by Acorn
5472 days ago
If someone managed to compromise LastPass' servers, they would be able to modify the content that was sent to your browser, and thereby do anything they wanted with your master password after you typed it in. That's the weakness of services that are supposedly "Host-proof". If the host is sending you the webapp/javascript/webpage in which your data is decrypted, each and every time you visit their website, you have to trust that they won't (or someone else won't) modify it in a malicious way in order to gain access to your data. The only way to be safe from this kind of attack is to use the same trusted copy of the code, and not use any new versions until you trust that it is also safe, or to somehow verify that the webpage sent to your browser is exactly what you expect it to be. Cortesi has a very good write-up on this issue: http://corte.si/posts/security/hostproof.html
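Added example, not part of the comment above and not code from LastPass or Cortesi: one way to check that a delivery is "exactly what you expect it to be" is to pin a digest for every file of the copy you decided to trust and compare each later delivery against those pins. The file names and contents are constructed sample data, and the check is assumed to run outside the page being checked, since code served by the host cannot vouch for itself.

```python
import base64
import hashlib
import hmac

def sri_digest(data: bytes) -> str:
    """Return a Subresource-Integrity style digest: 'sha384-<base64>'."""
    return "sha384-" + base64.b64encode(hashlib.sha384(data).digest()).decode("ascii")

def build_pins(trusted_assets: dict[str, bytes]) -> dict[str, str]:
    """Record one digest per file of the copy you reviewed and decided to trust."""
    return {path: sri_digest(body) for path, body in trusted_assets.items()}

def verify_delivery(pins: dict[str, str], served: dict[str, bytes]) -> list[str]:
    """Compare what the host sent this time against the pinned copy.

    Returns a sorted list of findings; an empty list means every pinned file
    arrived byte-for-byte identical and nothing extra came with it.
    """
    findings = []
    for path, expected in pins.items():
        if path not in served:
            findings.append(f"missing: {path}")
        elif not hmac.compare_digest(expected, sri_digest(served[path])):
            findings.append(f"changed: {path}")
    # A file the pinned copy never had is new, unreviewed code on the same page.
    findings.extend(f"unpinned: {path}" for path in served if path not in pins)
    return sorted(findings)

# Constructed sample data: a tiny stand-in for a web vault's page and script.
TRUSTED = {
    "/vault.html": b"<script src='/vault.js'></script>",
    "/vault.js": b"function unlock(pw){ return deriveKey(pw); }",
}
# Constructed later delivery: same page, script altered, one extra file.
TAMPERED = {
    "/vault.html": TRUSTED["/vault.html"],
    "/vault.js": b"function unlock(pw){ /* modified */ return deriveKey(pw); }",
    "/extra.js": b"/* not in the trusted copy */",
}

if __name__ == "__main__":
    pins = build_pins(TRUSTED)
    print(verify_delivery(pins, TRUSTED))    # identical delivery
    print(verify_delivery(pins, TAMPERED))   # altered delivery
```

Any non-empty result means the delivery is a new version in the comment's sense and has not yet earned the trust the pinned copy has.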