krtek4 / MultiPass

Automatically log in to Basic Authentication using data based on URL regexp.
http://gilles.crettenand.info/MultiPass
Do What The F*ck You Want To Public License
88 stars, 23 forks

Encryption? #48

Closed mpern closed 5 years ago

mpern commented 7 years ago

Am I mistaken or does the extension store usernames and passwords as plaintext?

A quick look at the code does not show any kind of encryption.

krtek4 commented 7 years ago

Hi there,

You are right, the content is not encrypted locally. It is however encrypted using your Chrome Sync passphrase when synced to your Google Account.

This means that someone with access to your computer will be able to read anything stored using the extension, i.e. URL, username and passwords.

I understand this might be a security risk, but the point was never raised before and it will add complexity to the extension.

Also, there are basically two choices to do encryption effectively:

This being said, I am open to a PR introducing encryption, or I might even do it myself if enough people are interested.

Let me know what you think.

timluedtke commented 7 years ago

How about using OAuth or some other sort of already existing login-service to provide a secret for encrypting our data?

krtek4 commented 7 years ago

Hi @timluedtke ,

Thanks for the proposition. I would require a bit more information about your idea however, as I don't fully understand how you want to achieve that?

timluedtke commented 6 years ago

First security rule I would like to obey is: Never implement security on your own. Basically if we want to store a secret, we have to choose between synchronous and asynchronous encryption.

Synchronous means one password for both encryption and decryption - therefore the password shall under no circumstances be hardcoded, but would at least be plaintext in memory, if entered by the user on each browser startup (which is bad usability). Here comes the idea to use an official service to provide a user-based secret. For example an OAuth token - which is based on the user authentication and generated externally. Thus it does not need to be stored on the user's machine.

However maybe my thinking is not correct, I would like this to be challenged.

krtek4 commented 6 years ago

Hey there @timluedtke ,

Thanks for your answer. Like you said "Never implement security on your own", and, AFAIK, oAuth is a protocol meant for authorization, not at all doing any kind of encryption.

Also, I kind of fail to see the connection between symmetric and asymmetric encryption (which are more regularly used than synchronous and asynchronous I think) and using oAuth.

Going back to what I said earlier, I think we agree my first option is pretty bad from a usability standpoint. You also kind of say the same thing about my second option (asking for the password once every browser launch).

I don't think using an external service, be it oAuth or something dedicated for encryption, will make it better. As I said, the passwords are already securely stored when synced, and the only way to secure them meaningfully on your own computer is to ask for a key on a regular basis, which defeats, IMHO, the whole purpose of the extension.

I am not 100% familiar with more general password apps like 1Password or LastPass, but I imagine at least some of them might be able to autofill the Basic Authentication popup and store your password securely; that might be an option for you. For example see https://lastpass.com/support.php?cmd=showfaq&id=275

As for adding encryption to this extension, I personally don't have the time, but feel free to provide a PR or find someone to do so. I will gladly accept it if it doesn't impair users that don't want encryption.

Best,

krtek4 commented 5 years ago

Closing this with new inputs in the last year