Comment on Password managers are less secure than promised
victorz@lemmy.world 5 days agoBut these issues were patched before even publishing the findings, right?
Comment on Password managers are less secure than promised
victorz@lemmy.world 5 days agoBut these issues were patched before even publishing the findings, right?
unexposedhazard@discuss.tchncs.de 5 days ago
There is no way to patch this. Its an inherent flaw of delivering client software through a web browser. If the entire client is delivered as a web page from a server you dont control, then that server can modify the software however it pleases.
victorz@lemmy.world 5 days ago
This feels a bit extreme though. Can you even trust anything online at that point? Do you also never leave your home carrying your wallet in case someone might rob you?
unexposedhazard@discuss.tchncs.de 5 days ago
Bro i have my bank details, all my private 2FA, work 2FA, health insurance access, my families master passwords, steam access, and more in there. Its literally the most important piece of software that can exist in this day and age. No im not taking chances with that. The only thing you can do with my physical wallet if you rob me is buy something up to 20€ beyond which you need the cards pin. Everything else i can just deactivate by calling the relevant parties.
victorz@lemmy.world 5 days ago
I assume you follow proper backup protocol of you are using offline password management.
How do you sync though? You keep one copy on your phone or something, I imagine? What apps and managers are you using?
BennyTheExplorer@lemmy.world 4 days ago
This comment shows that you know less about computers, than you may think. You can definetly make end to end encryption work using a Website. JavaScript runs client side. So as long as you trust the encryption algorithm (which in elements case you definetly can, because it is OSS), the encryption is safe and your unencrypted data never leaves the device.
bcnelson@lemmy.world 4 days ago
The point is you are trusting the JavaScript that the server delivered to you. If the server is compromised, it hands you compromised JavaScript and you’re screwed. It’s the exact same thing as going to evil.com and entering your master password. I think that you inherently understand that evil.com is untrusted. However, if passwordmanager.com is compromised by the same people who own evil.com. there’s really no difference.
BennyTheExplorer@lemmy.world 4 days ago
I understand, but wouldn’t the same problem occur, if the server for the website you download your software from or the server for your package manager would be compromised? Even if you would buy your software physically on a CD, there would be a chance someone has messed with the content on a CD.
So I don’t really see this as a flaw unique to browsers. Am I wrong?
unexposedhazard@discuss.tchncs.de 4 days ago
Yes of course you CAN make it safe in theory, but unless you run it locally or on your own server, you cant be certain that the javascript delivered to you from the hoster hasnt been modified. Its like having autoupdates on but you have zero control over when or how the updates take place, because every time you open the page it could be different code from the last time.