
LastPass and the Heartbleed Bug - mjhoy
http://blog.lastpass.com/2014/04/lastpass-and-heartbleed-bug.html
======
theboss
I don't understand how anyone can throw LastPass under the bus here.

0day where an unbelievable amount of sites are affected. LastPass comes out
and says we were vulnerable and we fixed it and provides information as to
what it means for your data... I wish everyone did that...

edit: A lot of people recommend KeePass. KeePass is vulnerable to the same
thing everyone else is worried LastPass was vulnerable to. KeePass's download
site is HTTP. You could be getting trojaned binaries and incorrect shasums if
you download it from ANYWHERE.

~~~
streptomycin
I installed keepassx through my distro's package manager.

~~~
theboss
Where do you think they got the package from?

~~~
IgorPartola
To be fair, not where you think he got it from (it seems). For example, in
Ubuntu you download all packages over plain HTTP. Worried yet? Don't be. Let
me tell you why:

A Debian repository (a repository of .deb packages) is a directory containing
*.deb files, a list of packages in a file called Packages and a description of
the repository in a file called Release. Every package listed in Packages
includes the filename, the name and version of the package, and several
checksums of the file (typically MD5sum, SHA1, SHA256, and SHA512). Thus if
you trust Packages you can verify the integrity of the .deb file.

Why should you trust the Packages file? Well, its checksums are listed in the
Release file.

Why should you trust the Release file? Because there is a signature of it
available in Release.gpg file. The signature is created by the distribution
maintainers.

How can you trust this signature? Because your initial installation ISO, etc.
came with the public key of the distribution maintainers which APT uses to
verify all the packages. How can you trust the ISO you used to install it?
Because presumably you verified the checksums of it when you downloaded it,
and you obtained those checksums over a secure channel at the time of the
installation.
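
The hash chain described in the comment above, as an added example that is not part of the original thread: a small Python check that walks Release -> Packages -> .deb over a constructed in-memory repository. The package version, index path and file contents are made up for the example, and the Release.gpg signature check on Release is assumed to have passed already.

```python
import hashlib

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def parse_release(text: str) -> dict:
    """Map index path -> (sha256, size) from the 'SHA256:' block of a Release file."""
    entries, in_block = {}, False
    for line in text.splitlines():
        if not line.startswith(" "):           # a new top-level field starts here
            in_block = line.strip() == "SHA256:"
        elif in_block:
            digest, size, path = line.split()
            entries[path] = (digest, int(size))
    return entries

def parse_packages(text: str) -> dict:
    """Map Filename -> (sha256, size) for every stanza in a Packages index."""
    result = {}
    for stanza in text.strip().split("\n\n"):
        fields = dict(l.split(": ", 1) for l in stanza.splitlines() if ": " in l)
        result[fields["Filename"]] = (fields["SHA256"], int(fields["Size"]))
    return result

def verify_chain(release: str, index_path: str, packages: bytes,
                 deb_path: str, deb: bytes) -> str:
    """Return 'ok' or the first broken link. Release is assumed signature-checked."""
    if parse_release(release).get(index_path) != (sha256(packages), len(packages)):
        return "Packages does not match Release"
    if parse_packages(packages.decode()).get(deb_path) != (sha256(deb), len(deb)):
        return ".deb does not match Packages"
    return "ok"

# Constructed sample repository (not real package data).
DEB = b"constructed .deb payload"
DEB_PATH = "pool/main/k/keepassx/keepassx_0.0_amd64.deb"
PACKAGES = (f"Package: keepassx\nVersion: 0.0\nFilename: {DEB_PATH}\n"
            f"Size: {len(DEB)}\nSHA256: {sha256(DEB)}\n").encode()
INDEX = "main/binary-amd64/Packages"
RELEASE = f"Suite: example\nSHA256:\n {sha256(PACKAGES)} {len(PACKAGES)} {INDEX}\n"

if __name__ == "__main__":
    print(verify_chain(RELEASE, INDEX, PACKAGES, DEB_PATH, DEB))
    print(verify_chain(RELEASE, INDEX, PACKAGES, DEB_PATH, DEB + b"\x90"))
```

A party on the plain-HTTP path who swaps the .deb must also rewrite Packages, and that rewrite fails against the signed Release, which is why the transport does not need to be trusted.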

~~~
theboss
I'm aware how you download packages but I don't know how Ubuntu actually gets
the packages it will be distributing.

How do we know Ubuntu isn't distributing a trojan'ed version of KeePass? is
what I'm saying. If KeePass doesn't have a secure mechanism for distribution
then how can you be sure Ubuntu got the correct copy?

~~~
bad_user
Distributions like Ubuntu are not picking up and distributing random packages
from the Internet. Usually it's either the software author that does the
packaging by himself, or a package maintainer that has a direct relationship
with the software author.

Encryption/signing is only for proving that the source is who it claims it is.
It doesn't mean that you can trust the software itself. Towards that end
you've got source-code. Ubuntu's software packages are built from source and
you can inspect it - yes it may not be feasible, leaks may escape even trained
eyes and so on and so forth, but the source-code is there available for
inspection and nothing short of a source-code review can _prove_ that the
software does what it claims.

~~~
theboss
The only point I'm making, and I hope the other guy reads this as well, is
that KeePass isn't as bulletproof as people act like it is when criticizing
LastPass. It has its problems, just like LastPass. I was simply playing devil's
advocate.

It's very much the "Oh I don't get viruses I have a Mac" argument that I've
heard a lot of non-computer people say. This is undeniable because I'm sure
many Windows KeePass users go to the site every download.

~~~
IgorPartola
OK. I guess for me it sounded like you were saying the big problem is with the
actual download of the software, not with the software itself. That's two
different beasts that need to be attacked very differently.

------
efuquen
Not understanding some of the responses, I think they did a pretty nice job
trying to address the issues in their posts. Of course you could have been
MITM but the vast majority of that danger comes from using public wifi and if
you're smart you should be using a VPN provider anyway.

Realistically speaking here they found out about this at the same time as
everyone else did and addressed it pretty quickly and professionally. Is there
really anything else they or anyone else could have done, other than just use
KeePass? Which has its own major inconveniences that can only be addressed by
_some_ sort of cloud based solution (whether controlled by you or someone
else), which probably would very likely have been using OpenSSL as well ...

~~~
yblu
Any VPN provider that you can recommend?

~~~
efuquen
I use privateinternetaccess, good reference comparisons:

[http://lifehacker.com/5935863/five-best-vpn-service-provider...](http://lifehacker.com/5935863/five-best-vpn-service-providers)

[https://torrentfreak.com/which-vpn-services-take-your-anonym...](https://torrentfreak.com/which-vpn-services-take-your-anonymity-seriously-2014-edition-140315/)

~~~
yblu
Great, thanks a lot for the links.

------
icebraining
I don't get it. If someone captures the SSL cert, they could be MITMing the
server. Which means they could be serving poisoned JavaScript code to everyone
who was using the website or the bookmarklets, code that could send the master
password to the attacker's servers.

How is this not vulnerable?

EDIT: and more, what guarantees can they offer that the plugins downloaded
from their site ever since they were vulnerable are not themselves
trojanized? OpenSSL has been vulnerable since _March 2012_, how many
downloads did they have since then?

~~~
Erwin
I'm unclear on what you mean by "MITM... serving Javascript to EVERYONE". In a
typical MITM scenario, you've logged into your coffee shop with an insecure
network, or you are in some Middle Eastern country where all traffic is under
control of the government.

Unless you are somehow able to route all traffic through your network, you
cannot MITM "everyone", even if you have the private certificate for
lastpass.com.

~~~
jsn
Of course you can -- for example, if you are NSA and in position to apply
pressure to whoever hosts LastPass SSL frontends.

~~~
icebraining
If you're the NSA, you can probably get a CA to sign a cert for you, no need
to steal theirs.

But MITM can still affect a lot of people if the attacker can get into a big
gateway (e.g. large company, ISP, university, etc).

~~~
Xylakant
> If you're the NSA, you can probably get a CA to sign a cert for you, no need
> to steal theirs.

That would leave a trace (at least the person issuing the cert would know)
while heartbleed doesn't.

------
EGreg
_Also, LastPass has employed a feature called “perfect forward secrecy”. This
ensures that when security keys are changed, past and future traffic also
can’t be decrypted even when a particular security key is compromised._

I thought perfect forward secrecy simply gives you plausible deniability, or
is that in the particular case of Off The Record messaging? How is it that a
key I could have used yesterday to decrypt all the traffic I was capturing
until yesterday suddenly cannot be used to decrypt the same data, if none of it
has changed in my vault?

~~~
jnbiche
No, they're using the term correctly. The plausible deniability in OTR comes
as a _result_ of forward security. Since past and future traffic can't be
decrypted with a certain captured key, the entity that captures that key can't
cryptographically tie an identity to the previous messages.

~~~
mandalar12
It goes further than that in OTR. After the ephemeral keys are out of use, the
public keys (used for encryption, not decryption) are broadcast so if later
someone gets an old encrypted message, it could "effectively" have been written
by anyone.

------
mjhoy
LastPass puts vulnerable in scare quotes.

But to my understanding, with this bug session information to the website
could have leaked, and they don't seem to address this. Could an attacker have
hijacked logins?

~~~
pgrote
No. Here is the explanation:

"However, LastPass is unique in that your data is also encrypted with a key
that LastPass servers don’t have access to. Your sensitive data is never
transmitted over SSL unencrypted - it’s already encrypted when it is
transmitted, with a key LastPass never receives. While this bug is still very
serious, it could not expose LastPass customers’ encrypted data due to our
extra layers of protection. On the majority of the web, user data is not
encrypted before being transmitted over SSL, hence the widespread concern."

~~~
jbinto
This means "your passwords are safe, because they're encrypted with a key that
only you have".

It still means people could have hijacked your session, which is what GP was
referring to.

I don't use LastPass, but I speculate even if your data isn't vulnerable,
people could use your ID/password to do malicious things (denial of service to
your passwords being the first thought).

~~~
pgrote
I thought that too, until they mentioned logins at the end. Perhaps you are
right.

It would appear the session info would be compromised, but the login
credentials would be protected.

------
IgorPartola
The issue I have with LastPass is that they claim to never see your master
password. This is not true in any sense. Open their website, log in using your
master pass. You just submitted it to them. As a secondary thing, pick a
random password from the list and say "Show me the password"; it will ask you
for your master password. The extension you install has nothing to do with
this: you are entering the password directly into their web page and
interacting with their JavaScript and their server-side code. At this point
they have your master password.

I understand why they do this: it's convenient and lets you share/give
passwords to others. But this feature is 100% incompatible with the claim that
they never see your master password.

~~~
stungeye
My understanding is that even with their web login process your password isn't
sent to their servers in plaintext. From the comments on their heartbleed blog
post: "We only use one-way salted hashes (after going through PBKDF2 rounds)
to send to the server for authentication."

So their servers get a hashed version of your password, but not the password
itself. Their servers likely also store a hashed version of your password so
that they can authenticate you. This style of auth is also used when you use
the "show me the password" feature.
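
A generic sketch of the pattern described in the comment above, as an added example that is not part of the thread and not LastPass's code: the client stretches the master password with PBKDF2 and sends only a further one-way hash, and the server stores a salted hash of that. The iteration count, the use of the account name as client-side salt, and all function names are assumptions made for the example.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000  # assumed work factor for this example

def vault_key(master_password: str, account: str) -> bytes:
    """Client side: key that encrypts the vault; it is never sent anywhere."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(),
                               account.encode(), ITERATIONS)

def login_hash(master_password: str, account: str) -> bytes:
    """Client side: one more one-way step over the vault key; this is what is sent."""
    key = vault_key(master_password, account)
    return hashlib.pbkdf2_hmac("sha256", key, master_password.encode(), 1)

class AuthServer:
    """Server side: keeps only a salted hash of the login hash it receives."""
    def __init__(self):
        self._users = {}

    def _stretch(self, received: bytes, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", received, salt, ITERATIONS)

    def register(self, account: str, received: bytes) -> None:
        salt = os.urandom(16)
        self._users[account] = (salt, self._stretch(received, salt))

    def authenticate(self, account: str, received: bytes) -> bool:
        if account not in self._users:
            return False
        salt, stored = self._users[account]
        return hmac.compare_digest(stored, self._stretch(received, salt))

if __name__ == "__main__":
    acct = "user@example.com"  # constructed account name
    server = AuthServer()
    server.register(acct, login_hash("correct horse", acct))
    print(server.authenticate(acct, login_hash("correct horse", acct)))  # True
    print(server.authenticate(acct, login_hash("wrong guess", acct)))    # False
```

The value sent is still sufficient to authenticate if it is captured in transit, so this arrangement protects the master password and the vault key rather than the login itself.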

~~~
IgorPartola
This cannot be. Your passwords (the ones you are trying to protect) must be
encrypted using your master password. LastPass needs to decrypt them somewhere
using your master password. What you are describing is how their browser
extension seems to work. However, their website does not require the extension
to work. So either they implement security in JavaScript that's running within
the page (cannot by definition be done securely), or they store all your
passwords in a way that they can decrypt them (invalidates the use case for
LastPass).

~~~
pwman
We implement everything in JavaScript on that page if you're trying to login
from the website -- which is as secure as that page load -- LastPass
recommends people utilize the extensions to mitigate this risk.

Our choice could be to not allow people to utilize the website but it seems
like educating people of the risks and letting them decide is the best policy.

~~~
IgorPartola
Very happy to get a reply from someone from LastPass!

So then what would prevent someone from using the Heartbleed attack to obtain
your private key that is used to secure the HTTPS connection from me to your
servers, then inject malicious JavaScript into the page where I enter my
password? This is the attack I am worried about outside of Heartbleed as well,
since any CA can issue a valid certificate for lastpass.com and I would not
know that I am being MITM'ed.

From a strict security point of view, disabling website access seems like the
best policy. From a usability standpoint, I understand the tradeoff you made.
Perhaps an option at the account level that disabled website access might be a
good idea.

Also, how are the share/give functions handled? I know that "share" is not
really keeping my password from being seen by the other person (there are a
variety of techniques they can use to get at it), but how is the encryption
handled on your end?

Lastly, how do I know that the browser extension I download from you is
secure? Is there a way for me to verify it somehow?

Having said all that, I absolutely love your product and recommend it to
everyone I know. It's a huge net win in terms of security.

------
LocalMan
Password managers can protect you from being "Hacked" in the manner of
destroying all your Gmail, and can help prevent your computer from being
enslaved by a botnet. And probably help protect your bank account and any
online medical records.

But if the NSA or any competent government targets you as an individual, no
password manager can help you. TrueCrypt might help, but even that has
vulnerabilities.

------
DavideNL
This reminds me of the time when I downloaded the LastPass iPhone app, synced
it with my MacBook's LastPass, opened the LastPass iPhone app _for the first
time_ and it uploaded all my data to iCloud without asking for permission...
#fail

It was about a year ago, and at the time the iPhone app apparently defaulted
to 'sync -> iCloud -> on'.

------
davexunit
Don't worry, you're still storing secret information with a proprietary web
service that you can't audit. You're safe!

~~~
RainbowRandolph
The website and extensions are mostly JavaScript, so you can audit the code
yourself if you wish. LastPass does use a proprietary plugin for some
features, but they have a binary free version for most, if not all browsers.

------
borplk
Thank god I'm using KeePass; I can put my head on the pillow comfortably.

------
blueskin_
Should have used KeePass. Even HTTPS isn't perfect, so uploading your data to
a third party is a bad idea.

~~~
Fishkins
I've heard people say this before, but I'm a little confused by it. Do you
only use one device? If not, how do you keep the PWs for your devices in sync
without uploading your data somewhere?

~~~
Sprint
Using my local network or USB. Aren't most if not all your devices using your
network too? There is no need for your private data to leave your network when
you want to sync!

~~~
ds206
How do you easily connect to your network from your phone?

~~~
Sprint
I enable Wi-Fi and let it log in. Takes 3-5 seconds.

~~~
blueskin_
...just answered it for me. I scp it across intermittently, as I rarely
actually use it on my phone.

