by dohko 5057 days ago
Well.. why not do it half client-side and half in the cloud? For example, why not build a pwd-management application which sits in the cloud.

Have the application store in a secureDB in the cloud your encrypted list of passwords. These would be encrypted with a master pwd stored in the local pwd repository of your (mobile) browser.

The idea would be to have the browser do all the leg work for you and have the pwd management service available from anywhere.

The browser would automatically generate a new complex pwd for each new website you subscribe to, then encrypt it and send it over to the pwd mgmt app in the cloud. When you authenticate to the website, the browser queries the pwd mgmt app for the pwd of the site. The app sends it to the client.

In this whole process the whole encryption/decryption happens locally, thus limiting the attack surface. It would be easy to use and overall seamlessly integrated with any device you own that has access to the internet.

1 comment

That's exactly what Clipperz does :).

The main weak point is there's no way for the user to know if the javascript they're downloading is the correct Clipperz javascript, or a trojan'd version that will send my master password and decrypted database off somewhere. So, pretty much all is still lost if someone is able to break into Clipperz and modify the javascript without being noticed for a while.

A possible solution to that is to implement a browser extension to hash the javascript (and perhaps display it as a visual hash) so the user can at least easily check whether it's changed. This has been on my "possible side-project" list for a while...
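
The check proposed in the comment above, as an added example that is not part of the thread and is not Clipperz code: hash every script a page delivered, compare the full digest with a pinned value, and render a short visual fingerprint. The function names, URLs, script bodies and glyph alphabet are hypothetical, and the pinned digest is assumed to come from a load the user already trusts.

```javascript
// Added example: hypothetical core of a "hash the delivered JavaScript" check.
const { createHash } = require('node:crypto');

// 16 glyphs, one per nibble, for the visual fingerprint (arbitrary choice).
const GLYPHS = '.:-=+*#%@oOxX/|~';

// One SHA-256 over all scripts in load order. Each URL and body is
// length-prefixed so moving bytes between fields changes the digest.
function bundleDigest(scripts) {
  const h = createHash('sha256');
  for (const { url, body } of scripts) {
    for (const part of [url, body]) {
      const buf = Buffer.from(part, 'utf8');
      const len = Buffer.alloc(4);
      len.writeUInt32BE(buf.length);
      h.update(len);
      h.update(buf);
    }
  }
  return h.digest();
}

// 4x4 glyph grid from the first 8 digest bytes. This is only a 64-bit
// hint for the eye; the pass/fail decision uses the full digest.
function visualHash(digest) {
  const rows = [];
  for (let r = 0; r < 4; r++) {
    let row = '';
    for (let c = 0; c < 2; c++) {
      const b = digest[r * 2 + c];
      row += GLYPHS[b >> 4] + GLYPHS[b & 0x0f];
    }
    rows.push(row);
  }
  return rows.join('\n');
}

// Compare what was delivered with the pinned digest (hex, any case).
function checkBundle(scripts, pinnedHex) {
  const digest = bundleDigest(scripts);
  const hex = digest.toString('hex');
  return { ok: hex === pinnedHex.toLowerCase(), hex, visual: visualHash(digest) };
}

// Constructed sample input: a known-good load and one with a changed body.
const knownGood = [
  { url: 'https://example.invalid/app.js', body: 'function unlock(p){return open(p);}' },
  { url: 'https://example.invalid/vault.js', body: 'function open(p){/* ... */}' },
];
const tampered = [knownGood[0], { ...knownGood[1], body: knownGood[1].body + '\n/* changed */' }];
```

A real extension would also have to cover inline scripts and code loaded after the initial page load, which this sketch does not attempt.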