Clipperz - Competition for PassPack?
by
on April 03, 2007,
I recently professed my love for PassPack. However, I am a techno-weenie, and when something that promises to be even cooler comes along, I am compelled to at least give it a test run. Clipperz has been getting quite a bit of press lately, and when we here at Profy were asked to give it a look, I jumped on the task. I'm not the most organized of people, and if someone is going to promise to keep me organized even better than someone else, well, I'm going with whoever emulates an online Martha Stewart best.
Clipperz claims it is “more than a password manager” by touting its three features: secure password manager, single sign-on solution, and “digital vault for all your secrets.” By using Clipperz as your go-to site, you can log into any site from their interface, simply by saving your log-in information for the site to Clipperz. It also claims anonymity because, like PassPack, you don't ever use your email address to log in.
Clipperz is tied to Mozilla-based browsers, meaning that unless you are using Mozilla, Firefox, or SeaMonkey, you are out of luck if you'd like to use it. They also claim that their site is safe because the information is encrypted by the browser before it is ever sent up to the Clipperz servers, meaning that even the Clipperz DBA can't access your information.
Now, here's where my heebity-bejeebies come into play; Clipperz uses a JavaScript library for its cryptographic functions that's been released under BSD. It includes several third-party libraries as well. Now, I'm a suspicious ex-coder by nature, and the minute you start adding third-party code, you add any possible number of security holes from developers you don't know. Mind you, I'm a huge proponent of open-source software, but when it comes to protecting things like my credit card information, I really would like the software to be kept in-house as much as possible. Their model seems to almost beg for hackers to reverse-engineer things. The very fact that it allows you to log in directly from their app would be enough to taunt anyone phishing to see how much they could pull out of the browser on log-in. Add in that it is tied into the browser, and I'm afraid of the possibility of an exploit that would take over your browser, access credit card information, and spend away.
Don't get me wrong; Clipperz is a very attractive application. The interface is very user-friendly and looks smooth. And the functionality is impressive. However, I wouldn't be able to trust it with my information. I'm just not that trusting.

Cyndy,
hackers don’t need to reverse-engineer anything: the source code is in plain sight, they (and security experts as well) can freely download it.
We also provide detailed instructions here
http://www.clipperz.com/learn_more/reviewing_the_code
Transparency is the only way for us! We are paranoid about it.
Otherwise how can we expect people to trust us?
Thanks for the review,
best regards,
Marco
PS
Show me one single point where Clipperz security is weaker than Passpack and I’ll buy you a drink!
(Not to mention features: offline version, secure automated login, …)
Hey Marco, I’m a passpack user. I had a look at Clipperz and…
Passpack has an anti-phishing message, password scramble, data backup and rollbacks, auto-lock functions…
Where can I get my drink?
Ciao Alex,
1. Anti-phishing
Clipperz has checksums to verify the integrity of the code.
(Clipperz does not want to know any of your personal data in the clear; when we say zero-knowledge app we mean it!)
2. Password scramble
Click on the star of your masked password and then Ctrl-C.
Your password is already in your clipboard.
3. Data backup
We have way more than simply a backup! We have a read-only offline version.
Download your offline copy and you are done! Move it on a USB stick and enjoy Clipperz security and mobility.
4. Rollback
Clipperz will add card versioning very soon.
(It’s already there, we just need to design the interface)
5. Auto-lock
You got it! Clipperz is still missing this feature, but not for long.
You can get your drink in London on April 19th.
I’m going to attend the OpenCoffee meeting at Starbucks on Regent Street.
I will demo Clipperz to anyone interested.
Regards,
Marco
Hello all. I'm Francesco Sullo, Software Architect for PassPack (http://www.passpack.com).
Marco, I agree that the base security levels of Clipperz and PassPack are fundamentally the same. We also use open-source libraries, which we have (obviously) fully studied and modified to adapt to PassPack's needs.
However, I disagree on your reply to Alex's comment.
The checksums to verify code integrity are *not* an anti-phishing mechanism. They are useful to check for code injection (for example, during a man-in-the-middle attack), but SSL alone is sufficient to guarantee a good level of security in this case.
Anti-phishing is different. For an anti-phishing technique to work, the user must not only be *able* to authenticate the server - but he must be *required* to do so. Why? Because users are lazy, or in a hurry, or tired, or multi-tasking or any combination of those things. If they aren't forced to be careful, they won't be.
PassPack's anti-phishing Welcome Message is a technology that allows the user to immediately recognize the server - they have no choice. It's similar to Yahoo's pattern, but eliminates the need for cookies (which we all know are inherently unsafe). This is possible thanks to our double-access technique for accessing first the account, then the encrypted pack. The user logs in with User ID and Pass, the server authenticates the login and, if the user is connecting from one of the IP addresses saved inside his account, he will be shown his personal Welcome Message. Remember that at this point in the process, the user's data is still completely secure and encrypted. Only *after* the user reads the Welcome Message can he type in his Packing Key - or not. If the Welcome Message is incorrect or missing, he will immediately become suspicious and check the address bar.
Simple, isn't it? But 99% of web sites on the web can't use a similar mechanism because they use a single-password approach.
I just want to clarify that the user chooses his own welcome message, and that it, together with his standard set of IP addresses, is saved to his account. You know, as well as I do, that there is no way for PassPack to access that information without the user's password, which naturally, we don't have. PassPack, like Clipperz, employs the Host-Proof Hosting pattern (http://ajaxpatterns.org/Host-Proof_Hosting) - but we also add the extra layer of security with the Packing Key.
About "offline version" and "data backup" - these are two very different things. Despite the fact that I'm an advanced user, I had a difficult time using your offline version. On the other hand, making a backup or restore in PassPack is extremely simple. Should a PassPack user accidentally delete his entire account, he could simply make a new account then upload all his passwords at once using his backup copy. With your offline version, if I accidentally delete my online account, I cannot restore my data except maybe by copying and pasting the cards one-by-one from my offline version to my new account.
However, despite the differences, I'm sure that just as you'll introduce a backup procedure in the near future, PassPack will introduce an offline version.
PassPack's rollback feature is a great way to allow a user who has changed his Pass or Packing Key, and then forgotten the new one, to recover his previous data. I, personally, had this problem and I was able to fully recover my data because the restore-points have been active since PassPack's Beta 1 version (we're at Beta 4 now).
We currently do the rollback manually, and we've successfully done this already for a number of our clients.
Ok, I didn't want to be long-winded. Let me just say that I am a good judge of good work, and Clipperz has a solid foundation. It's just that your philosophy is different from PassPack's. I guess only time will tell.
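A constructed model of the two-step login Francesco describes above, which also illustrates the "encrypted in the browser before it is sent" model from the review; this is an added example, not PassPack's or Clipperz's code. The server verifies User ID and Pass, releases the Welcome Message only to an IP address saved in the account, and returns a pack it cannot read; the client decrypts that pack with the Packing Key only after the Welcome Message checks out. The account layout, the PBKDF2 parameters and the HMAC counter-mode stand-in for the real cipher are assumptions of this example.

```python
import hashlib, hmac, os

ITER = 100_000  # PBKDF2 rounds: a constant of this demo, not a PassPack value

def _kdf(secret: str, salt: bytes, label: bytes) -> bytes:
    # The label separates the login hash from the pack key even if both secrets match.
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), label + salt, ITER, dklen=64)

def _keystream(key: bytes, length: int) -> bytes:
    # HMAC-SHA256 in counter mode as a stand-in stream cipher for the demo.
    blocks = (hmac.new(key, i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range((length + 31) // 32))
    return b"".join(blocks)[:length]

def pack_encrypt(packing_key: str, salt: bytes, plaintext: bytes) -> bytes:
    k = _kdf(packing_key, salt, b"pack"); k_enc, k_mac = k[:32], k[32:]
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(k_enc, len(plaintext))))
    return ct + hmac.new(k_mac, ct, hashlib.sha256).digest()  # encrypt-then-MAC

def pack_decrypt(packing_key: str, salt: bytes, blob: bytes):
    k = _kdf(packing_key, salt, b"pack"); k_enc, k_mac = k[:32], k[32:]
    ct, tag = blob[:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(k_mac, ct, hashlib.sha256).digest(), tag):
        return None  # wrong Packing Key or tampered pack
    return bytes(a ^ b for a, b in zip(ct, _keystream(k_enc, len(ct))))

def make_account(password, packing_key, welcome, known_ips, secrets: bytes) -> dict:
    """Client-side enrolment: only the login hash, IP list, Welcome Message and the
    already-encrypted pack are stored server-side; the Packing Key never leaves the client."""
    salt = os.urandom(16)
    return {"salt": salt, "pass_hash": _kdf(password, salt, b"login")[:32],
            "welcome": welcome, "known_ips": set(known_ips),
            "pack": pack_encrypt(packing_key, salt, secrets)}

def server_login(accounts: dict, user: str, password: str, client_ip: str):
    """Step 1 (server): verify User ID + Pass, then release the Welcome Message only
    to an IP already saved in the account. The pack stays opaque to the server."""
    acct = accounts.get(user)
    if acct is None or not hmac.compare_digest(
            _kdf(password, acct["salt"], b"login")[:32], acct["pass_hash"]):
        return None
    welcome = acct["welcome"] if client_ip in acct["known_ips"] else None
    return welcome, acct["salt"], acct["pack"]

def client_step2(response, expected_welcome: str, packing_key: str):
    """Step 2 (client): type the Packing Key only after the right Welcome Message is
    shown; a phishing site cannot reproduce it, so the pack is never unlocked there."""
    if response is None or response[0] != expected_welcome:
        return None  # missing or wrong Welcome Message: stop and check the address bar
    return pack_decrypt(packing_key, response[1], response[2])
```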
Another site similar to these two is NeedMyPassword.com. Needmypassword.com is a great way to store all of your usernames, passwords, and URLs. Imagine only having to remember one password to gain instant access to all of your log-in needs! Needmypassword.com is safe and secure so you don’t have to worry about anyone seeing your information except for you. It is also free and easy to use, so sign up now!