we have just released a new version of the application; there are no major features in this version, just some security fixes.
Most of the fixes are relevant only for future features of the application (sharing), but some smart guys have found a vulnerability in the direct login creation process that we have now fixed.
The vulnerability could be used by some hostile site to trick the bookmarklet into collecting a "wrong" configuration that could inject malicious code into the direct login. Clicking on the newly created direct login would later activate the code, which could compromise the Clipperz account.
These are the new checksums:
Size for file /index.html = 1580943
MD5 checksum for file /index.html = 604722c3d02f6c6c37b5879d5d71d938
SHA1 checksum for file /index.html = 86c8c28440ed12fd3825b8e6a1b800786593b855
We are still working on a greatly improved version of the application, but you need to be more patient for that.
We had not even had time to upload the new version of the application when Collin Jackson, the PhD student who found the original vulnerability in our code that this new release addresses, spotted a weakness in our fix.
Needless to say, a new version is already online.
THANKS Collin!!
Revision: 1251
Size for file index.html = 1580949
MD5 checksum for file index.html = 9eaafad47aaa1c3b31c433d3faa2dfbc
SHA1 checksum for file index.html = 3f03395e396cccdc9d5ef6c1c0117387ffc14096
Regards,
Giulio Cesare
PS: someone still believes that security by obscurity works better. We obviously do not agree with this point of view, and we have had our code available for inspection since we started. Even if very few people have the skills to actually inspect the code, when someone finds a problem, the benefits everybody gets are huge.
On Fri, Oct 31, 2008 at 11:28 AM, Giulio Cesare Solaroli
> we have just released a new version of the application; there are no
> major features in this version, just some security fixes.
> Most of the fixes are relevant only for future features of the
> application (sharing), but some smart guys have found a vulnerability
> in the direct login creation process that we have now fixed.
> The vulnerability could be used by some hostile site to trick the
> bookmarklet into collecting a "wrong" configuration that could inject
> malicious code into the direct login. Clicking on the newly created
> direct login would later activate the code, which could compromise the
> Clipperz account.
> These are the new checksums:
> Size for file /index.html = 1580943
> MD5 checksum for file /index.html = 604722c3d02f6c6c37b5879d5d71d938
> SHA1 checksum for file /index.html = 86c8c28440ed12fd3825b8e6a1b800786593b855
> We are still working on a greatly improved version of the application,
> but you need to be more patient for that.
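As an added example, not code from the thread or from the Clipperz project: a small Python checker that parses the size/MD5/SHA1 lines published above for index.html and compares a downloaded copy against them, so a user can tell whether the file actually served is the announced one. The helper names, the constructed sample bytes and the tolerance for the "file/index.html" spacing variant are assumptions of this example.

```python
import hashlib
import re
from typing import Dict

# One regex for the three line kinds used in the announcements above, e.g.
#   Size for file index.html = 1580949
#   MD5 checksum for file /index.html = 604722c3...
#   SHA1 checksum for file/index.html = 86c8c2...   (missing space tolerated)
LINE_RE = re.compile(
    r"^\s*(Size|MD5 checksum|SHA1 checksum) for file\s*(\S+?)\s*=\s*(\S+)\s*$", re.I)

def parse_announcement(text: str) -> Dict[str, Dict[str, object]]:
    """Map each file name (leading '/' dropped) to its published size/md5/sha1."""
    expected: Dict[str, Dict[str, object]] = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        kind = m.group(1).split()[0].lower()          # size | md5 | sha1
        entry = expected.setdefault(m.group(2).lstrip("/"), {})
        entry[kind] = int(m.group(3)) if kind == "size" else m.group(3).lower()
    return expected

def verify_file(data: bytes, expected: Dict[str, object]) -> Dict[str, bool]:
    """Check the bytes actually served against every value that was published."""
    actual = {"size": len(data),
              "md5": hashlib.md5(data).hexdigest(),
              "sha1": hashlib.sha1(data).hexdigest()}
    return {k: actual[k] == v for k, v in expected.items() if k in actual}

def is_genuine(data: bytes, expected: Dict[str, object]) -> bool:
    """Genuine only if something was published and all published values hold."""
    checks = verify_file(data, expected)
    return bool(checks) and all(checks.values())

def announcement_for(name: str, data: bytes) -> str:
    """Write the same three lines for a file you are about to publish."""
    return (f"Size for file {name} = {len(data)}\n"
            f"MD5 checksum for file {name} = {hashlib.md5(data).hexdigest()}\n"
            f"SHA1 checksum for file {name} = {hashlib.sha1(data).hexdigest()}\n")

# Revision 1251 values exactly as published in the thread above.
REV_1251 = """Revision: 1251
Size for file index.html = 1580949
MD5 checksum for file index.html = 9eaafad47aaa1c3b31c433d3faa2dfbc
SHA1 checksum for file index.html = 3f03395e396cccdc9d5ef6c1c0117387ffc14096
"""
```

Both MD5 and SHA-1 have since been shown to be collision-prone, so checking size, MD5 and SHA1 together gives more assurance than any one of them alone.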
On Sat, Nov 1, 2008 at 12:04 PM, neoxx <n...@neotrinity.at> wrote:
> hi,
> thanks for the update. - unfortunately, the HTTP authentication
> stopped working for both new and existing cards.
> greetz,
> bernhard
> On Oct 31, 3:33 pm, "Giulio Cesare Solaroli" <giulio.ces...@gmail.com> wrote:
>> Hello,
a new version is online that fixes the HTTP authentication problem in direct logins. The new version also fixes an issue in the creation of a new direct login for a website using HTTP authentication.
Oddly enough, the two problems were due to completely different causes.
A few weeks ago, a new member joined the Clipperz team: Marco Fabbri. He will help us keep the development of the new version of the application going. He will also help us answer users' questions on this forum.