I remember submitting a version of this cover last summer, and getting a response along the lines of “I’m not sure we’re there yet.”
After not looking at it for almost a year, I made a number of revisions to the drawing and basically redid the colors, and I’m grateful I had that opportunity.
Conceptually, what could be simpler than a password manager? It’s just a trivial key-value store.
Things start to go wrong when you want integration with other applications, or when you want data synchronized by an untrusted intermediary.
It’s difficult to tell the difference between a competent implementation and a naive one.
The tech press can review usability and onboarding experience, but can’t realistically evaluate any security claims.
Advice on this topic needs to be specific.
It’s better to recommend implementations that are well designed, rather than general product categories.
Most online password managers use content scripts
There are two primary components that make up your browser interface, the chrome (confusingly, the term has nothing to do with Google Chrome) and the content area.
The chrome contains things like the address bar, tabs and back button. These components can be trusted, and websites can’t interfere with them.
Conversely, anything inside the content area can be controlled by the website and therefore it can’t be trusted.
It’s not unusual to have different parts of the content area with different privileges; that’s basically how iframes work.
This problem [that a malicious website can tamper with password manager widgets that are injected into its content frame] is pervasive among online password managers; you can never be sure if you’re interacting with a website or your password manager.
One naive solution would be to just use XHR or WebSockets to a local HTTP endpoint.
The problem with this solution is it’s very difficult to differentiate between your content script, and a hostile script running on the same page but a different world.
Online password managers effectively inject privileged components into these sandboxed processes with extensions.
The purpose of sandboxing is to isolate potentially compromised components from each other,
but if you stuff all your most valuable secrets inside the sandbox - then what’s the point?
If you want to use an online password manager, I would recommend using the one already built into your browser.
They provide the same functionality, and can sidestep these fundamental problems with extensions.
About the author
Tavis Ormandy is an English computer security white hat hacker. He is currently employed by Google as part of their Project Zero team.
kbuck: [In 1Password,] the password selection menu (on Windows at least...) is actually rendered by an entirely separate process on the system.
dogma1138: This somewhat overlooks the main threat model that password managers solve - leaked credentials. Using password managers and generating different passwords for each service reduces the blast radius from any breach.
Gain of function research (GoFR) is a term used to describe any field of medical research which alters an organism or disease in a way that increases pathogenesis, transmissibility, or host range (the types of hosts that a microorganism can infect).
This research is intended to reveal targets to better predict emerging infectious diseases and to develop vaccines and therapeutics.
For example, influenza B can only infect humans and harbor seals.
Introducing a mutation that would allow influenza B to infect rabbits in a controlled laboratory situation would be considered a "gain of function" experiment
as the virus did not previously have that function.
However, such an experiment could help reveal which parts of the virus are responsible for its host range, enabling the creation of antiviral medicines which block this function.
To mitigate these risks while allowing the benefits of such research, various governments have mandated that dual use research of concern (DURC) experiments be regulated under additional oversight by institutions and government agencies.
Which sites are available?
You have a few to choose from:
icanhazip.com - returns your IP address
icanhazproxy.com - can determine if your traffic is being proxied
Why should I use these services when there are plenty of other ones out there?
My services return all data in plain text without any advertisements or extra data. I also monitor the services to ensure they’re always available.
My Puppy Linux box keeps talking to your server. What’s up?
I’m not a Puppy Linux user, but my site is used by some of the startup scripts to help users determine what their external IP address is after booting. My site returns IP addresses without any advertisements and that’s why it’s relatively popular in some circles. I don’t gather any information about users other than what would normally appear in an Apache log. If you’re upset about your computer making these connections, please direct your complaints to Puppy Linux developers and maintainers.