Security Basics mailing list archives

Re: Online password manager
From: "Gregory Rubin" <grrubin () gmail com>
Date: Tue, 13 Nov 2007 09:46:38 -0800

I read through the Host-proof pattern, and I may be missing something,
but I just don't believe it.

If you don't trust them to hold your passwords, how can you trust them
to provide the JavaScript that protects them?  They don't need a
script that walks the DOM tree to find your key since they wrote the
DOM to begin with.  One or two lines of code is all that is necessary
to send the key back.  That isn't even going into the more evil ways
of sending the password back.  What if they choose to send back an MD5
hash of your key (so they know which key is associated with which
password)?  All they need is a good rainbow table on their end to
recover many of the keys.

As I said, I may just be missing something, but this whole pattern
seems badly broken unless it is only intended for use by:
1) Browsing to the page.
2) Unplugging your computer from the network.
3) Entering your key and getting the passwords you need.
4) Closing your browser and clearing all cookies for that site.
5) Reconnecting to the network.

I realize that they mention this risk, but as this fundamentally
undercuts the entire goal of the pattern, it seems rather severe.

Give me password safe on a thumb-drive any day.
