Closed soullivaneuh closed 6 years ago
Hey, one of the main purposes of this extension is to prevent phishing attacks. What you suggest would be a huge security flaw, as an attacker might create a phishing website `github.co` where we absolutely do not want browserpass to fill in credentials.
There is another way to reuse the same credentials on multiple websites, which I personally use and recommend to everyone else. Just create a symlink for every secondary website where you allow these credentials to be used!
For example, your password store might look like this:

```
amazon.com.gpg
amazon.co.uk.gpg -> amazon.com.gpg
```
Unfortunately, due to #85 right now you cannot symlink entire directories, so if you have multiple credentials for amazon.com, you'd have to symlink every single one separately:

```
amazon.com/
    user1.gpg
    user2.gpg
amazon.co.uk/
    user1.gpg -> ../amazon.com/user1.gpg
    user2.gpg -> ../amazon.com/user2.gpg
```
UPDATE: the bug is fixed, now this works!
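To see why the symlink whitelist is safe while the TLD-stripping fallback proposed in this issue is not, here is an added example (not browserpass's own code) that builds the constructed store above in a temporary directory, including a directory symlink, and runs two lookups over it: a simplified host-and-parent-domain match standing in for the extension's search, and the same match with a "retry without the TLD" fallback. The matching rules are an assumption for illustration, not browserpass's actual algorithm.

```python
import os
import tempfile
from pathlib import Path

def build_store(root: Path) -> None:
    """Constructed sample store: real entries plus symlinks that whitelist
    a secondary domain, as recommended in the comment above."""
    (root / "amazon.com").mkdir()
    (root / "amazon.com" / "user1.gpg").write_bytes(b"ciphertext")
    (root / "amazon.com" / "user2.gpg").write_bytes(b"ciphertext")
    # Directory symlink: every amazon.com login is allowed on amazon.co.uk.
    os.symlink("amazon.com", root / "amazon.co.uk", target_is_directory=True)
    (root / "github.gpg").write_bytes(b"ciphertext")  # stored without a TLD

def entries_for(root: Path, name: str) -> list[str]:
    """Entries stored as <name>.gpg or inside <name>/ (symlinks are followed,
    so a linked directory behaves exactly like a copy)."""
    hits, single, folder = [], root / f"{name}.gpg", root / name
    if single.is_file():
        hits.append(name)
    if folder.is_dir():
        hits += sorted(f"{name}/{p.name[:-4]}" for p in folder.iterdir()
                       if p.suffix == ".gpg")
    return hits

def strict_lookup(root: Path, host: str) -> list[str]:
    """Match the host and its parent domains only
    (www.amazon.co.uk -> amazon.co.uk -> co.uk -> uk). Assumed rule."""
    labels = host.split(".")
    return [e for i in range(len(labels))
            for e in entries_for(root, ".".join(labels[i:]))]

def tld_fallback_lookup(root: Path, host: str) -> list[str]:
    """The proposal from the issue: if nothing matched, retry without the TLD.
    A look-alike host such as github.co now receives the github entry."""
    hits = strict_lookup(root, host)
    if not hits and "." in host:
        hits = entries_for(root, host.rsplit(".", 1)[0])
    return hits

def demo() -> dict[str, list[str]]:
    """Run both lookups against the constructed store."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_store(root)
        return {"strict www.amazon.co.uk": strict_lookup(root, "www.amazon.co.uk"),
                "strict github.com": strict_lookup(root, "github.com"),
                "strict github.co": strict_lookup(root, "github.co"),
                "fallback github.co": tld_fallback_lookup(root, "github.co")}

if __name__ == "__main__":
    for query, hits in demo().items():
        print(f"{query:26} -> {hits}")
```

The strict lookup finds both amazon logins on the symlinked domain and nothing for `github.co`; only the fallback hands the `github` entry to the look-alike host.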
@maximbaz Thanks for the reply.
I understand the security "issue", even if I think this does not belong to the extension. Maybe as an option?

Are symlinks created with the `pass` command, or do they have to be done manually? Is that correctly handled with `pass ls`?
This is a serious security issue, please see #146 for a discussion about this. This will not be created even under an option.
Symlinks are a secure way to whitelist those websites that need certain credentials. Create symlinks with `ln -s`; pass does not provide functionality to create them, but it handles existing symlinks well.
I don't see the issue for an option if the user is correctly warned. It's up to him to take care of the website URL IMHO.
But ok if you don't want. At least it's open-source and can be edited. ;-)
BTW, about link creation, passwordstore does not actually handle it.
So yes, you can do `ls` but:
Regards.
I use symlinks on linux and helped set them up on windows (the command is `mklink`). `pass` on linux, `qtpass` on windows and `browserpass` on both OSes recognize the links correctly - could you tell me what exactly is not properly handled in your case? I'd like to know about the downsides of this approach, as I tend to recommend it to everyone 🙂
Some websites may have multiple TLDs, and in some cases it's better to store only the site name and not the TLD, like `github` instead of `github.com`. If the default search of the extension is `github.com`, nothing will be found. It would be very great to have a double match: if a TLD is provided (`.com`), try again without the TLD.