Clipperz, the recently launched online password manager, can be used to store any kind of sensitive information, such as passwords, confidential notes, credit and debit card details, and so on.
It is free and completely anonymous, and the really cool feature is the direct login: users can save the credentials of their online accounts into Clipperz and create a direct login link for each of them. Then they can access any of them with just one click, without typing any user name or password again.
Direct logins are addictive: the convenience of one-click access to almost any web service is something you can’t live without after you have tried it! But having to go back and forth from the Clipperz web page was a little nuisance.
Clipperz Compact is a stripped down version of Clipperz designed to be opened in Firefox and Opera sidebars. Its purpose is to keep your collection of direct logins always at hand.

Once logged in, you have the option of locking the sidebar to prevent unauthorized access when you are away from your computer. The lock can be activated manually by clicking on “lock” or automatically after 60 seconds of inactivity within the sidebar, but only if “auto lock” is checked.
Now you are ready to enjoy one-click access: clicking any of the links in the sidebar automatically opens the related online service in a new browser tab or in a new browser window, depending on your browser settings. - Marco
Comments
Are you recommending this?
As a sysadmin, the thought of an online service storing usernames and passwords makes me a bit nervous.
Just as Paypal and Ebay seem to be favorites of phishing scams - since gaining access to logins for those sites gives direct access to financial information - I can only imagine this service is already being targeted by The Bad People (TM).
A security breach of this service could be disastrous, right?
Can you comment on what the security architecture of this service is and why its safe for me to store my online banking credentials here (for example)?
Love the blog, btw…
Thanks!
Michael
Hi Michael,
Your concerns about Clipperz being attacked are definitely sound.
Since the data hosted on Clipperz are encrypted with 256-bit keys derived from users’ passphrases, any offline attack is extremely hard, since there are no known attacks on AES and SHA2, not even theoretical attacks. I can send you a complete dump of the Clipperz database anytime. Or you can simply dump your portion of the Clipperz database by downloading the “offline copy”, a perfect replica of the Clipperz platform.
To avoid any external intrusion while the Clipperz application is running we have taken some extra care. The application is loaded from a single file: all JavaScript and CSS files are included. This avoids any external reference to any resource other than the images. This is a first safeguard against XST attacks. All the communications with the server are done using DWR, which has been reported as the most secure AJAX library.
Clipperz is a complex application running in the browser. So the real defense against phishing is to give users tools to quickly and conveniently check the source code of the login page. Simply checking that you are visiting the correct website is not enough!!! This is why we have been providing checksums and instructions on how to use them since the first release.
We liked the idea of the checksum because it would allow us to solve a long list of threats that a project like Clipperz needs to address:
- getting p0wned by some hackers/employees;
- phishing;
- sudden changes in the business policy of Clipperz;
- law enforcement subpoena to hack the application in order to leak some data.
The only problem left is how to share the “right” checksum. We could provide a reference value for the checksum, but a really paranoid user should not trust it, as we would be able to update it together with a hacked version of the application. Once this problem is addressed, it will be easy to develop tools to conveniently verify checksums. But we haven’t settled yet on how to conveniently balance the simplicity of the service with the paranoia of the security.
Complete transparency is the only answer we can provide to our users. Please feel free to play with our source code. The full build environment allows you to check that the code we release is the same right code we have used to build the online version of the application.
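The two mechanisms Marco's reply leans on, a passphrase-derived 256-bit key that makes a database dump useless offline, and a checksum the user computes over the single-file application and compares with a reference value, can be sketched in a few dozen lines. The following is an added illustration written for this page, not Clipperz's own code: the key derivation (iterated SHA-256 over passphrase and salt), the use of AES-256-GCM, the salt, the passphrase and the sample record are all assumptions made for the demonstration, and the reference checksum is a constructed value, not a real Clipperz release hash.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"errors"
	"fmt"
	"io"
)

// DeriveKey turns a passphrase into a 256-bit AES key by iterating SHA-256
// over the passphrase and a per-user salt. This is a simplified stand-in
// for whatever KDF the real service uses (an assumption, not their code);
// the point is that the key is computed on the client and never stored.
func DeriveKey(passphrase string, salt []byte, iterations int) []byte {
	key := sha256.Sum256(append([]byte(passphrase), salt...))
	for i := 1; i < iterations; i++ {
		key = sha256.Sum256(append(key[:], salt...))
	}
	return key[:]
}

// EncryptRecord seals one card (for example a credential) with AES-256-GCM.
// The nonce is prefixed to the ciphertext, so a dump of the "database" is
// self-contained but still opaque without the passphrase.
func EncryptRecord(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// DecryptRecord opens a sealed card. A wrong key (wrong passphrase) fails
// the GCM authentication check instead of yielding plausible garbage.
func DecryptRecord(key, sealed []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("sealed record too short")
	}
	nonce, ct := sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, nil)
}

// VerifyChecksum is the user's half of the checksum idea from the thread:
// hash the single-file application actually received and compare it, in
// constant time, with the reference value obtained out of band.
func VerifyChecksum(appSource []byte, referenceHex string) bool {
	sum := sha256.Sum256(appSource)
	ref, err := hex.DecodeString(referenceHex)
	if err != nil || len(ref) != len(sum) {
		return false
	}
	return subtle.ConstantTimeCompare(sum[:], ref) == 1
}

func main() {
	salt := []byte("constructed-per-user-salt") // constructed sample value
	key := DeriveKey("correct horse battery staple", salt, 10000)
	sealed, err := EncryptRecord(key, []byte("card: user=alice pass=s3cret")) // constructed record
	if err != nil {
		panic(err)
	}
	fmt.Printf("dump holds %d opaque bytes\n", len(sealed))

	// The "offline copy" scenario: someone holds the dump but guesses the passphrase wrong.
	wrong := DeriveKey("password123", salt, 10000)
	if _, err := DecryptRecord(wrong, sealed); err != nil {
		fmt.Println("wrong passphrase:", err)
	}
	pt, _ := DecryptRecord(key, sealed)
	fmt.Println("right passphrase:", string(pt))

	// Checksum check against a constructed (not real) reference value.
	app := []byte("<html><script>/* single-file app */</script></html>")
	fmt.Println("checksum matches:", VerifyChecksum(app, hex.EncodeToString(func() []byte { s := sha256.Sum256(app); return s[:] }())))
}
```

The two halves address different threats: the derived key is what makes the "I can send you a complete dump anytime" claim reasonable, while the checksum only helps against a tampered application file, and, as the reply notes, only if the reference value reaches the user through a channel the same party cannot also alter.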
Thanks for the reply, I’ll check this out…