- You received this message because you are subscribed to the Google Groups "TiddlyWikiDev" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To post to this group, send email to [email protected]. Visit this group at http://groups.google.com/group/tiddlywikidev. For more options, visit https://groups.google.com/d/optout.
