Open Lantizia opened 5 years ago
A few years ago I had this in my TODO list as "Paranoid mode", and it would encrypt the localStorage with a password.
This is why permissions are always asked by default. Even if there were some application that could potentially connect using existing keys, it wouldn't have permissions to do anything automatically.
> Even if there were some application that could potentially connect using existing keys, it wouldn't have permissions to do anything automatically.

It would if you've ticked "Remember this decision" though I'm guessing? As the "some application" would be indistinguishable from the proper extension - if it has the right key. So it wouldn't be hard for something malicious to guess possible sites you've got in the database to ask for, especially if it can see your browser history too.
Yes. But you'll need both the right key + the client ID to get access.
Then again... how many of us have "autofill"? Yes, way more secure, but people will be people.
Client ID? As in the user-chosen string that is in the column on the left of the key? I thought you'd said (granted in another conversation on IRC) that this bit didn't really do anything but help you identify which key is used by what.
@Lantizia Maybe I wasn't clear enough. KeePassXC stores the key and ID, and those must match in the extension to verify the connection. Also, localStorage stores the calculated hash for the database, so even if you could copy the key and ID from another database, it won't work until a new connection is made. In this way the key and ID are always matched with the database the connection has been made with.
This is a FR based on an IRC chat with @varjolintu
Essentially if KeePassXC-Browser keeps the keys it uses to talk to the proxies (and therefore KeePassXC) in the browser's local storage... and you had some malicious bit of software on your computer that directly reads the local storage of your Firefox / Chrome / whatever... then it could ask the proxies for passwords directly - even though it's not the extension itself.
This may result in KeePassXC's site permissions dialog box popping up, but if you've ever picked 'remember' on that for the site which it is querying (something that is likely to be in a lot of databases like Facebook, Google, etc...) then it'll likely just be handed them, no questions asked.
Possibly these keys should be stored in the browser's local database in an encrypted form and you need to 'unlock' the extension before it can read them. This could just be a password (like unlocking your main KeePassXC database) and shouldn't be too tedious if people use Auto-Type.
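
The encrypted-storage idea proposed in this request, sketched as an added example (not part of the thread and not KeePassXC-Browser's own code): the connection record is encrypted under a password-derived key before it is written to browser storage, so a process that only copies the storage file gets ciphertext. The record field names, the PBKDF2 iteration count and the sample values are assumptions made for the illustration.

```javascript
// Added example, not KeePassXC-Browser code. Runs in a browser or in Node.
const webcrypto = globalThis.crypto ?? require("node:crypto").webcrypto;
const enc = new TextEncoder();
const PBKDF2_ITERATIONS = 600000; // assumed work factor

// Stretch the unlock password into a non-extractable AES-256-GCM key.
async function deriveKey(password, salt) {
  const material = await webcrypto.subtle.importKey(
    "raw", enc.encode(password), "PBKDF2", false, ["deriveKey"]);
  return webcrypto.subtle.deriveKey(
    { name: "PBKDF2", hash: "SHA-256", salt, iterations: PBKDF2_ITERATIONS },
    material, { name: "AES-GCM", length: 256 }, false, ["encrypt", "decrypt"]);
}

// Encrypt the record (hypothetical fields: id, key, dbHash) and return a
// JSON string that can be placed in localStorage instead of the plaintext.
async function lockRecord(password, record) {
  const salt = webcrypto.getRandomValues(new Uint8Array(16));
  const iv = webcrypto.getRandomValues(new Uint8Array(12)); // fresh per write
  const key = await deriveKey(password, salt);
  const ct = await webcrypto.subtle.encrypt(
    { name: "AES-GCM", iv }, key, enc.encode(JSON.stringify(record)));
  return JSON.stringify(
    { v: 1, salt: [...salt], iv: [...iv], ct: [...new Uint8Array(ct)] });
}

// Return the record, or null if the password is wrong or the blob was altered.
async function unlockRecord(password, stored) {
  const { salt, iv, ct } = JSON.parse(stored);
  const key = await deriveKey(password, new Uint8Array(salt));
  try {
    const pt = await webcrypto.subtle.decrypt(
      { name: "AES-GCM", iv: new Uint8Array(iv) }, key, new Uint8Array(ct));
    return JSON.parse(new TextDecoder().decode(pt));
  } catch {
    return null; // GCM authentication tag did not verify
  }
}

// Constructed sample values; a real record would hold the actual key and ID.
async function demo() {
  const record = { id: "constructed-client-id",
                   key: "constructed-base64-key==",
                   dbHash: "constructed-db-hash" };
  const stored = await lockRecord("correct horse", record);
  return { leaksKey: stored.includes(record.key),
           unlocked: await unlockRecord("correct horse", stored),
           wrongPassword: await unlockRecord("guess", stored) };
}
```

This protects the record only while the extension is locked; after unlocking, the plaintext key is held in the extension's memory for the session.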