[pass] web interface to password-store

Emil Lundberg lundberg.emil at gmail.com
Wed Mar 9 23:40:21 CET 2016


Well, even if you carry the app with you on a USB stick you'll still need
to be able to trust what's on it. Otherwise someone could borrow it and
modify the app to, say, send your private key to their web server. So
unless you never let the USB stick out of your sight, you'll need to have
the block device encrypted and/or have the app cryptographically signed.
Either way, you'll need some separate trusted crypto software to either
decrypt the block device or verify the app signature. And then you'll still
be vulnerable to browser bugs allowing for, say, information leakage or
code injection across tabs (although that would probably need to be attacks
specifically targeted against your app).

If you do never let the USB stick out of sight - or manually check all the
source code each time you use it - then I suppose you should be reasonably
safe. If not, I suggest weighing the risks against how paranoid you want to
be.

/Emil

On Wed, 9 Mar 2016, 19:46 eirc, <eirc.eirc at gmail.com> wrote:

> I've made this https://github.com/eirc/pass.js which is a simple webpage
> where you drop the key & encrypted file and it decrypts the file in the
> browser. Many people have raised concerns about JavaScript security and I
> don't know if it really fits your use case but I'll just throw it out there.
>
> On Tue, Mar 8, 2016 at 9:14 AM, Sergei G <sergeig.public at gmail.com> wrote:
>
>> Hi,
>>
>> I just ran into https://www.passwordstore.org and it appears to be a
>> great application.  I especially like many import types.  I would have to
>> import from 1password application as it is getting expensive to keep up.
>>
>> I have a self-hosted web server at home and I'd like to be able to access
>> my passwords using web interface.  Is there a web application for that
>> scenario?  Is it easy to maintain for family members?
>>
>> Or is it intended that iPhone/Android and other desktop applications can
>> get to the server data?  What is the access method in this case (REST over
>> web, dropbox, ssh, etc)?
>>
>>
>> thank you
>>
>> _______________________________________________
>> Password-Store mailing list
>> Password-Store at lists.zx2c4.com
>> http://lists.zx2c4.com/mailman/listinfo/password-store
>>
>>
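Added example, not part of the original thread and not code from pass or pass.js: one way to check a portable copy of a browser app against a trusted hash manifest before opening it, reporting modified, added and missing files. It assumes the manifest itself is kept off the stick or has had its signature checked by separate trusted software, as the message above requires; the function names and the demo files are hypothetical.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large bundles do not need to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(app_dir) -> dict:
    """Map every file's relative POSIX path to its SHA-256 digest."""
    root = Path(app_dir)
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def verify_app(app_dir, trusted_manifest: dict) -> dict:
    """Compare the directory with the trusted manifest.

    Added files are reported as well: a new script on the stick is as
    much a change to the app as an edit to an existing one.
    """
    current = build_manifest(app_dir)
    return {
        "modified": sorted(name for name in current
                           if name in trusted_manifest
                           and current[name] != trusted_manifest[name]),
        "added": sorted(set(current) - set(trusted_manifest)),
        "missing": sorted(set(trusted_manifest) - set(current)),
    }


def is_untampered(report: dict) -> bool:
    return not any(report.values())


def demo():
    """Constructed sample: a two-file app, checked before and after changes."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "index.html").write_text("<script src='app.js'></script>\n")
        (root / "app.js").write_text("// constructed placeholder app code\n")
        manifest = build_manifest(root)   # taken while the copy is trusted
        clean = verify_app(root, manifest)
        (root / "app.js").write_text("// constructed unauthorised edit\n")
        (root / "extra.js").write_text("// constructed unexpected file\n")
        return clean, verify_app(root, manifest)
```

The check is only as trustworthy as the machine and interpreter it runs on and the source of the manifest, and it does not address the browser-level risks the message mentions.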