[pass] A web view/integration

Alexandre PUJOL list at pujol.io
Mon Feb 8 10:35:04 CET 2016


According to what I have understood, in LastPass the decryption process
takes place in the browser extension. They might find a way to run the
decryption in a secure way (calling a desktop program, I suppose). The
problem with LastPass is that it is not open source, therefore we really
don't know how it works.

The point here is you don't need such a thing, because you already have
passff, the Firefox extension for pass; it calls pass for all sensitive
operations.

Moreover, it is important to keep the system simple, and therefore secure.
Using a JavaScript system to decrypt the passwords would be:
- Useless, because of the passff extension and all the other clients for
pass (iOS, Android, even Windows...)
- A layer of complexity added to the "pass web app", exposing pass to
security risks that have been avoided until today: browser security,
XSS... This is why JavaScript is not good for sensitive processes.
Furthermore it is too slow for asymmetric encryption and then
requires an external plug-in or Java. Both add a security risk and a layer
of complexity to the system.

Regards,
Alex

On 08/02/16 10:04, GOYOT Martin wrote:
> Hello Alexandre,
> 
> Thanks for the tip, I decided to use the android app.
> 
> This said, I would love you to explain to me why this would be a bad idea.
> This could work exactly like what LastPass is doing, for instance.
> 
> Regards,
> -- Martin
> 
> On Mon, Feb 8, 2016 at 10:00 AM Alexandre PUJOL <list at pujol.io> wrote:
> 
>     Using git, you can use any git server and git web app (like cgit) as a
>     pass web viewer. Then, the git server will allow you to sync your
>     passwords between your devices, and thus use the right pass client for your
>     device (pass, pass-ios, Android-Password-Store...)
> 
>     However, the git web app only outputs the tree of the password directory.
>     The content itself stays encrypted. Do NOT try to create a tool in order
>     to decrypt and output it in a web browser. As Dashamir Hoxha said, it
>     would not be a good idea at all.
>     Because you must NOT:
>     - Use any server to decrypt your password.
>     - Use JavaScript to decrypt the password directly in a web browser.
> 
>     This is why there is no pass web app; the only pass server you would
>     ever need already exists: it is a git server.
> 
>     Regards,
>     Alex
> 
>     On 07/02/16 20:57, GOYOT Martin wrote:
>     > Oh I didn't know of keybase. Looks like a really interesting project!
>     >
>     > Also, I don't know if Kenny Stier had the mailing list in copy when he
>     > replied to me, but he pointed me to two mobile applications that can
>     > deal with pass:
>     >
>     > https://github.com/zeapo/Android-Password-Store
>     > https://github.com/davidjb/pass-ios#readme
>     >
>     > I decided to give the Android app a try, and for my really small test
>     > until now, it looks good!
>     >
>     > On Sun, Feb 7, 2016 at 8:24 PM Santiago Borrazás <sanbor at gmail.com> wrote:
>     >
>     >     Also, maybe using the Keybase
>     >     filesystem https://keybase.io/introducing-the-keybase-filesystem
>     >
>     >     On Sun, Feb 7, 2016 at 10:22 AM, Dashamir Hoxha
>     >     <dashohoxha at gmail.com> wrote:
>     >
>     >         In principle, you can use `git clone` or `rsync` to copy
>     >         ~/.password-store to a portable device (usb, phone, smartphone,
>     >         etc.). You can copy there the corresponding GPG key as well.
>     >         Then, on another computer, you can tell pass to use the
>     >         data on the portable device by setting environment variables
>     >         like this:
>     >
>     >         export PASSWORD_STORE_DIR="/dev/sdb1/.password-store"
>     >         export PASSWORD_STORE_GPG_OPTS="--homedir=/dev/sdb1/.gnupg"
>     >
>     >         Or you can define an alias like this:
>     >
>     >         alias pass="PASSWORD_STORE_DIR='/dev/sdb1/.password-store'
>     >         PASSWORD_STORE_GPG_OPTS='--homedir=/dev/sdb1/.gnupg' pass"
>     >
>     >         I haven't tried this but it should work. Maybe somebody has
>     >         written a blog post or tutorial about this, with more detailed
>     >         instructions.
>     >
>     >         Sorry, I know nothing about any web interface to pass. And I
>     >         don't even think it would be a good idea.
>     >
>     >         Regards,
>     >         Dashamir
>     >
>     >         On Sun, Feb 7, 2016 at 6:11 PM, GOYOT Martin
>     >         <martin at piwany.com> wrote:
>     >
>     >             Hello there,
>     >
>     >             This is my first mail here, so if I'm doing anything wrong
>     >             please tell me. I just wanted to know if there was any web
>     >             app or mobile app that was able to deal with the pass
>     >             utility as a backend.
>     >
>     >             I've been using pass for quite some time now, and I really
>     >             love it. But sometimes I need to access my passwords and sadly
>     >             I'm not on my own computer with pass installed, my gpg key
>     >             and so on. So I was wondering if something like a web or
>     >             mobile interface capable of answering this problem already
>     >             exists.
>     >
>     >             Regards,
>     >             -- Martin
>     >
>     >             _______________________________________________
>     >             Password-Store mailing list
>     >             Password-Store at lists.zx2c4.com
>     >             http://lists.zx2c4.com/mailman/listinfo/password-store
>     >
> 
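The portable-store setup quoted from Dashamir's message above, turned into a small POSIX shell wrapper. This is an added example, not code from the thread or from pass itself; the mount point (/media/usb in the usage comment), the function names and the permission policy are assumptions. It checks that both directories exist and that the GnuPG home is not readable by other local users before handing the two variables to pass, instead of exporting them blindly.

```sh
#!/bin/sh
# Added example, not code from the thread: run pass against a password store
# and GnuPG home that live on a removable device. The thread writes the paths
# as /dev/sdb1/...; here the device is assumed to be mounted at a directory
# such as /media/usb (an assumption, adjust to your system).

# Verify the store layout under mount point $1. Returns 0 when both
# directories exist and the key directory is private, 1 otherwise, with
# the reason on stderr. Prints nothing on success.
portable_pass_check() {
    mnt=$1
    store="$mnt/.password-store"
    gpghome="$mnt/.gnupg"
    [ -d "$store" ]   || { echo "no password store at $store" >&2; return 1; }
    [ -d "$gpghome" ] || { echo "no GnuPG home at $gpghome" >&2; return 1; }
    # A private key directory that other local users can read defeats the
    # point of carrying the key on the device; GnuPG itself warns about this.
    # GNU stat first, BSD stat as a fallback; an empty result fails the check.
    perms=$(stat -c %a "$gpghome" 2>/dev/null || stat -f %Lp "$gpghome" 2>/dev/null)
    case $perms in
        700) return 0 ;;
        *)   echo "GnuPG home $gpghome has mode '$perms', expected 700" >&2; return 1 ;;
    esac
}

# ppass MOUNTPOINT pass-args...    e.g.  ppass /media/usb show mail/example
# The variables are exported only inside a subshell, so the caller's own
# pass configuration is untouched once the command returns.
ppass() {
    mnt=$1
    shift
    portable_pass_check "$mnt" || return 1
    (
        export PASSWORD_STORE_DIR="$mnt/.password-store"
        export PASSWORD_STORE_GPG_OPTS="--homedir=$mnt/.gnupg"
        exec pass "$@"
    )
}
```

A FAT-formatted stick cannot store Unix permission bits, so the mode check fails unless the device is mounted with an option such as `umask=077`; a device carrying a private key is better formatted with a filesystem that supports permissions, or encrypted as a whole.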

