In the previous post I wrote about our zeal in building zero-knowledge web applications and our pledge to never introduce features that could compromise the integrity of our model.
Now I present a comparative analysis of Clipperz and PassPack with regard to the implementation of one-click logins. The analysis will clearly show the benefits of adopting a rigorous zero-knowledge methodology.
I usually don’t write about competitors, but the ability to log into a website with just one click is a very important and appreciated feature for any password manager and it deserves special attentions. Clipperz introduced “direct logins” in April, while PassPack re-launched the “auto login” feature few days ago.
Clipperz “direct login”
Setup and configurations
To create a new “direct login” for a specific website:
- launch the “Add to Clipperz” bookmarklet from the login page;
- copy the configuration collected by the bookmarklet to the card containing the login credentials.
No activation required. More detailed information here.
The one-click process
As the name says, it’s just one click on the desired “direct login” link.
Under the hood
What happens when a Clipperz user clicks on the “direct login” link for a specific website?
- A new empty browser window opens.
- The matching encrypted card is downloaded from the Clipperz server in order to obtain the following data:
- the structure of the login form as collected by the Clipperz bookmarklet during the setup process;
- login credentials for the specific website.
- The decrypted data are used to create a copy of the original login form in the new browser window. Form fields are already filled in with the correct credentials.
- The form is automatically submitted.
Clipperz cannot log any browsing usage or pattern because:
- the Clipperz server does not play any role when the user setup new “direct logins”;
- no data is transmitted to the Clipperz server when a user click on a “direct login” link.
- “Referrer obfuscation” to protect user privacy is obtained by simply loading HTML code into a blank browser window.
- “Direct logins” can be accessed from any PC and any browser without the need to install any custom bookmarklet.
- To keep the collection of “direct logins” always at hand Clipperz released the Compact version, designed to be opened in the Firefox sidebar.
- If the Clipperz server is down “direct logins” can still be accessed from the offline copy and they will work smoothly.
PassPack “auto login”
Setup and configurations
Users need to activate the “auto login” functionality and install the custom “PassPack It!” bookmarklet.
The one-click process
It’s actually a two step procedure:
- click on the “Go” icon or the “Go there” link of an entry to open the login page in a new browser window;
- launch the “PassPack It!” bookmarklet within 100 seconds to automatically fill in and submit the form.
Under the hood
When a PassPack user clicks on the “Go” icon of an entry:
[…] the browser makes a mini-encrypted pack and sends it, together with the URL for the website, over HTTPS to the PassPack server.
It’s sensible to imagine that the “mini pack” contains the user credentials for the specific website. The website then opens in a new window, but
[…] not directly though, first it passes (via HTTPS) through the PassPack server which does a little obfuscation […]
Afterward, when the user clicks on the “PassPack It!” bookmarklet, the “mini pack” will be moved back from the PassPack server to the new browser window together with the instructions, retrieved from the PassPack database, on how to fill in this particular website’s login form.
The “mini pack” is then locally decrypted using the “bridgelet key” that is generated during the “auto login” activation and then wired into the bookmarklet. At this point all information required to fill in the login form are available to the browser that can eventually perform the “auto login”.
Privacy issue 1
The PassPack server plays a central role and can potentially log lots of information about the online behavior of its users. They say:
We are not interested in your browsing habits, […] no information on who visits that link is stored.
Well, I’m sure it’s true, but they are explicitly asking their users to simply trust them. They will do no evil with your data, but the fact remain: PassPack could track your login patterns. What PassPack does with data traveling to its server cannot be monitored and verified by its users.
Privacy issue 2
Those taking the extra efforts to teach PassPack how to login to a new website, get a nice reward:
For security purposes, we need to be able to track down anyone who attempts to abuse the system. To help us do so, we store information that may help us identify the account that registered PassPack the site using the teaching process.
So if you are helping PassPack to grow the collection of websites that “auto login” can handle, consider that your username and email will be linked to every website you “teach” them!
- PassPack maintains a database with “URLs of recognized websites and their relative structure”. Even if the content of the database can’t be related to specific users, it represents a further leak of information about the encrypted data stored in PassPack accounts.
- The “PassPack It!” bookmarklet contains the user’s “bridgelet key”. This is a critical piece of information since it’s involved in the encryption of the “mini pack” as it travels to and fro the PassPack server.
Even if no information are provided about how the “mini pack” is built and encrypted (always a bad decision), chances are that the “bridgelet key” could potentially disclose information to an attacker. And it’s available to anybody accessing a computer where the PassPack bookmarklet has been installed.
Furthermore, the “bridgelet key” does not change if the user deactivates and then re-activates the “auto login” functionality.
- PassPack users need to install their own “PassPack It!” bookmarklet on every PC and every browser they use.
- The “auto login” process relies on the availability of the PassPack server.
- “Auto login” always requires two clicks: one on the “Go” icon and another one on the “PassPack It!” bookmarklet.
- Often login forms are hosted on different web pages, sometimes even on pages with dynamic URLs. If the URL saved by a user in her PassPack entry does not match the URL stored in the PassPack database, it’s quite likely that PassPack needs to be “taught” how to “auto login”.