Open jficz opened 3 years ago
ChameleonScales
commented
3 years ago btw wouldn't it be best that nothing be cached in the first place? I'm no add-on or security expert but it seems safer to have the add-on always communicate to the server rather than caching.
marius-wieschollek
commented
3 years ago The master password is not cached anywhere right now.
… button to force deletion of stored login credentials - the Master password and the login token.
If the login token is deleted, users will have to add a new one in the settings. I'm not sure if that's a great idea.
Maybe two buttons
But where? In the "browse" tab or always present?
"panic" (forget everything and clear any caches)
everything including the server login data? like a factory reset?
I'm no add-on or security expert but it seems safer to have the add-on always communicate to the server rather than caching.
Passwords, Folders and Tags are cached in RAM because making a request to the server for every time the extension needs something will be incredibly slow and cause lots of requests to the server. Whenever you switch tabs or click on a link, the extension checks all passwords to suggest the matching entries. Fetching all passwords every time will take several seconds every time and the amount of requests will probably DDOS small Nextclouds on RaspberryPI hardware. There is also no security benefit, because the login data needs to be present in the extension anyway and if someone gets into your browsers RAM area, there is no stopping them from an extension.
ChameleonScales
commented
3 years ago Ok, very understandable then. Actually I don't think this issue belongs in the web extension but rather in the Nextcloud app since the idea of a panic button is to secure your vault across all devices that may have opened it, so the "clear cache/log out"command should be sent from the Nextcloud app down to all the devices that were connected to your account through either the web extension or the android app.
But in any case once E2E encryption is implemented in the Android app, you (the user) could then change the master password whenever you feel unsafe. Then it's just a matter of the android app and web extension catching up with that and clearing the cache if the master password has been changed. So wouldn't the issue be exceedingly solved by then ?
jficz
commented
3 years ago I was actually thinking just about the extension/browser/computer. The extension has a local cache with all the passwords, the login/token tuple and I'd imagine some kind of a cookie to access the cloud app and decrypt the passwords.
The token, as I understand it, can be used to access arbitrary function in the NC instance.
The "panic" situation, as I imagined it, is a situation where a relatively immediate threat to the browser and/or the user's computer is about to materialize and the user only has a few minutes, or even seconds to react. Clearing all the cached data, including tokens, should be enough to prevent exploitation.
I had not thought of the server side at all. That's why I posted the FR here.
If an attacker already has access to your RAM without you knowing it then it is already too late for any preventive actions. If such an attack is detected the only action to remedy the situation is changing all passwords asap, including all NC tokens, and checking all services for breaches. That is way beyond this extension imho.
Current Status Currently there is no apparent way to force logout (i.e. forget login token and/or the Master password)
Feature Description An easily accessible button to force deletion of stored login credentials - the Master password and the login token.
Maybe two buttons - one "logout" (forget Master pw) and the other "panic" (forget everything and clear any caches)