Notably some sites are using fresh certificates that have the same (months-in-the-past) starting-validity date as their old certificates. For example, Heroku has done this.
(I can think of a few process and fee reasons this approach might be picked. Perhaps a CA might offer a free new cert and revocation, if and only if the new cert has the same validity range as the one it replaces. An ops team might prefer one consistent time of year for the ceremony of non-emergency certificate rotation.)
I didn't notice any field in the cert-viewers of Firefox or Chrome that could reliably tell the true issue-date of a new certificate.
Is LastPass just looking at the start of the validity, or does it have some way to know if the certificate is truly new?
We haven't found a way to do this -- we're using openssl s_client to get the start date, but one of our own certificates for LastPass.eu also reissued without changing the date so we know it's a problem.
We wish we had all site's certificate fingerprints from before this started so we could utilize that data -- if anyone has it, an email to securit@lastpass.com would be greatly appreciated.
You might consider reaching out to the people behind the Perspectives Project. They run 10 public notary servers [0], and chances are good that they have fingerprints for most of the widely-trafficked websites.
For example, here's the Perspectives report on lastpass.com showing the brand-new key as well as the old ones: http://i.imgur.com/hJkFTAy.png
I believe if you use a new private key but sign the same CSR the dates will not change. Ideally the old certs should be revoked which should provide some info on this. I saw this explanation on the discussion of the herokuapp.com's cert's dates not changing.
This is entirely up to the issuing CA's process. Thawte, for example, happily revokes-and-reissues certificates for free (perhaps only for "enterprise" customers?), and the newly issued certificate has the same end-validity date as the revoked certificate but the start-validity date is set to the time of issue.
I notice herokuapp.com's CA is DigiCert, so perhaps they have the opposite policy, of giving the reissued cert the same start date as the revoked cert.
I don't think there's a standard field in an X.509 cert for issue date.
It's possible to download a CA's CRL and look for revoked certs, but all you get are serial numbers and revocation dates, not subject names.
From what I had to go through, you can't really "sign the same CSR". What you do is generate a new CSR with a new private key, using the same details as the previous certificate. Then you ask your provider for a re-key. You provide the CSR, they provide you with a new certificate, and revoke the old certificate within 72 hours (in Go-Daddy's case).
The public key in the CSR should match the private key it's associated with so this wouldn't work. Also the notBefore date in the certificate is set by the CA; it's not in the CSR.
I've been meaning to switch to a password organizer rather than rely on my browser's built-in one (I know)... I've seen a few discussions on here but I haven't seen a clear victor. In your opinion, is LastPass the one I should go with? Or Keepass or OnePass or one of the others?
Edit just to say I think this is a very nice feature by LastPass and thanks for posting.
With a question like this, you're probably going to get a lot of biased options. Not because people want you to use an inferior product, but because obviously one think that what he uses it the best. For example, as a current KeePass user, I'd suggest it.
Lastpass overall is comfy, you do everything within your browser, it sync without much problems and you can use it on the go with the official applications and addons. One downside is that everything is closed source. The other one is that I find their addon is trying to do too much, and it's not polished enough (at least, their Firefox one). I've had tons of annoyances with it.
Keepass instead is awesome because it's opensource and you own your data. But you can feel that not everything is nicely integrated. I use a Firefox addon (PassIFox) for filling username/password, and it works pretty nicely, but you have to set it up (and it's kinda a pain to get it working on Linux). I use an application on Android (Keepass2Android) which has a different UX, and doesn't have the fancy input method that the lastpass app has (instead you just copy/paste, and there is a keyboard for autofilling but I find it mostly annoying). The integrated sync support only ftp/webdav, and not everyone has a server providing those around (and I never got webdav to work anyway). Sure, you can sync the file with dropbox or other "cloud" solutions, but this implies even more software in your chain.
I never got to try OnePass sadly, as there's no Linux version.
Anyway, I'd say: Try both, and see which one you prefer. Keepass is libre, and lastpass has a free tier, so you don't have to put any money in it. Just use them for a bunch of sites for a bunch of days, and then decide.
I have. KeeFox is good, and it's more akin to LastPass (feature-wise). I went with PassIFox because all I want is a simple "fill username & password" in the right-click menu, I'm fine with managing my passwords directly within KeePass.
I use LastPass and definitely recommend it. It will generate a random password for you based on definable criteria, which I like and use almost everywhere. The primary vector of mass attacks these days seems to be one compromised database leaks out, and then they use those cracked passwords to get into other sites where you used the same email/pass combination. Keeping track of hundreds of unique and secure passwords without a manager is untenable.
In a vote for lastpass (I haven't tried the others) - they just added auto filling passwords for the android app. It works pretty well (typing their generated passwords into apps that blocked copy/paste was my biggest gripe until then). I'd say that it's pretty easy to get duplicate entries for a single site which can get annoying, but it's relatively easy to delete ones if you don't get mixed up with which is the "correct" entry first.
I recently went over this and went with KeePass. It's open source, although apparently not with a public repo (just source zips). I'm in the process of verifying it and building it for myself. I used to use PasswordSafe, but I think I have a higher chance of missing a backdoor in C than in C#. (I removed all the native stuff from my copy of KeePass.)
For critical stuff, I want to minimize the amount of proprietary stuff. I already have Windows (as a VM host), Lenovo and VMware to trust - but at least that's not directly connected to the Internet[1]. Why add a third party that could suffer a remote compromise or worse?
1: Host runs VMs, has no protocols bound to NIC but passes it through to a gateway VM which acts as a router for the other VMs. KeePass can run on the host, so a VM compromise is somewhat limited.
I use and really like LastPass. In particular, its integration with browsers (and my smartphone) with the random password generation means that my passwords are all unique and non-rememberable (and thus unphishable, since I rely on LastPass to fill the password for me, which it only does on a domain match).
Things like their security check are just icing on the cake.
You are likely not to see a clear victor in this thread either. People who use/like LastPass will say so, and those who use others will throw in the vote there. You can also google 'Option 1 vs Option 2' and get a bunch of results. Best you try them yourself and see which one you like!
Lots of recommendations already, but I'll throw in a vote for Pass[0]. It's simple, cross-platform, and doesn't require trust in any service--although you do need to trust yourself not to lose your gnupg private key.
I've been using this too, highly recommended. Very simple and usable command-line interface, integrates with Git to share all encrypted passwords across machines.
It's a bad idea to trust your secrets with a proprietary web service. Free software is a prerequisite for digital security. Best to use a free software password manager that you can run on your own computer.
As recent events have clearly demonstrated, FOSS is by no means immune to security holes. Is paid, closed-source software less secure? On one hand, it does lack community oversight of the code base. (Although clearly with a sufficiently complex code base, backdoors can exist for years without anyone noticing anyway, and it could be argued that intentional back doors would be more easily installed in open source projects.) On the other hand though, paid software is operated by a team whose job it is to keep the service secure.
All that aside though, I certainly can't see any logical argument for the statement "Free software is a prerequisite for digital security." It could be argued that open source software is such a prerequisite (although I wouldn't necessarily agree), but if anything I expect that paying for software would ultimately tend to make it more secure.
I keep my KeePass database synced between devices using a Dropbox-like service that I self-host, so the file is never out of my control. But even if someone grabs the database off my machine or in transit, it's no good if they don't know my master password.
I've been using http://www.zx2c4.com/projects/password-store/ which handles that by integrating with Git, encrypted passwords are stored in a Git repo and all changes are recorded as Git commits. It's no more difficult than using a centralized third-party service, provided you have somewhere to host a Git server for it.
KeePass has a basic builtin sync, with addons for more/better protocols, or if you primarily use one device with others as more readonly, you can just copy the file yourself.
Because it's typical free-software-uber-alles posturing lacking logic.
Besides, it lacks applicability in this case. LP encrypts all your stuff client side before sending it along for storage, and the browser plugins that handle this are open source by way of being browser plugins. Whatever happens server side after that is mostly irrelevant.
My biggest problem with LastPass, and this is a small problem, is that it fucks up on a fair amount of input fields. So for example, it still works, but its icon is too huge for site example.com so it is awkaward or it thinks it is a username and password form but it is actually a signup form with username password1 password2.
Used to use LastPass, but I've disliked some of their recent decisions. Their Android app is getting bulkier by the update; it includes a full blown web browser inside the app. Their Firefox extension seems to be no longer maintained as well. I switched to KeePass + Dropbox and have been enjoying it. If you use OSX, I strongly recommend http://mstarke.github.io/MacPass/
We've always had a full blown web browser in the app -- it's been the only viable way to fill passwords in for years. Literally the first option we added.
We also have an extension into Dolphin, and you can utilize Chrome utilizing our fill method -- if you don't like them there are options to disable them too reducing the perceived extra bulk.
"it's been the only viable way to fill passwords in for years"
Call me old fashioned, but I'd rather copy/paste than rely on the web browser within the app. The lack of attention for the desktop Firefox extension is what drove me to alternatives. After switching away, I realized I was paying for a payed proprietary system with no real benefits from an open source solution.
Regarding firefox -- Are you speaking of the fact that Mozilla refused our Firefox updates for over a year?
We're happy you found a tool that works for you -- that's what we want everyone to do -- it doesn't need to be LastPass but people need to use something -- reusing passwords constantly is just painful.
Out of curiosity, what were their reasons for refusing the updates? I have my own gripes with the AMO team, but I've never had an extension update refused
I don't know about Safari, but the built-in password manager in most browsers are very light on features and have abysmal security. AFAIK Chrome still refuses to let you set a master password to protect your other passwords. Firefox is better, but the user interface is bare bones compared to a dedicated password manager.
I suspect that the password manager in most browsers have received less attention than it deserves, partly because all the vendors been trying very hard to get people to drop passwords altogether. Mozilla pushed Persona, Google pushed Google accounts, Microsoft pushed Microsoft accounts. I wonder if Mozilla will start paying attention to the password manager now that it has given up on Persona.
LastPass et al. have a lot of additional features that make a lot of sense once you accept that you'll be stuck with dozens of passwords for the foreseeable future. For example, LastPass offers to generate a random password for each site, recognizes when you change your password, helps you organize websites into categories, and alerts you to weak passwords.
There are some sites that try to disable the ability to save passwords and 3rd party password managers usually override this. Another thing that's really nice is having the LastPass extension on Firefox, Chrome, and Safari on the same computer and not having to worry about if they are using the system keychain or not. In my experience, form filling with credit card information has been less error prone with LastPass as well. I thought at one point Safari was requiring the CVV number to be manually entered too. I could be mistaken.
TL;DR Firefox with a strong master password was considered safe at the time of that article's writing (June 2013). That + Firefox Sync is what I use - I would also be interested in anything more up to date on why this is or isn't a good idea.
It’s not the job of the browser to secure your data against OS-level adversaries, that’s the job of the OS (e.g. by using file permissions to protect against other users and ideally also MAC to protect against other software). It’s not even the responsibility of the browser to protect against someone else walking up to your computer while you’re using the toilet, that’s the job of the screensaver.
It is, however, the browser’s job to protect your passwords against other websites and the like, and I would be worried if there were bugs in that area, but your link doesn’t say anything about them (note also that using a password manager with an extension for protection against someone taking over the browser is useless, as that someone also owns the extension and hence can impersonate it towards the seperate password manager).
This is what I'm going with. Something simple enough that I can understand what's going on and get to my passwords and create new passwords without the program.
It works on EVERY platform because gpg is available for EVERY platform and it's just a bunch of files in a hierarchy, so however your sync files, you sync these.
It has as strong a master encryption as your gpg key and git is a great way of versioning your passwords: "wait, I used to have the same password for gmail and yahoo mail, but then I stopped using yahoo mail and changed my gmail password to something really secure, but now I need to get into yahoo for some reason (yes, literati, I still love you). git log --grep accounts.google.com".
If you're looking for an open source alternative that is easy to use and not as clunky as KeePass, 1Password or LastPass, you should take a look at Padlock: http://padlock.io/
It's still in alpha but will be released on all major platforms once its ready.
KeePass if you don't trust third parties and security is top priority, so you want an open source product that isn't web-based. (Disclosure: I use KeePass personally).
LastPass if sync/mobility is most important and you're fine trusting a (US?) company.
I use LastPass for years now and I definitely recommend it. I tried to set up KeePass and god what a nightmare that was. You need a PhD in setting up the thing before you can use it comfortably.
I wish there was (or maybe there is) a protocol for updating your password. Then managers like lastpass and 1Password could more easily update your password. Maybe, behind the scenes they could rotate your password every x days automatically. Having a protocol in place would also make breach notices an easy "update all passwords" click away.
There's probably a reason this is a bad idea. Let's hear it! :)
It discourages two-factor auth for password change requests (such as site username and access to your email account), it adds an additional point of failure, and it would make it easier for attackers to lock you out of your account once they gain entry.
Plus, if any changes are to be made to the authentication process it should be migrating to two-factor auth across all services.
Definitely, as long as there was a common standard (and open source, of course). Have a keychain token that you can link to accounts, then enter a password on that and it gives you a (time limited) key to use to login.
there are some obvious discouragements, as outlined by grrowl in another comment, but I agree with you that it would be nice. Security and convenience have a well known relationship.
I've thought it would be nice to consolidate 2-factor authentication methods in a single service, then require a single, 2nd factor authenticator for access to the service or vault. So a yubi-key like authenticator with your lastpass that then authenticates using 2-factor protocols of some sort automatically; again, trading security for convenience, but would also allow for things like auto-changing of all passwords (which happening more often couldn't hurt security) while still under protection of a 2-factor authentication.
Wait. When I click "Security Check" in my LastPass Tools... menu (this is in Chrome), I get taken to an internet-hosted web page where I'm prompted to enter my master password. [1] I am not taken to a chrome:// page or some other client-side tool.
I take this to mean that I'm giving LastPass's web server my actual master password, and that they will do server-side decryption of my Vault and have server-side access to my passwords in cleartext.
NO! It's all done locally via JavaScript -- we never want to get your master password / encryption key -- we go through great pains to ensure that never happens.
If you wanted to, it's not too tough to extract the source code of their browser add-ons to verify for yourself that your vault is encrypted before being sent to their servers, and that your master password is not sent. (And of course with this tool it's relatively trivial to look through the javascript to verify the same.)
So while you can't look at the code running on their servers, it seems to me that you certainly can know they don't have access to your vault.
How does their "Updated Cert?" check work? If it's just checking notBefore, it's going to have a ton of false negatives, as a lot of CAs are just re-issuing certs using the original notBefore.
There really should be a disclaimer that this tool is useless when checking certificates re-keyed with the same starting and end dates. It could create a reputational risk for sites that are otherwise safe or patched.
I've love to see an actual list, officially backed, with website's URL and whether it has been fixed or not. Also with the ability to submit URLS. Seems this would be more productive than to let everyone look up their own sites manually.
perhaps it has been updated in the last 12 minutes, but that doesn't say LastPass is vulnerable. They are using a new cert, it's just saying they might be vulnerable because LastPass can't detect the server's operating system.
Computer Misuse Act 1990, section 1.1. The test for the vulnerability requires running the exploit, whose only function is to secure unauthorised access to data held on the remote machine. Seems fairly clear-cut to me.
(1)A person is guilty of an offence if—
(a)he causes a computer to perform any function with intent to secure access to any program or data held in any computer [F1, or to enable any such access to be secured]F1 ;
(b)the access he intends to secure [F2, or to enable to be secured,]F2 is unauthorised; and
Lastpass is not trying to secure the web wervers with the check
(I can think of a few process and fee reasons this approach might be picked. Perhaps a CA might offer a free new cert and revocation, if and only if the new cert has the same validity range as the one it replaces. An ops team might prefer one consistent time of year for the ceremony of non-emergency certificate rotation.)
I didn't notice any field in the cert-viewers of Firefox or Chrome that could reliably tell the true issue-date of a new certificate.
Is LastPass just looking at the start of the validity, or does it have some way to know if the certificate is truly new?