Hi again :)
Recently I've tested some online password managers (Clipperz, Passpack, Mitto, LastPass, Mashed Life) and I liked Clipperz the best - the whole idea of a "zero knowledge app", the features (+ the new and promised features of the gamma version), the simplicity, the nice looks of the beta version (and gamma's are even nicer). Well, I almost fell in love... I stored all my passwords in Clipperz and started using it every day - :) Well, actually it should be :( Direct logins - Clipperz's greatest strength and greatest weakness at the same time.
The idea behind direct logins is great - click to login. Simple as that. And I don't have to install any button like in Passpack (and it's personalized for me! and once in a while I should "invalidate" my old buttons for security reasons!). Well, I need a button to create a direct login, but it's generic (the same for everyone) and I don't have to install it on *every* PC I use.
The problem is that direct logins don't work with many sites. Yeah, everyone knows that. But this is a *major* problem, maybe the one that stops Clipperz from being in widespread use? I mean, it's nice to login to my emails, to forums etc. But I'm not happy when I can securely use my non-critical services if at the same time I have to non-securely use my critical services. Isn't "security & privacy for services that are important" the whole point of Clipperz? I'm sure most of us use such "critical services". For me those are:
1. https://secure.inteligo.com.pl/ - bank account, direct login works only once (session id?)
2. https://www.mbank.com.pl/ - bank account, same deal
3. http://allegro.pl/mainpage_login.php - it's our Polish eBay, same deal
4. https://paczka.4logis.pl/ - this one's not critical for me but it's interesting because after using direct login (even for the first time) it says "csrf token: CSRF attack detected"
So I can go back and
a) use short, repetitive and easy to memorize passwords (keyloggers - this is an invitation!)
b) use LastPass which is soo ugly, soo overbloated, soo not-portable - never! :)
c) use passpack - it's acceptable, although I like Clipperz much (much!) more :(
So the questions are:
Are there any hopes that the direct login implementation will improve in the future? Or is it that technical limitations won't allow it? Or maybe there is an alternative approach? Please tell me there is - I'm desperate ;) And then the Clipperz "killing spree" would start :)))
Oh, did I mention I love Clipperz? :)
--
You received this message because you are subscribed to the Google Groups "Clipperz" group.
To post to this group, send email to clip...@googlegroups.com.
To unsubscribe from this group, send email to clipperz+u...@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/clipperz?hl=en.
We are aware that direct logins are both a great feature and a great pain (sometimes to set them up, and sometimes because they just don't work).
We have been thinking for a long time about how to overcome this problem. We have a few ideas, but nothing groundbreaking.
The first option is to have a completely redesigned compact version that could greatly simplify copying/pasting credentials to be used for "uncooperative" login forms.
But lately we had a different idea that could help us fix a few issues altogether: thanks to a suggestion from one user (as is often the case), we have realized that by simply changing a URL inside the application code (from relative to absolute), it is possible to load the Clipperz application right from your hard disk instead of from the Clipperz site, while still being able to access the live data stored on the Clipperz site.
This solution would immediately fix the problem of verifying the application code, as the full application would be loaded locally.
But this same solution could also provide the option to greatly enhance direct login compatibility. It took me a while to realize this, but it actually allows us to put together a few tests we had done before, but that were not working due to browser security policies. Loading the application locally will lower browser security concerns, and we can probably find a way to make many of the now-broken direct logins work again. This is mostly true for direct logins not working because of the use of session keys, but we may also find a way to handle multi-step authentications (although this will require some major tuning of the configuration, compared with what the bookmarklet is now able to process).
Unfortunately at the moment I am very busy working on another project and I have very few moments left to work on Clipperz. I am trying to add missing features to the /gamma version (right now I am implementing the change passphrase logic, something that would be trivial if it didn't also require updating all OTPs).
We are keeping an open thread on a few 'waves' (Google Wave is a great way to collect ideas); if anyone is interested in joining the discussion, please get in touch with me (same username, at the clipperz domain) providing me some details about you (if we don't know each other yet) and your Google account.
Regards,
Giulio Cesare
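The two observations in this thread (a direct login that "works only once", and a site answering "CSRF attack detected" to a replayed login form) and Giulio Cesare's remark about session keys describe the same mechanism from two sides. The following Python model is an added illustration of that mechanism; it is not code from the thread, from Clipperz, or from any of the sites named above. The `LoginServer` class, the HMAC-based token scheme, the constructed secret and the sample credentials are all assumptions made for the demo: the point is only that a login form whose anti-CSRF token is bound to the visitor's session cannot be recorded once and replayed later.

```python
import hashlib
import hmac
import secrets

# Constructed server secret for the demo; a real site loads this from its configuration.
SERVER_SECRET = b"constructed-demo-secret"


class LoginServer:
    """Toy model of a login page whose CSRF token is bound to the visitor's session.

    Added illustration only; not the code of Clipperz or of any site in the thread.
    """

    def __init__(self):
        # Anonymous (pre-login) sessions currently known to the server.
        self.sessions = set()

    def _token_for(self, session_id: str) -> str:
        # Token = HMAC(secret, session id): it is only valid for the session it was issued to.
        return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()

    def get_login_form(self):
        """GET /login: start an anonymous session and return (session cookie, form fields)."""
        session_id = secrets.token_hex(16)
        self.sessions.add(session_id)
        form = {"username": "", "password": "", "csrf_token": self._token_for(session_id)}
        return session_id, form

    def post_login(self, cookie_session_id, form):
        """POST /login: accept only if the form token matches the session named by the cookie."""
        if cookie_session_id not in self.sessions:
            return "rejected: unknown or expired session"
        expected = self._token_for(cookie_session_id)
        if not hmac.compare_digest(expected, form.get("csrf_token", "")):
            return "rejected: csrf token: CSRF attack detected"
        # The anonymous session is consumed on login, so its token cannot be reused.
        self.sessions.discard(cookie_session_id)
        return "ok: logged in as " + form["username"]


def simulate_direct_login():
    """Model a recorded direct login: capture the form once, replay it later.

    Returns (first_use, replay_in_new_session, replay_without_cookie, fresh_fetch).
    """
    server = LoginServer()
    creds = {"username": "alice", "password": "constructed-password"}

    # Step 1: the direct login is created by recording the login form, token included.
    session_a, form = server.get_login_form()
    recorded = dict(form, **creds)

    # First use, still in the session that issued the token: works ("works only once").
    first_use = server.post_login(session_a, recorded)

    # Later use from a new browser session: the stored token no longer matches.
    session_b, _ = server.get_login_form()
    replay_new_session = server.post_login(session_b, recorded)

    # Later use with no session cookie at all (e.g. submitted from another origin): rejected too.
    replay_no_cookie = server.post_login(None, recorded)

    # What a compatible client must do instead: fetch the current form, fill it, then submit.
    session_c, fresh_form = server.get_login_form()
    fresh_fetch = server.post_login(session_c, dict(fresh_form, **creds))

    return first_use, replay_new_session, replay_no_cookie, fresh_fetch


if __name__ == "__main__":
    for label, result in zip(
        ("first use", "replay, new session", "replay, no cookie", "fresh fetch"),
        simulate_direct_login(),
    ):
        print(f"{label:22s} -> {result}")
```

The last step is the behaviour a direct login would need to reproduce to survive this kind of protection: load the real login page, read the token the server issues for the current session, and only then submit the credentials. A bookmarklet running on a different origin cannot read that page, which is the browser security policy the reply refers to, and why loading the application locally is expected to help.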