Could you trust an online password manager?
-
https://www.clipperz.com/beta/ Before you shoot it down... It's open source and all data is encrypted in the browser using encryption algorithms strong enough for US Top Secret data. Could you trust it? I'm not affiliated with the site, but was kicking around the idea of developing something similar. [Edit] Here's their JavaScript crypto library from Google Code if you are interested: http://code.google.com/p/clipperz/
-
I just finished developing a similar application (for learning and fun: the business model is poor) and it is as safe as it is probably possible to make it bearing in mind that, given sufficient time and resources, virtually any system can be cracked. Most of these sites found the security on javascript libraries encrypting everything client side and there are quite a few libraries readily available for free: googling will pick up several quite quickly. Personally I keep all of my private and confidential data scrawled on a piece of paper under my mattress...
-
Even if it's a fully trustworthy service you're still dealing with a single point of failure as a user. I refuse to use a locally stored password safe for that very reason.
Otherwise [Microsoft is] toast in the long term no matter how much money they've got. They would be already if the Linux community didn't have its head so firmly up its own command line buffer that it looks like taking 15 years to find the desktop. -- Matthew Faithfull
-
patnsnaudy wrote:
using encryption algorithms strong enough for US Top Secret data.
:laugh: :laugh: :laugh: You do realize there is no such monster. No algorithm in the universe is strong enough to encrypt US top secret data and use on a non DoD network. Once TS data touches the medium, it is forever TS, network, machine, disk, or even a monitor. There is no such thing as a "cleaner" or an "encryption" that is strong enough for TS data. Period. Why? Because the future is unknown. Just because we cannot break the encryption today does not mean someone won't find a flaw, a chink in the armor, or a shortcut in the process, tomorrow.
_________________________ Asu no koto o ieba, tenjo de nezumi ga warau. Talk about things of tomorrow and the mice in the ceiling laugh. (Japanese Proverb)
-
Not for connection to the internet, but communication to/from satellites, aircraft, and ships is largely done via wireless and much of that data is classified. AFAIK the wired networks between installations are encrypted to protect against a cable tap as well. TS data sent this way does have stronger crypto requirements than secret on the assumption that it needs to stay unbreakable for longer to avoid bad things happening if intercepted.
Otherwise [Microsoft is] toast in the long term no matter how much money they've got. They would be already if the Linux community didn't have its head so firmly up its own command line buffer that it looks like taking 15 years to find the desktop. -- Matthew Faithfull
-
dan neely wrote:
and much of that data is classified.
You know classified is a long way from TS.... TS satellite data is direct beam. You would pretty much have to fly in the path of the beam... and if you survive long enough to do that, you still have the job of unencrypting, but TS must be done multi-method, not just encryption.
_________________________ Asu no koto o ieba, tenjo de nezumi ga warau. Talk about things of tomorrow and the mice in the ceiling laugh. (Japanese Proverb)
-
It looks pretty good, but there are some obvious problems if you are security paranoid:
1) It's only 128 bit RSA encryption, which while not easily brute forced by the average phisher or trojan writer would be almost trivial for any organized system (FBI, NSA, etc.)
2) The encryption code is downloaded each time you access it (or stored in cache), which means that it's vulnerable to man-in-the-middle attacks. The code could get trojaned or "secretly" updated by an outside agent.
It really needs a nice FF plug-in or ActiveX control that does a real client-side encryption with a strong key and cipher. I also don't like that you have to log into their system first and access the sites from their bookmark list.
-- Where are we going? And why am I in this handbasket?
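The second point above, crypto code that is re-downloaded on every visit and could be altered on the way, is the case a pinned digest is meant to catch. As an added example (not from the thread or from Clipperz), this Node.js code checks fetched script bytes against a Subresource-Integrity-style digest assumed to come from a separately published release; `verifyScript`, `makeIntegrity`, `PINNED` and both sample scripts are constructed for illustration.

```javascript
const nodeCrypto = require('node:crypto');

// Digest algorithms accepted in a pin, ranked weakest to strongest.
const STRENGTH = new Map([['sha256', 1], ['sha384', 2], ['sha512', 3]]);

// Parse "sha256-<base64> sha384-<base64>" into { alg, digest } entries,
// dropping tokens with an unknown algorithm or an empty digest.
function parseIntegrity(value) {
  return value.trim().split(/\s+/).map((token) => {
    const dash = token.indexOf('-');
    return {
      alg: token.slice(0, Math.max(dash, 0)).toLowerCase(),
      digest: token.slice(dash + 1),
    };
  }).filter((e) => STRENGTH.has(e.alg) && e.digest.length > 0);
}

// True only if the bytes match a pinned digest of the strongest listed
// algorithm; a weaker digest in the same pin is never enough on its own.
function verifyScript(scriptBytes, pinnedIntegrity) {
  const entries = parseIntegrity(pinnedIntegrity);
  if (entries.length === 0) return false; // no usable pin: fail closed
  const best = Math.max(...entries.map((e) => STRENGTH.get(e.alg)));
  return entries
    .filter((e) => STRENGTH.get(e.alg) === best)
    .some((e) => {
      const actual = nodeCrypto.createHash(e.alg).update(scriptBytes).digest();
      const expected = Buffer.from(e.digest, 'base64');
      return expected.length === actual.length &&
        nodeCrypto.timingSafeEqual(expected, actual);
    });
}

// Helper used when publishing a release: build the pin for known-good bytes.
function makeIntegrity(bytes, alg) {
  return `${alg}-${nodeCrypto.createHash(alg).update(bytes).digest('base64')}`;
}

// Constructed sample data: a reviewed library and an altered copy of it.
const released = Buffer.from('function encrypt(key, text) { /* reviewed */ }');
const tampered = Buffer.from('function encrypt(key, text) { /* altered */ }');
const PINNED = makeIntegrity(released, 'sha384');

console.log('released ok:', verifyScript(released, PINNED)); // true
console.log('tampered ok:', verifyScript(tampered, PINNED)); // false
```

The pin only helps if it is kept somewhere the serving site cannot rewrite, such as an installed extension or a separately published release note.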
-
Did you try Keepass (a free desktop password manager hosted at sourceforge.net)?
Vasudevan Deepak Kumar Personal Homepage
Tech Gossips
A pessimist sees only the dark side of the clouds, and mopes; a philosopher sees both sides, and shrugs; an optimist doesn't see the clouds at all - he's walking on them. --Leonard Louis Levinson
-
Yeah I've been using keepass for a long time, but I have it installed on several machines on different networks and I don't want to use the ftp feature for storing a common password list. My problem is when I update the password file I have to update all of my PCs.
-
So what do you use? I have too many passwords to remember them all.
-
I realize all encryption can be cracked, but I think this is using AES which is strong enough for TS data. Based on a quote on wikipedia, so it must be true. :) "The design and strength of all key lengths of the AES algorithm (i.e., 128, 192 and 256) are sufficient to protect classified information up to the SECRET level. TOP SECRET information will require use of either the 192 or 256 key lengths. The implementation of AES in products intended to protect national security systems and/or information must be reviewed and certified by NSA prior to their acquisition and use."
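What "encrypted in the browser" with a 256-bit AES key amounts to, as an added example that is not from the thread and is not Clipperz's code or scheme: the passphrase is stretched into a key on the client and the server only ever receives the sealed record. It uses Node's `crypto` module so it runs offline; `sealVault`, `openVault`, the record layout and the PBKDF2 iteration count are assumptions made for illustration.

```javascript
const nodeCrypto = require('node:crypto');

const KDF_ITERATIONS = 600000; // assumed PBKDF2 work factor, not Clipperz's value

// Client side: stretch the passphrase into a 256-bit key.
function deriveKey(passphrase, salt) {
  return nodeCrypto.pbkdf2Sync(passphrase, salt, KDF_ITERATIONS, 32, 'sha256');
}

// Client side: encrypt the vault; only the returned record is uploaded.
function sealVault(passphrase, vault) {
  const salt = nodeCrypto.randomBytes(16);
  const iv = nodeCrypto.randomBytes(12); // fresh nonce for every save
  const key = deriveKey(passphrase, salt);
  const cipher = nodeCrypto.createCipheriv('aes-256-gcm', key, iv);
  const text = JSON.stringify(vault);
  const body = Buffer.concat([cipher.update(text, 'utf8'), cipher.final()]);
  const b64 = (buf) => buf.toString('base64');
  return { salt: b64(salt), iv: b64(iv), tag: b64(cipher.getAuthTag()), body: b64(body) };
}

// Client side: returns the vault, or null for a wrong passphrase or a
// record that was modified while stored or in transit.
function openVault(passphrase, record) {
  const raw = (s) => Buffer.from(s, 'base64');
  try {
    const key = deriveKey(passphrase, raw(record.salt));
    const decipher = nodeCrypto.createDecipheriv('aes-256-gcm', key, raw(record.iv));
    decipher.setAuthTag(raw(record.tag));
    const plain = Buffer.concat([decipher.update(raw(record.body)), decipher.final()]);
    return JSON.parse(plain.toString('utf8'));
  } catch (err) {
    return null;
  }
}

// Constructed sample vault and passphrase.
const vault = { entries: [{ site: 'example.test', user: 'alice', password: 'S3cr3t-sample' }] };
const stored = sealVault('correct horse battery staple', vault);
console.log(Object.keys(stored)); // fields the server holds: no key, no plaintext
```

Sealing the stored record does nothing about how the code itself is delivered: whoever serves the page that runs `sealVault` can still change it.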
-
Good points, but I thought they were using AES not sure why (not really sure if that's better than RSA). Did you see data that said they were using RSA?
-
patnsnaudy wrote:
Based on a quote on wikipedia, so it must be true.
If you found it on wikipedia, it must of course be right... and since the quote came in 2003 the quote must be good forever also. :-D
_________________________ Asu no koto o ieba, tenjo de nezumi ga warau. Talk about things of tomorrow and the mice in the ceiling laugh. (Japanese Proverb)
-
I'm glad that you see it my way. ;P I'm not at all up to date on my encryption algorithms, but I'm thinking that a good implementation of AES still must be decent.