browserpass / browserpass-legacy

Legacy Browserpass repo, development is now happening at:
https://github.com/browserpass/browserpass-extension
MIT License

Match: Try without TLD #183

Closed soullivaneuh closed 6 years ago

soullivaneuh commented 6 years ago

Some websites may have multiple TLDs, and in some cases it's better to store only the site name and not the TLD, like github instead of github.com.

If default search of extension is github.com, nothing will be found.

It would be very great to have a double match if a TLD is provided.

  1. Search with the full term.
  2. If there is no match and the term contains a TLD (e.g. .com), try again without the TLD.

maximbaz commented 6 years ago

Hey, one of the main purposes of this extension is to prevent phishing attacks. What you suggest would be a huge security flaw, as an attacker might create a phishing website github.co where we absolutely do not want browserpass to fill in credentials.

There is another way to reuse the same credentials on multiple websites, which I personally use and recommend to everyone else: just create a symlink for every secondary website where you allow these credentials to be used!

For example, your password store might look like this:

amazon.com.gpg
amazon.co.uk.gpg -> amazon.com.gpg

Unfortunately due to #85 right now you cannot symlink entire directories, so if you have multiple credentials for amazon.com, you'd have to symlink every single one separately:

amazon.com/
    user1.gpg
    user2.gpg
amazon.co.uk/
    user1.gpg -> ../amazon.com/user1.gpg
    user2.gpg -> ../amazon.com/user2.gpg

UPDATE: the bug is fixed, now this works!
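The layout above, as an added example that is not part of the original thread or of browserpass itself: the script builds the store in a temporary directory, whitelists a second domain with symlinks exactly as described, and looks entries up by the full hostname only, so a look-alike domain such as github.co finds nothing. The `github.io` entry and the `lookup`/`count_matches` helpers are constructed for the demonstration; the `.gpg` files are empty stand-ins for real encrypted entries.

```shell
#!/bin/sh
# Added example, not browserpass code: a minimal password-store layout that
# whitelists secondary domains via symlinks, plus an exact-hostname lookup.
# File names are constructed sample data; the .gpg files are empty placeholders.

STORE="$(mktemp -d)"
trap 'rm -rf "$STORE"' EXIT

# amazon.com has two accounts; amazon.co.uk is allowed to reuse both of them.
mkdir -p "$STORE/amazon.com" "$STORE/amazon.co.uk"
: > "$STORE/amazon.com/user1.gpg"      # stands in for a real gpg-encrypted entry
: > "$STORE/amazon.com/user2.gpg"
ln -s ../amazon.com/user1.gpg "$STORE/amazon.co.uk/user1.gpg"
ln -s ../amazon.com/user2.gpg "$STORE/amazon.co.uk/user2.gpg"

# A single-file entry is whitelisted the same way (github.io is a constructed
# example of a second domain the user explicitly trusts).
: > "$STORE/github.com.gpg"
ln -s github.com.gpg "$STORE/github.io.gpg"

# lookup HOST: print every entry matching HOST exactly, one per line.
# Accepts both the "HOST.gpg" and the "HOST/*.gpg" layouts; symlinks are
# followed and dangling ones skipped. Nothing is stripped from HOST, so a
# look-alike such as "github.co" only matches if the user created that entry.
lookup() {
    host="$1"
    if [ -f "$STORE/$host.gpg" ]; then
        printf '%s\n' "$host"
    fi
    if [ -d "$STORE/$host" ]; then
        for f in "$STORE/$host"/*.gpg; do
            [ -f "$f" ] || continue          # skips the unexpanded glob and dangling links
            printf '%s/%s\n' "$host" "$(basename "$f" .gpg)"
        done
    fi
}

# count_matches HOST: number of matching entries, as a bare integer.
count_matches() {
    lookup "$1" | wc -l | tr -d ' '
}

lookup amazon.co.uk      # amazon.co.uk/user1 and amazon.co.uk/user2
lookup github.io         # github.io
lookup github.co         # prints nothing: the look-alike domain gets no credentials
```

Because the whitelist lives in the store as ordinary filesystem links, `pass ls` shows the secondary domains alongside the primary one, and removing a link revokes that domain without touching the real entry.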

soullivaneuh commented 6 years ago

@maximbaz Thanks for the reply.

I understand the security "issue", even if I think this does not belong to the extension. Maybe as an option?

Are symlinks created with the pass command, or do they have to be made manually?

Is that correctly handled with pass ls?

maximbaz commented 6 years ago

This is a serious security issue, please see #146 for a discussion about this. This will not be created even under an option.

Symlinks are a secure way to whitelist those websites that need certain credentials. Create symlinks with ln -s; pass does not provide functionality to create them, but it handles existing symlinks well.

soullivaneuh commented 6 years ago

I don't see the issue for an option if the user is correctly warned. It's up to him to take care of the website URL IMHO.

But ok if you don't want. At least it's open-source and can be edited. ;-)

soullivaneuh commented 6 years ago

BTW, about link creation: passwordstore does not actually handle it.

So yes you can do ls but:

Regards.

maximbaz commented 6 years ago

I use symlinks on Linux and helped set them up on Windows (the command is mklink); pass on Linux, qtpass on Windows and browserpass on both OSes recognize the links correctly. Could you tell me what exactly is not properly handled in your case? I'd like to know about the downsides of this approach, as I tend to recommend it to everyone 🙂