Technology

81451 readers

5677 users here now

This is a most excellent place for technology news and articles.

Our Rules

Follow the lemmy.world rules.
Only tech related news or articles.
Be excellent to each other!
Mod approved content bots can post up to 10 articles per day.
Threads asking for personal tech support may be deleted.
Politics threads may be removed.
No memes allowed as posts, OK to post as comments.
Only approved bots from the list below, this includes using AI responses and summaries. To ask if your bot can be added please contact a mod.
Check for duplicates before posting, duplicates may be removed
Accounts 7 days and younger will have their posts automatically removed.

Approved Bots

founded 2 years ago

MODERATORS

L3s@lemmy.world

enu@lemmy.world

technopagan@lemmy.world

L4s@lemmy.world

L3s@hackingne.ws

254

Password managers are less secure than promised (ethz.ch)

submitted 2 days ago by Beep@lemmus.org to c/technology@lemmy.world

117 comments fedilink hide all child comments

Millions of people use password managers. They make accessing online services and bank accounts easy and simplify credit card payments.
Many providers promise absolute security – the data is said to be so encrypted that even the providers themselves cannot access it.
However, researchers from ETH Zurich have shown that it is possible for hackers to view and even change passwords.

you are viewing a single comment's thread
view the rest of the comments

[–] BennyTheExplorer@lemmy.world 2 points 1 day ago (2 children)

This comment shows that you know less about computers, than you may think. You can definetly make end to end encryption work using a Website. JavaScript runs client side. So as long as you trust the encryption algorithm (which in elements case you definetly can, because it is OSS), the encryption is safe and your unencrypted data never leaves the device.

[–] bcnelson@lemmy.world 3 points 22 hours ago (1 children)

The point is you are trusting the JavaScript that the server delivered to you. If the server is compromised, it hands you compromised JavaScript and you're screwed. It's the exact same thing as going to evil.com and entering your master password. I think that you inherently understand that evil.com is untrusted. However, if passwordmanager.com is compromised by the same people who own evil.com. there's really no difference.

[–] BennyTheExplorer@lemmy.world 2 points 21 hours ago

I understand, but wouldn't the same problem occur, if the server for the website you download your software from or the server for your package manager would be compromised? Even if you would buy your software physically on a CD, there would be a chance someone has messed with the content on a CD.

So I don't really see this as a flaw unique to browsers. Am I wrong?

[–] unexposedhazard@discuss.tchncs.de 1 points 23 hours ago* (last edited 23 hours ago)

Yes of course you CAN make it safe in theory, but unless you run the web interface locally or on your own server, you cant be certain that the javascript delivered to you from the hoster hasnt been modified. Its like having autoupdates on but you have zero control over when or how the updates take place, because every time you open the page it could be different code from the last time.

So as long as you trust the encryption algorithm (which in elements case you definetly can, because it is OSS)

How do you know that the code on elements github repo is actually the same code that you get delivered from your homeserver that is hosting the web client? Your homeserver can just modify the web clients code however it wants and deliver a backdoored or faulty version to you. Which means you dont just have to trust the open source code, but also the admin who is managing the homeserver and also the hosting provider.

Is this really so hard to understand? Literally the entire client is delivered on demand from a remote server, obviously that is insecure if you dont control that server.