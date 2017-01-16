You are looking at intermediate data of what's stored in your decrypted blob. Yes, some things are encrypted twice in the Lastpass vault.
The contents considered "unencrypted" by the blog post are actually only accessible after your private key has been provided.
"How can Lastpass show me the Google logo?" It's shown by your Lastpass Extension, after your vault has been decrypted with your password. It's the same reason that Lastpass can show you the password saved for Google!
Notice that request has an unencrypted folder name, "Email." Those folder names are only accessible after the decryption of the entire vault.
URLs are encrypted. LastPass does not know your URLs.
I noticed the article does not include the destination URL for this request, only the parameters. So I can't make a determination as to why this request was made and who the destination server is.
I just tried adding a new site to the "Email" folder, and no requests to remote servers showed up in my Network tab.
IF the LastPass extension really does make a call to lastpass.com with this information, then, yes, there is a possibility that Lastpass can track these hashes in some separate store. But that doesn't mean that the encrypted vault blob has the unencrypted data as claimed.
NSA: LastPass, we suspect that John Smith uses your service. Give us access to John Smith's password database.
LastPass: We cannot, all of John's usernames and passwords are encrypted and we ourselves don't have the key.
NSA: Alright, then, give us the websites for which John Smith's database has credentials for, and we'll subpoena each website of interest individually.
If John Smith has known email address JohnSmith@gmail.com, it is probably safe to assume that the email is the login for at least some of the websites of interest, and can then ask each website for info on that particular user.
Seriously if you have a threat model that includes the NSA you've already lost.
You are completely correct that any threat model that includes direct attention from the NSA is insurmountable. Even highly skilled targets like OBL are eventually defeated.
I normally don't assume astroturfing without concrete evidence, but there is no information in the post that explains why the author is anonymous and the creator of BitWarden has previously made comments without disclosing their affiliation (https://news.ycombinator.com/item?id=12754396).
Yes, as this seems to be an initial marketing attempt by Kyle Spearrin (the creator of Bitwarden) to unveil his own LastPass alternative while simultaneous making LastPass seem untrustworthy. Regardless of whether the issue detailed in this article is true, the following timeline cannot be ignored:
1. Bitwarden.com was registered on Nov. 16, 2015
2. The initial commit to bitwarden/core was on Dec. 8, 2015
3. Release v1.3.0 of Bitwarden is issued on Jan 16, 2017
4. A quick fix release v1.3.1 is issued on Jan 17, 2017
5. Bitwarden.com gains an SSL certificate on Jan. 17, 2017
6. This article arrives touting an unknown LastPass alternative on Jan. 18, 2017
Suspicious? I am. Especially since Kyle is the only contributor to the project, as well.
The only thing unencrypted is the site's domain name. Who cares? Site domains are public anyways.
Definitely two opinions on this matter, I suppose. But for me, I really don't care that they don't encrypt the domain names for the sites.
FTA, which is clearly more than a domain name:
https://accounts.google.com/ServiceLogin
For a really simple example, I guess there are quite a few people with a pornhub account in their vault. I'd guess a significant portion of those users don't want that fact to become public.
Bitwarden looks interesting, but it doesn't seem to support team features, nor does it seem to have any documentation, or even an "about us" page.
I don't necessarily need LastPass to be there in 5 years, since I can export and recover what I need into another manager if I need to, but I personally don't want to go into something that is set up right now to not be there in 5 years.
This is not a permanent objection forever and ever, amen. If my objections go out of date, I'd consider at least trying it.
Hi there,
bitwarden is currently sponsored by the Microsoft BizSpark program which covers many of our operation costs and allows us to offer services for free to our users. We are working to introduce enterprise features for businesses in the future which will allow us to monetize. For now though, everything is free for users.
Let me know if you have any other questions.
Wine works too.
Can't even begin to count the # of times it lost a newly generated password, or it failed to swap the password for a website, or didn't immediately show a password I just created until I did a full refresh, or it has opaque rules about what can be shared with teammates. Would be great if they put more focus on getting the fundamentals right before expanding the feature set.
LastPass always thinks I want to replace credentials for subdomain sites. all the time.
When I have a password saved for foo.com
And then I try to save a password for bar.foo.com.
LastPass, for all that is holy and good in the world, stop assuming I want to replace my password for foo.com damnit.
Lack of linux client (which I suspect are more likely to pay for a password management system)
I see a ton of reviews all over the Internet claiming it's one of the best password managers, and I wonder if these reviewers and websites didn't just get paid some money to write a positive review without ever installing, let alone using the software. With the software being so shoddy, I would not trust my passwords to Lastpass even if they ended up fixing the UX. I ended up deleting my account and switching to Enpass which has worked flawlessly. On top of that, I don't have to trust Lastpass, or any shitty company like that, with my most valuable data and can sync it over WiFi, my NAS, and shared folders in addition to cloud providers (also works in Linux).
I get that they say that everything is encrypted, but really it could be a lot worse. I definitely won't be switching password managers just because of this like some people are saying.
Keepass had tons of issues on the synch-side, merging incorrectly or just plain not syncing in addition to the android app being horrible to some extend. Additionally the chrome plugin is less well written, it's not bad but not as easy to access as lastpass.
1password is still not out on linux and I have no intention of using them until they bring out a linux client.
Bitwarden looks fishy to me (audit? pricing? funding? integration?).
If the only problem with Lastpass is that they sent out the URL of the site in cleartext over a HTTPS connection, fine, have it, there is clearly worse and it's something I'm willing to accept in exchange for one of the better password managers.
Same information that your internet provider already has linked to your ISP and can be retired by a warrant or no warrant.
On the one hand, it feels like they're being sneaky and trying to trick savvier users who might glance at the data to make sure it "looks encrypted". On the other hand, they have to have realized someone would notice eventually. Or maybe that's the point: if they obfuscated it well, someone would break it and they'd have egg on their faces. By just hiding it a little, they have plausible deniability that they weren't trying to obfuscate.
But any way you slice it, it seems weird.
However, if we want to trade off _some_, but not all privacy (in terms of what logins a vault contains), I can think of a naive obfuscation scheme where random domains are added to a login alongside the real one. Here's how that could work:
Preprocessing
* assign an order to the logos and hence numerical IDs
* pick a hash function (URL / site name) => ID
User adds a new login:
* is the URL recognized (e.g. accounts.google.com) i.e. do we have a logo for it?
* if yes, obtain its ID e.g. 1
* get N more random IDs e.g. 14, 124, 144
* save all of them as the login's metadata e.g. "logo_cache:1,14,124,144"
User requests logins (and hence needs logos):
* compute (and cache) the list of IDs of logos needed (M entries x N logo IDs each, deduped)
* pack and send the logos (hopefully a much smaller subset than all logos)
This might be modestly annoyingly resource intensive for mobile, probably not an issue for desktops.
LastPass needs to comment on this. It looks pretty bad.
Looks like their Argon2/ChaCha20 based KDBX4 format is now out too, so I've got some upgrading to do.
As for sharing - yeah, you probably lose that. Well, unless you sync a separate DB or something.
It's been a long-standing dispute... Chrome says "if people have physical access, security is broken anyway." But that's because they refuse to acknowledge the lesser threat model; "A non-tech savvy friend or family member borrowing my computer for 20 min" -or- "my computer gets stolen from my desk while I was logged in... and now they have access to all chrome passwords in plaintext."
It's infuriating. Wish they'd fix that, even if it's a superficial fix.
Actually, I think it does that on Mac OS too.
Don't know about Linux, since I haven't tried it.
When using a non-cloud solution (e.g. KeePass, local 1password installation)
- Auditable and specified ecryption: I know how my passwords are encryped. I can check this by actually decrypting and finding my passwords
- No automatic updates. You can't force an update to my client that breaks security.
Did they delete it?
The WeChat article recently posted shows one major thing about user behavior and UX architecture. Users actually prefer to have one APP on their phone representing their social identity, have all their notifications, contacts, etc. from all different communities in the app.
So this probably means that the "personal identity server" should have some default protocol to receive notifications (encrypted with user's public key) and an APP for iOS and Android. The server would have rules for processing notifications and may notify the user (eg it may stop after the first 5 or set do not disturb where only the badge updates). Upon opening the app the user would see all the notifications from all the other services (they would be fetched and decrypted). And those notifications may contain deep-links back into flows that generated the notifications, eg a chat.
What is also nice is if you can have these rules be general purpose hooks that run on the client in some isolated JS environment. Then for example you can update the list of ids that a user's contacts have on different services (if you have pairwise anonymity) in the background. And next time you visit a website the auth extension/library/app can offer to connect you with those people on that website.
I think the Personal App should
display badges corresponding to the # of websites that have caused notifications, not the # of notifications. The latter should appear only when you open the app and see the list of relying party websites.
Then each website can have a # of notifications next to it and the can be sorted eg by most recent or most urgent notifications.
Last thing - by having a personal APP I have a feeling that it would also be tied in with payments in the future. Identity service is becoming tied with payments (to prevent fraud, China now ties the two together more than any other country and cash is disappearing). So the Personal App could in the future have some standard for attaching payment methods and using them without giving the relying party anything except tokens representing payment plans the user agreed to (like Stripe does).
In this way, even though payments are increasingly tied to identity - which may lead to fascism - we can empower local communities to control the identity and maybe in the future even issue their own money on their own credit! This may help finance loans for poor people in India etc. (already shown that having a large group guarantee loans works better for everyone due to social factors etc.) and pull people out of poverty faster. @mediaprophet what do you think of these points about integrating payments inside identity App in the future?
(By the way I say community because you may host your own data AND your own identity on your own server but when it comes to reputation and payments, there has to be some others who give you this value. Maybe it will not be communities. Maybe it will be completely distributed with no centers. But so far in history, wealth and reputation and power has always found a way to concentrate itself at least a little.)
