

Clipperz - Competition for PassPack?

Posted by Cyndy Aleo-Carreira on April 3rd, 2007

I recently professed my love for PassPack. However, I am a techno-weenie, and when something that promises to be even cooler comes along, I am compelled to at least give it a test run. Clipperz has been getting quite a bit of press lately, and when we here at Profy were asked to give it a look, I jumped on the task. I'm not the most organized of people, and if someone is going to promise to keep me organized even better than someone else, well, I'm going with whoever emulates an online Martha Stewart best.

Clipperz claims it is “more than a password manager” by touting its three features: secure password manager, single sign-on solution, and “digital vault for all your secrets.” By using Clipperz as your go-to site, you can log into any site from their interface, simply by saving your log-in information for the site to Clipperz. It also claims anonymity because, like PassPack, you don't ever use your email address to log in.

Clipperz is tied to Mozilla-based browsers, meaning that unless you are using Mozilla, Firefox, or SeaMonkey, you are out of luck if you'd like to use it. They also claim that their site is safe because the information is encrypted by the browser before it is ever sent up to the Clipperz servers, meaning that even the Clipperz DBA can't access your information.

Now, here's where my heebity-bejeebies come into play: Clipperz uses a JavaScript library for its cryptographic functions that's been released under a BSD license. It includes several third-party libraries as well. Now, I'm a suspicious ex-coder by nature, and the minute you start adding third-party code, you add any number of possible security holes from developers you don't know. Mind you, I'm a huge proponent of open-source software, but when it comes to protecting things like my credit card information, I really would like the software to be kept in-house as much as possible. Their model seems to almost beg for hackers to reverse-engineer things. The very fact that it allows you to log in directly from their app would be enough to taunt anyone phishing to see how much they could pull out of the browser on log-in. Add in that it is tied into the browser, and I'm afraid of the possibility of an exploit that would take over your browser, access credit card information, and spend away.

Don't get me wrong; Clipperz is a very attractive application. The interface is very user-friendly and looks smooth. And the functionality is impressive. However, I wouldn't be able to trust it with my information. I'm just not that trusting.

[Clipperz screenshot]



Trackbacks

Web2.0 Effect Blog Web 2.0 Blog Technology Help » Blog Archive » Ajax Exploit Threatens Web 2.0 Security April 6th, 2007 at 7:42 am

[…] In the comments section of my review of Clipperz, CEO of Clipperz Marco Barulli disagreed with my concerns about using third-party libraries for Clipperz, as well as an open-source JavaScript cryptographic library. Fortify Software would seem to agree with me, releasing an advisory this week on a known vulnerability in Web 2.0 sites that rely on Ajax. […]

PassPack and Clipperz: The Difference? « PassPack - The Blog April 10th, 2007 at 4:58 am

[…] April 10th, 2007 I’m writing this post in reply to this comment: “[…]maybe you could say something about why PassPack is better than Clipperz - if you are? The technical solutions look very similar …” . Additionally, a few articles have recently popped up comparing Clipperz as a new competitor for PassPack. So far, it’s been very exciting to see this discussion grow, particularly on Profy where it spawned a second article on Ajax and Web 2.0 Security. […]

Clipperz Updating with Greater Accessibility June 13th, 2007 at 2:00 am

[…] Since my initial review, Clipperz has added language support created by dedicated Clipperz users in Portuguese and Japanese, added support for Internet Explorer and Opera browsers, released a scaled-down version called Clipperz Compact that works with Firefox and Opera to allow direct login to sites from the sidebar, and introduced card templates that allow easier input of data using pre-defined information. […]

My password manager | The Danesh Project June 30th, 2007 at 4:18 pm

[…] Clipperz - Competition for PassPack? […]

dev » Blog Archive » My password manager July 8th, 2007 at 1:18 pm

[…] Clipperz - Competition for PassPack? […]

Comments

Marco Barulli April 3rd, 2007 at 2:26 pm

Cyndy,
hackers don’t need to reverse-engineer anything: the source code is in plain sight, they (and security experts as well) can freely download it.
We also provide detailed instructions here
http://www.clipperz.com/learn_more/reviewing_the_code

Transparency is the only way for us! We are paranoid about it.
Otherwise how can we expect people to trust us?

Thanks for the review,
best regards,
Marco

PS
Show me one single point where Clipperz security is weaker than Passpack and I’ll buy you a drink!
(Not to mention features: offline version, secure automated login, …)

;-)

Alex April 6th, 2007 at 9:34 am

Hey Marco, I’m a passpack user. I had a look at Clipperz and…
Passpack has an anti-phishing message, password scramble, data backup and rollbacks, auto-lock functions…
Where can I get my drink? :)

Marco April 6th, 2007 at 10:01 am

Ciao Alex,

1. Anti-phishing
Clipperz has checksums to verify the integrity of the code.
(Clipperz does not want to know any personal data of you in clear, when we say zero-knowledge app we mean it!)

2. Password scramble
Click on the star of your masked password and then Ctrl-C.
Your password is already in your clipboard.

3. Data backup
We have way more than simply a backup! We have a read-only offline version.
Download your offline copy and you are done! Move it on a USB stick and enjoy Clipperz security and mobility.

4. Rollback
Clipperz will add card versioning very soon.
(It’s already there, we need just to design the interface)

5. Auto-lock
You got it! Clipperz is still missing this feature, but not for long.

You can get your drink in London on April 19th.
I’m going to attend the OpenCoffee meeting at Starbucks on Regent Street.
I will demo Clipperz to anyone interested.

Regards,
Marco

Francesco April 7th, 2007 at 2:40 am

Hello all. I'm Francesco Sullo, Software Architect for PassPack (http://www.passpack.com).

Marco, I agree that the base security level of Clipperz and PassPack is fundamentally the same. We also use open-source libraries, which we have (obviously) fully studied and modified to adapt to PassPack's needs.

However, I disagree on your reply to Alex's comment.

The checksums to verify code integrity are *not* an anti-phishing mechanism. They are useful to check for code injection (for example, during a man-in-the-middle attack), but SSL alone is sufficient to guarantee a good level of security in this case.

Anti-phishing is different. For an anti-phishing technique to work, the user must not only be *able* to authenticate the server - but he must be *required* to do so. Why? Because users are lazy, or in a hurry, or tired, or multi-tasking or any combination of those things. If they aren't forced to be careful, they won't be.

PassPack's anti-phishing Welcome Message is a technology that allows the user to immediately recognize the server - they have no choice. It's similar to Yahoo's pattern, but eliminates the need for cookies (which we all know are inherently unsafe). This is possible thanks to our double access technique: first access the account, then the encrypted pack. The user logs in with User ID and Pass, the server authenticates the login and, if the user is connecting from one of the IP addresses saved inside his account, he will be shown his personal Welcome Message. Remember that at this point in the process, the user's data is still completely secure and encrypted. Only *after* the user reads the Welcome Message can he type in his Packing Key - or not. If the Welcome Message is incorrect or missing, he will immediately become suspicious and check the address bar.

Simple, isn't it? But 99% of web sites on the web can't use a similar mechanism because they use a single password approach.

I just want to clarify that the user chooses his own welcome message, and that together with his standard set of IP addresses it is saved to his account. You know, as well as I do, that there is no way for PassPack to access that information without the user's password, which naturally, we don't have. PassPack, like Clipperz, employs the Host-Proof Hosting Pattern (http://ajaxpatterns.org/Host-Proof_Hosting) - but we also add the extra layer of security with the Packing Key.

About "offline version" and "data backup" - these are two very different things. Despite the fact that I'm an advanced user, I had a difficult time using your offline version. On the other hand, making a backup or restore in PassPack is extremely simple. Should a PassPack user accidentally delete his entire account, he could simply make a new account then upload all his passwords at once using his backup copy. With your offline version, if I accidentally delete my online account, I cannot restore my data except maybe by copying and pasting the cards one-by-one from my offline version to my new account.

However, despite the differences, I'm sure that just as you'll introduce a backup procedure in the near future, PassPack will introduce an offline version. :)

PassPack's rollback feature is a great way to allow a user who has changed his Pass or Packing Key, and then forgotten the new one, to recover his previous data. I, personally, had this problem and I was able to fully recover my data because the restore-points have been active since PassPack's Beta 1 version (we're at Beta 4 now).
We currently do the rollback manually, and we've successfully done this already for a number of our clients.

Ok, I didn't want to be long winded. Let me just say that I am a good judge of good work, and Clipperz has a solid foundation. It's just that your philosophy is different from PassPack's. I guess only time will tell. :)
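The two-stage login Francesco describes above, as an added example that is not part of his comment and is not PassPack's code: a stdlib-only Python simulation in which the server verifies the Pass, releases the user-chosen Welcome Message only when the request comes from a saved IP address, and the client unlocks the pack with the Packing Key only after the message is recognised. The `Server`, `PhishingSite` and `demo` names, the PBKDF2 derivation, the toy HMAC-based cipher and the sample account (`alice`, `203.0.113.7`, the message `blue teapot 42`) are assumptions constructed for this illustration, not PassPack's implementation.

```python
"""Simulation of a two-stage login with an anti-phishing Welcome Message.
Everything here (names, cipher, sample account) is constructed for the example."""
import hashlib
import hmac
import secrets


def kdf(secret: str, salt: bytes, label: bytes) -> bytes:
    # PBKDF2-HMAC-SHA256 keeps the example stdlib-only; the iteration count is illustrative.
    return hashlib.pbkdf2_hmac("sha256", secret.encode() + label, salt, 50_000, 32)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC-SHA256 in counter mode; a toy stream cipher, not a recommendation.
    blocks = (hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range((length + 31) // 32))
    return b"".join(blocks)[:length]


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Toy encrypt-then-MAC; a real system would use an AEAD such as AES-GCM."""
    nonce = secrets.token_bytes(16)
    body = bytes(p ^ s for p, s in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, b"tag" + nonce + body, hashlib.sha256).digest()
    return nonce + body + tag


def decrypt(key: bytes, blob: bytes) -> bytes:
    nonce, body, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, b"tag" + nonce + body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("blob tampered or wrong key")
    return bytes(b ^ s for b, s in zip(body, _keystream(key, nonce, len(body))))


class Server:
    """Per user it stores a verifier for the Pass, the Welcome Message and trusted
    IP list encrypted under a key derived from the Pass, and the pack encrypted
    client-side under the Packing Key. At rest it can read none of them."""

    def __init__(self):
        self.accounts = {}

    def register(self, user, password, welcome, trusted_ips, encrypted_pack):
        salt = secrets.token_bytes(16)
        profile = (welcome + "\n" + ",".join(trusted_ips)).encode()
        self.accounts[user] = {
            "salt": salt,
            "verifier": kdf(password, salt, b"auth"),
            "profile": encrypt(kdf(password, salt, b"profile"), profile),
            "pack": encrypted_pack,          # opaque to the server: Packing Key never arrives
        }

    def login(self, user, password, source_ip):
        """Stage 1: authenticate, then release the Welcome Message only from a saved IP.
        Returns None on every failure so a caller cannot tell bad Pass from unknown IP."""
        acct = self.accounts.get(user)
        if acct is None:
            return None
        if not hmac.compare_digest(acct["verifier"], kdf(password, acct["salt"], b"auth")):
            return None
        profile = decrypt(kdf(password, acct["salt"], b"profile"), acct["profile"]).decode()
        welcome, ips = profile.split("\n")
        if source_ip not in ips.split(","):
            return None
        return welcome, acct["pack"]


class PhishingSite:
    """A look-alike server: it can show a login form but holds no profile blob,
    so the best it can do is guess a message."""

    def login(self, user, password, source_ip):
        return "Welcome back!", b""


def client_login(server, user, password, packing_key, expected_welcome, source_ip):
    """Stage 2 runs only when the user recognises the Welcome Message.
    Returns the decrypted pack, or None when the Packing Key is withheld."""
    result = server.login(user, password, source_ip)
    if result is None or result[0] != expected_welcome:
        return None   # missing or wrong message: the user never types the Packing Key
    _welcome, pack_blob = result
    return decrypt(kdf(packing_key, user.encode(), b"pack"), pack_blob).decode()


def demo():
    """Constructed scenario: one account, then four login attempts."""
    server = Server()
    pack_key = kdf("correct horse battery", b"alice", b"pack")   # derived client-side
    server.register("alice", "pass-1234", "blue teapot 42", ["203.0.113.7"],
                    encrypt(pack_key, b"site=example.com user=alice pw=s3cret"))
    args = ("alice", "pass-1234", "correct horse battery", "blue teapot 42")
    return {
        "trusted_ip": client_login(server, *args, "203.0.113.7"),
        "new_ip": client_login(server, *args, "198.51.100.9"),
        "wrong_pass": client_login(server, "alice", "wrong", *args[2:], "203.0.113.7"),
        "phishing": client_login(PhishingSite(), *args, "203.0.113.7"),
    }


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case:11s} -> {outcome}")
```

The point the simulation makes is the one Francesco draws: the profile blob is unreadable at rest, yet once the real server has verified the Pass it can decrypt the message and show it, while a look-alike page never held the blob and can only guess. Because the pack is a second, independently encrypted object, a user who sees no message (or the wrong one) has so far disclosed only the Pass, never the Packing Key.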

Danielle De Nora May 6th, 2008 at 3:40 pm

Another site similar to these two is NeedMyPassword.com. Needmypassword.com is a great way to store all of your usernames, passwords, and urls. Imagine only having to remember one password to gain instant access to all of your log-in needs! Needmypassword.com is safe and secure so you don’t have to worry about anyone seeing your information except for you. It is also free and easy to use, so sign up now!

Copyright 2006–2008 Profy, Inc., Some Rights Reserved
Portions delivered under a Creative Commons Public Domain License.