search

kee-org / KeeFox

Legacy browser and XUL application integration with KeePass Password Safe. See https://github.com/kee-org/browser-addon for the new version for Firefox 57+
https://forum.kee.pm
418 stars 48 forks source link

Update user documentation for KeeFox 1.3 #194

Closed luckyrat closed 10 years ago

luckyrat commented 11 years ago

Much of the technical documentation is already updated but there have been some changes and new features so some new screenshots and updated instructions should be put onto the manual pages before 1.3 leaves beta testing.

Priority should be given to any information that is actually wrong (Rather than just omitted) since UI changes in 1.4 might require a wider review of documentation later in the year anyway.

dlech commented 10 years ago

I finally got around to reading the technical details for KeePassRPC 1.3. One thing that jumped out at me was on the security levels. In medium security, it states that the secret key will be stored in the KeePass config file using encryption based on your Windows user login. We need to have a look a the mono source code, but I am pretty sure that whatever function you are using there is not implemented. We will want to include a note on the behavior of mono when we figure out what it is.

luckyrat commented 10 years ago

Thanks for taking a look at the docs. Much appreciated.

It was a while ago now that I chose that approach but I think I checked that Mono supported it before I started to use it; it's System.Security.Cryptography.ProtectedData.Protect() that I've used. Perhaps that's not strictly the same as being based on Windows user login though so maybe that part of the documentation needs some clarification (I was probably trying to oversimplify things).

I've just pushed a new version to the 1.3dev branch which appears to work (at least for a single test login) in Thunderbird and I've been running it in Firefox for a few days so I don't think we're too far from being able to release a beta version.

It doesn't work in Linux yet (something to do with the ".NET 2.0 version" of Fleck* requiring .NET 4 but hopefully that won't take me long to resolve. Hopefully there won't be too many further Mono related problems but I can't test the encryption side of things until the plugin compiles.

krbvroc1 commented 10 years ago

Not sure of the internal mono details, but I tested medium security and it works.

System.Security.Cryptography.ProtectedData.Protect and System.Security.Cryptography.ProtectedData.Unprotect do get executed under mono 2.10.8. I verified that keyBytes[] was returned from Unprotect. Also under KeePassRPC (KeeFox options), the authorized client is listed. username is actually some sort of GUID value, but it seems to work.

luckyrat commented 10 years ago

Yeah the username could be anything really but I went with guids so it would always be unique and requires no user interaction.

dlech commented 10 years ago

I llooked it up and it is implemented. I found what was in the back of my head that made me concerned. It was System.Security.SecureString

luckyrat commented 10 years ago

This is essentially done but I'm leaving it open as a reminder that the notes regarding 1.3 being in beta testing will need to be removed once Mozilla have approved the stable release.