Publish and commit to security goals #146
Comments
Hey @FiloSottile, this is an interesting question you are asking. The project is essentially being driven by the community, there are no "official" security goals, and my personal reasons to use browserpass are very much the same as yours. I would certainly invite you to audit the project and start the discussion on what you believe should be the security goals. Anyone interested is welcome to share the feedback, and I would definitely do so. What I can offer once we have some kind of a shared agreement on the security goals is the following: if I see a feature request or a pull request that breaches the current agreement, I'll do my best to question this change and I'll ping you and others who were active in this thread with a grace period of, say, 1 week before merging the change.
One of my goals is to make
I've seen such a suggestion before, and an argument against this. That being said, I don't know if that claim is actually true, and I'm fine with trying to make use of
I use a YubiKey too - definitely looks like using x/crypto/openpgp won't work for now.
I gave it a try in #153. To be clear, I did not audit the codebase to check that these hold true, but they seem to be a sane set of goals. Unfortunately, golang.org/x/crypto/openpgp can't indeed use a gpg agent, so is incompatible with smartcards and probably not an option.
These principles make phishing prevention a stated goal and mitigate potential vulnerabilities as seen in other password managers: https://bugs.chromium.org/p/project-zero/issues/list?can=1&q=label:Product-LastPass Closes #146
Just found this: https://godoc.org/go.mozilla.org/gopgagent - I will try to put together a test to see if I can use Go / gpg-agent and smartcards!
AFAICT that does not implement any encryption commands.
Wouldn't it use the OpenPGP lib to do the encryption stuff? (similar to this: https://github.com/mozilla/sops/blob/master/pgp/keysource.go#L120)
I don't think either gopgagent or x/crypto/openpgp support using the agent to have private key operations done, for example by a YubiKey. (I might be mistaken.)
@qbit I definitely encourage you to try it and come back with some results, positive or negative, awesome finding!
The reason I would personally use an extension instead of `-c` is that it can extract the hostname securely, blocking phishing attempts. The reason I would personally use this instead of, say, LastPass is that there would be no way for the page to trigger autocomplete (and exploit potential host-matching vulnerabilities) without user input and confirmation.
These are however only my speculations on the security goals of the extension. I could audit it myself, but I would have to worry about functionality changing later as there is no commitment. Also, that would make clear what is and what isn't a security vulnerability.
Essentially, what's your threat model? (I know it's cliche.)
(Thanks for the work! ✨)