by IgorPartola 4454 days ago
This cannot be. Your passwords (the ones you are trying to protect) must be encrypted using your master password. LastPass needs to decrypt them somewhere using your master password. What you are describing is how their browser extension seems to work. However, their website does not require the extension to work. So either they implement security in JavaScript that's running within the page (cannot by definition be done securely), or they store all your passwords in a way that they can decrypt them (invalidates the use case for LastPass).

We implement everything in JavaScript on that page if you're trying to login from the website -- which is as secure as that page load -- LastPass recommends people utilize the extensions to mitigate this risk.

Our choice could be to not allow people to utilize the website but it seems like educating people of the risks and letting them decide is the best policy.

Very happy to get a reply from someone from LastPass!

So then what would prevent someone from using the Heartbleed attack to obtain your private key that you used to secure the HTTPS connection from me to your servers, then inject malicious JavaScript into the page where I enter my password? This is the attack I am worried about outside of Heartbleed as well, since any CA can issue a valid certificate for lastpass.com and I would not know that I am being MITM'ed.

From a strict security point of view, disabling website access seems like the best policy. From a usability standpoint, I understand the tradeoff you made. Perhaps an option at the account level that disabled website access might be a good idea.

Also, how are the share/give functions handled? I know that "share" is not really keeping my password from being seen by the other person (there are a variety of techniques they can use to get at it), but how is the encryption handled on your end?

Lastly, how do I know that the browser extension I download from you is secure? Is there a way for me to verify it somehow?

Having said all that, I absolutely love your product and recommend it to everyone I know. It's a huge net win in terms of security.

The passwords are decrypted locally on your machine using JavaScript, not on the LastPass servers.