PWSAFE KEYBOARD CODE
The source code is not obscured or minified in any form, just unpack the extension and examine it at will. When designing the extensions, we took great care to protect your passwords at all times, but you are welcome to examine the extensions source-code at any time. If you happen to find any problem we missed, please report it back to us, so that we can fix it as soon as possible. Session keys depend on both sides random number generators, making it harder to exploit a PRNG fault.Ī new sequence number to prevent agains replay attacks, and On every session, new encryption and authentication keys are generated, so as to guarantee perfect forward secrecy (PFS). The user then matches both, defending against man in the middle attacks.Īfter validation, the extension and pwSafe save the other party's public key and verify it on every new connection, closing it if it changed, preventing man-in-the-middle attacks. When you first connect, both sides calculate an identifier which is a hash of both parties' public keys (RSA-2048) and display it to the user. Since the SSL certificate validation logic cannot be overridden by the extension, we use a non-encrypted HTTP connection with our own security (encryption and authentication) layer on top.Įverything but the handshake is fully encrypted (AES-CBC-256) and authenticated (HMAC-SHA-256). To defend against malicious apps on your Mac:Ĭommunications between the extensions and pwSafe are run over a standard HTTP Websocket connection to localhost. It can only report which fields are present on the webpage and, when ordered to, fill them with the provided values. The component which runs on the webpage context can't connect to pwSafe directly, so it can't send commands to it asking for more passwords.
When listing entries, it only gets titles, details (username and url) and groups.Įxtensions are broken in two main components: one running inside the displayed webpages (more vulnerable) and another one running in an isolated context (more secure).
PWSAFE KEYBOARD FULL
The full list of passwords is never sent to the extension, which only gets the password needed to fill the currently displayed webpage.
These two facts pose a series of security concerns that we address. This makes them more susceptible to malicious websites and also very restricted when it comes to interacting with the local machine.
Modern browser extensions are javascript apps that run inside the web-browser.
0 kommentar(er)
