Attempts to break clipperz?


David Whiting

Mar 18, 2009, 9:49:58 AM
to Clipperz
Hi,

First I have to say that I love clipperz. I have been using it for a
few days now and think it is so useful I have subscribed to the
monthly plan. I guess I am still a little nervous about how secure it
really is. I have read the FAQ and some posts in this group but don't
have a good understanding of security to be really sure how safe this
is. I really *want* it to be safe. The process of moving my logins
into clipperz has been a little frightening: I had a rather large
number of logins either stored in my browser password manager (with no
encryption) and/or in emails in an online email account. So using
clipperz has to be an improvement on my previous practice.

But I would like to know if you are aware of any attempts to attack your
server, or if there have been any attempts to develop malicious
websites that somehow intercept clipperz running on a client machine?
Could malicious code on a website interact with clipperz code and
expose all my secret info? I think I heard that a number of legitimate
websites had been infected with malicious code---is clipperz
vulnerable to this sort of attack?

Thanks again for a great tool.

David

Giulio Cesare Solaroli

Mar 19, 2009, 11:14:24 AM
to david.r...@gmail.com, Clipperz
Hello David,

the "simplest" way to compromise Clipperz is to change the code of its
application, that is the code your browser is downloading in order to
give you access to your data.

At the moment there are no perfect solutions to avoid this problem
altogether, but there are some simple steps that could alert you if
something wrong is going on. If you look in the forum for 'checksum'
you will find some hints about a script we have posted that can
check that the Clipperz application has not been tampered with before
redirecting you to the real site.

To have a preview of what it looks like, take a look at my del.icio.us
bookmark at
- http://del.icio.us/gcsolaroli/clipperz

DISCLAIMER: the script used by that link is hosted on the same server
where the main Clipperz application is running, so it would be quite
trivial for an attacker to compromise both the script and the
application in case of an intrusion. But if you can host the same
script on another random host, using it as a gateway to Clipperz can
greatly improve your security.

Other than this, we have been included in a project done by some
Stanford/Berkeley students on security vulnerabilities of JavaScript
bookmarklets, and they found a problem in how we used to handle
the direct login configurations collected through the bookmarklet. But
this problem has long been fixed.

We are not aware of other security issues with regard to our service.

Best regards,

Giulio Cesare
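The gateway idea described in the reply above, as an added example and not the Clipperz checksum script itself: a manifest of known-good SHA-256 digests is stored on a separate host, every downloaded application resource is hashed and compared against it, and the redirect to the real site happens only when nothing is missing, modified or unexpected. The resource contents, the manifest and the target URL are constructed placeholders.

```python
import hashlib
import hmac

# Assumed entry point; the real gateway would redirect to the Clipperz login page.
CLIPPERZ_URL = "https://www.clipperz.com/"

# Constructed sample of what the gateway downloads: resource path -> bytes.
SAMPLE_APP = {
    "index.html": b"<html><script src='app.js'></script></html>",
    "app.js": b"function login(){ /* genuine application code */ }",
}


def build_manifest(resources):
    """Record the SHA-256 of every resource. This known-good manifest must
    live on a host other than the application server, otherwise an
    intruder who changes the code can update the digests too."""
    return {path: hashlib.sha256(data).hexdigest() for path, data in resources.items()}


def verify_app(resources, manifest):
    """Return (ok, problems). Every manifest entry must be present with a
    matching digest; extra resources are reported as well, since injected
    scripts often arrive as new files rather than edits."""
    problems = []
    for path, expected in manifest.items():
        data = resources.get(path)
        if data is None:
            problems.append(f"missing: {path}")
            continue
        actual = hashlib.sha256(data).hexdigest()
        if not hmac.compare_digest(actual, expected):
            problems.append(f"modified: {path}")
    for path in resources:
        if path not in manifest:
            problems.append(f"unexpected: {path}")
    return (not problems, problems)


def gateway(resources, manifest, target=CLIPPERZ_URL):
    """Return the redirect target only when all checks pass; None means the
    gateway should show a warning instead of sending the user on."""
    ok, _problems = verify_app(resources, manifest)
    return target if ok else None


# Constructed scenarios: the genuine bundle, an altered script, an added script.
KNOWN_GOOD = build_manifest(SAMPLE_APP)
TAMPERED_APP = dict(SAMPLE_APP, **{"app.js": b"function login(){ /* altered */ }"})
INJECTED_APP = dict(SAMPLE_APP, **{"extra.js": b"/* resource not in manifest */"})
```

Running `gateway(SAMPLE_APP, KNOWN_GOOD)` yields the redirect URL, while the tampered and injected bundles yield `None` together with the list of offending paths from `verify_app`.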