Comments on: Thought Process Behind Online Password Services http://www.liquidmatrix.org/blog/2008/04/22/thought-process-behind-online-password-services/ Bringing Fire To The Village: Your Source For Computer, Network & Information Security News from Dave Lewis, Security Blogger Mon, 08 Sep 2008 11:31:29 +0000 http://wordpress.org/?v=2.6.1 By: Marco Barulli http://www.liquidmatrix.org/blog/2008/04/22/thought-process-behind-online-password-services/#comment-69135 Marco Barulli Mon, 28 Apr 2008 09:59:32 +0000 http://www.liquidmatrix.org/blog/?p=2936#comment-69135 @ Dave, Clipperz is trying to promote "zero-knowledge web applications" as defined in this post: http://www.clipperz.com/users/marco/blog/2007/08/24/anatomy_zero_knowledge_web_application We are fully aware that it's a counterintuitive concept and we deliberately applied it to the most sensitive kind of data: passwords! But we are completely transparent: we provide the source code and the tools to perform a security review of the whole application. Furthermore, few days ago we announced Clipperz Community Edition: a downloadable package that offers same features and functionalities of the hosted online service. Now everyone can host Clipperz password manager on any MySQL/PHP enabled server. http://www.clipperz.com/open_source/clipperz_community_edition Most importantly Clipperz is released under an open source license. We opted for AGPLv3, recently approved by OSI, since it solves the "ASP loophole" in GPL. (Btw, we had to move from Google Code hosting to SourceForge because AGPL is not welcome at Google!!!) http://www.clipperz.com/users/marco/blog/2008/04/04/clipperz_not_welcome_google_code Feel free to contact me for any further information, Marco Clipperz co-founder PS <b>(ed. note: changed the direction to the prev commenter)</b> <strike>@CJ</strike> @Dave Lewis Changed from "exploits" to "leverages". Thanks! @ Dave,
Clipperz is trying to promote “zero-knowledge web applications” as defined in this post:
http://www.clipperz.com/users/marco/blog/2007/08/24/anatomy_zero_knowledge_web_application

We are fully aware that it’s a counterintuitive concept and we deliberately applied it to the most sensitive kind of data: passwords!

But we are completely transparent: we provide the source code and the tools to perform a security review of the whole application.

Furthermore, few days ago we announced Clipperz Community Edition: a downloadable package that offers same features and functionalities of the hosted online service. Now everyone can host Clipperz password manager on any MySQL/PHP enabled server.
http://www.clipperz.com/open_source/clipperz_community_edition

Most importantly Clipperz is released under an open source license. We opted for AGPLv3, recently approved by OSI, since it solves the “ASP loophole” in GPL.
(Btw, we had to move from Google Code hosting to SourceForge because AGPL is not welcome at Google!!!)
http://www.clipperz.com/users/marco/blog/2008/04/04/clipperz_not_welcome_google_code

Feel free to contact me for any further information,
Marco
Clipperz co-founder

PS
(ed. note: changed the direction to the prev commenter) @CJ @Dave Lewis Changed from “exploits” to “leverages”. Thanks!

]]> By: Dave Lewis http://www.liquidmatrix.org/blog/2008/04/22/thought-process-behind-online-password-services/#comment-69118 Dave Lewis Tue, 22 Apr 2008 16:04:41 +0000 http://www.liquidmatrix.org/blog/?p=2936#comment-69118 @ CJ "exploits the capabilities" I think they might be better served with "leverages the capabilities" But hey, what do I know. Ha! @ CJ

“exploits the capabilities” I think they might be better served with “leverages the capabilities”

But hey, what do I know.

Ha!

]]> By: CJ http://www.liquidmatrix.org/blog/2008/04/22/thought-process-behind-online-password-services/#comment-69116 CJ Tue, 22 Apr 2008 14:15:18 +0000 http://www.liquidmatrix.org/blog/?p=2936#comment-69116 Entrusting Joe Schmoe with your credentials is bad in a "Don't cross the streams" kind of way. From the FAQ: "Clipperz exploits the capabilities of modern browsers to efficiently execute Javascript code. All your private information are locally encrypted before storing them on Clipperz servers. So you don’t need to trust Clipperz because you are just giving Clipperz a bunch of scrambled and twisted bits." Not only are they telling people to give up their goodies, they're conditioning them that they don't even need to trust them. A bunch of scrambled and twisted bits indeed... Entrusting Joe Schmoe with your credentials is bad in a “Don’t cross the streams” kind of way. From the FAQ:

“Clipperz exploits the capabilities of modern browsers to efficiently execute Javascript code. All your private information are locally encrypted before storing them on Clipperz servers. So you don’t need to trust Clipperz because you are just giving Clipperz a bunch of scrambled and twisted bits.”

Not only are they telling people to give up their goodies, they’re conditioning them that they don’t even need to trust them. A bunch of scrambled and twisted bits indeed…

]]>