by pwman
4454 days ago
We implement everything in JavaScript on that page if you're trying to log in from the website -- which is as secure as that page load -- LastPass recommends people utilize the extensions to mitigate this risk. Our choice could be to not allow people to utilize the website, but it seems like educating people of the risks and letting them decide is the best policy.
So then what would prevent someone from using the Heartbleed attack to obtain your private key that you used to secure the HTTPS connection from me to your servers, then inject malicious JavaScript into the page where I enter my password? This is the attack I am worried about outside of Heartbleed as well, since any CA can issue a valid certificate for lastpass.com and I would not know that I am being MITM'ed.
From a strict security point of view, disabling website access seems like the best policy. From a usability standpoint, I understand the tradeoff you made. Perhaps an option at the account level that disabled website access might be a good idea.
Also, how are the share/give functions handled? I know that "share" is not really keeping my password from being seen by the other person (there are a variety of techniques they can use to get at it), but how is the encryption handled on your end?
Lastly, how do I know that the browser extension I download from you is secure? Is there a way for me to verify it somehow?
Having said all that, I absolutely love your product and recommend it to everyone I know. It's a huge net win in terms of security.