Re: criticism of web based password manager requested

From: masukomi (masukomi_at_gmail.com)
Date: 06/07/05


Date: 7 Jun 2005 11:18:29 -0700

As you said, there's no getting around the spyware / keylogger issue,
which is even more moot considering that regardless of where / how you
stored your passwords you'd still be unknowingly typing them in on a
compromised box. So I'm not going to worry about that one because that's
just a danger of computing on boxes you don't fully control.

I'm not sure what version issues you're referring to ... it's the
latest version.. if it's changed by someone else then it's either not
going to work (different encryption key (obvious because you can't
decrypt it) or different data (can't log in with it)) or it's going to
work just fine.... ignoring the fact that your data has been
compromised, versioning doesn't enter into it really.

The js being untrustworthy on a server you don't maintain is again the
price of using other people's software when you don't have a trusted
hash key to compare the install to... so again I'm not going to worry
about that.

I'm worried about the security of MY install of it. Not if it's safe on
someone else's box, because I know I can't trust another box unless I can
see the code.. and that's part of the point here.. I (or anyone else)
can always check the js to see what it's doing before trusting the
server. With the correct js in place I don't have to trust ANYTHING
about the server it's submitting to.

SSL HTTP authentication would be compromised if the server was hacked
into, which is an all too frequent problem. This is a multi-user system
so I can't encrypt the whole db.

The domain restriction goes against the whole point of a system you can
access anywhere.

Also, side note that there is no Java applet involved ... just
JavaScript, no signed signatures involved .... Yes, I can throw SSL on it
and use that for verification if I want it.

In the current system each password in the db is encrypted separately,
not en masse... but you could figure out the id of the one that was
being updated by watching the data stream if there wasn't any SSL.

But aside from the standard issues of security on the web, do you see
any holes in the mechanism itself?

-Kate


