
Lastpass not using certificate pinning, wut? - johnflan
It seems that Lastpass are not using certificate pinning for the webapp or desktop app. Discovered this today kinda by accident, but now realise it leaked my password to my corporate overloads.

This fundamentally undermines all of the security that Lastpass have implemented.
======
smt88
I've always been surprised that anyone thinks shared cloud password databases
are safe. You'd have to trust that service so completely.

My suggestion is to use KeePass and store your database in a zero-knowledge,
self-hosted cloud with end-to-end encryption (and also secure it with an
offline private key).

If setting up that cloud storage sounds like too much trouble, SpiderOak is a
good centralized, zero-knowledge service.

~~~
toyg
If I understand correctly, lastpass encrypts the database locally. Their cloud
sync is supposed to be all-or-nothing zero-knowledge, so I'm not sure what OP
is on about.

~~~
johnflan
This is all orchestrated over an HTTPS transport, and the transport does not use
certificate pinning.

~~~
toyg
Orchestrated how? If the passwords are not going over the wire unencrypted, it
doesn't really matter how secure the wire is -- unless the attacker is also
actively replacing stuff that does go on the wire and would touch unencrypted
passwords at some point, like JS files, but that indeed requires an active
attacker.

~~~
johnflan
A very simple case would be logging into lastpass.com: your password is passed
to lp.com via an HTTPS transport.

------
SubiculumCode
Is this real?

