Blog

Clipperz on Google's AppEngine

Last week Google announced AppEngine: a service that provides the option to deploy custom applications on the legendary Google infrastructure.

Nowadays there are tons of hosting solutions available offering a huge variety of features; nevertheless, Google’s new service has some unique functionalities not available elsewhere. To me, the most interesting is BigTable, the persistence engine used by Google itself to implement its own services.

BigTable’s architecture is quite odd compared with a common DBMS accessed using SQL, and it requires a different mindset in order to use it efficiently. Brett Morgan wrote an effective description of the very different perspective that BigTable requires:

Remember what GFS and BigTable were originally designed for. Each BigTable entry contained a whole web page, and all the data relating to that web page as the various stages of the google processing pipeline are applied to the page. So storing two numbers in a BigTable entry is like putting a person in a 747, then complaining how long it takes to get the person 50 feet along the ground in said 747 - it would be quicker to get the person to walk.

The power of BigTable comes to the fore when you fill the 747 with people, fire up the engines, and then get the aircraft to cruising altitude. That’s when you are using the tool properly.

Clipperz online password manager does not really require all that power, since its zero-knowledge web architecture moves almost all of the computation to the clients, leaving to the server only some trivial tasks that can be executed with very few resources.

However, since I had recently ported the Clipperz backend to PHP, I thought it would be nice to port Clipperz to Python too, with the extra bonus of testing BigTable on a real, even if quite simple, problem.

In a matter of a few days (mostly due to my complete lack of experience with Python) I have been able to run Clipperz on the AppEngine SDK. It works fine, but I don’t have an account on the real thing yet, so I cannot say much about how the aforementioned constraints affect the behavior of the application.

The most difficult part was to avoid Google’s authentication service and implement a custom solution to manage sessions (still very rough) in order to allow users to perform a more secure SRP authentication.
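SRP needs two round trips, and the server's ephemeral secret has to be kept between them, which is the job a session store does. The sketch below is an added example, not Clipperz code: the `Server` class, `client_login`, the in-memory dictionaries standing in for the datastore, the demo modulus `2**521 - 1` and the simplified `x = H(salt, password)` are all assumptions made for illustration.

```python
import hashlib, hmac, secrets

N, g = 2**521 - 1, 3  # demo group (a Mersenne prime); production uses an RFC 5054 group

def H(*parts):  # SHA-256 over length-prefixed ints/bytes/strings, returned as an int
    h = hashlib.sha256()
    for p in parts:
        p = p.to_bytes(66, "big") if isinstance(p, int) else p.encode() if isinstance(p, str) else p
        h.update(len(p).to_bytes(2, "big") + p)
    return int.from_bytes(h.digest(), "big")

k = H(N, g)

def make_verifier(password):  # runs on the client at sign-up; server stores only (salt, v)
    salt = secrets.token_bytes(16)
    return salt, pow(g, H(salt, password), N)

class Server:
    def __init__(self):
        self.users, self.sessions = {}, {}  # stand-ins for datastore entities

    def start(self, user, A):  # request 1: take A, answer (session id, salt, B)
        if user not in self.users or not 0 < A < N:
            return None
        salt, v = self.users[user]
        b = secrets.randbelow(N - 2) + 1
        B = (k * v + pow(g, b, N)) % N
        sid = secrets.token_urlsafe(16)
        self.sessions[sid] = (A, b, B, v)  # b has to survive until request 2
        return sid, salt, B

    def finish(self, sid, M1):  # request 2: verify proof M1; a session is single-use
        state = self.sessions.pop(sid, None)
        if state is None:
            return None
        A, b, B, v = state
        K = H(pow(A * pow(v, H(A, B), N), b, N))
        ok = hmac.compare_digest(str(H(A, B, K)), str(M1))
        return H(A, M1, K) if ok else None  # M2 shows the server held the verifier

def client_login(server, user, password):  # both client steps; True if M2 checks out
    a = secrets.randbelow(N - 2) + 1
    A = pow(g, a, N)
    reply = server.start(user, A)
    if reply is None or not 0 < reply[2] < N:
        return False
    sid, salt, B = reply
    x, u = H(salt, password), H(A, B)
    K = H(pow(B - k * pow(g, x, N), a + u * x, N))
    M1 = H(A, B, K)
    return server.finish(sid, M1) == H(A, M1, K)
```

The password never reaches the server in either request, and a session id cannot be replayed because `finish` removes it before checking the proof.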

Experiment outcome:

  • BigTable is quite impressive; simple yet very flexible, with the intriguing promise of unlimited scalability.

  • Clipperz’s server-side code base is not very suitable for a massive application of the map/reduce pattern, but it is very easy to port to different platforms.

At the moment we have no plans to officially release the AppEngine version of Clipperz, but if you are interested in playing with the code, get in touch with us.

So, what’s the next experiment? A different client for a very popular platform to prove how flexible Clipperz’s architecture is. Stay tuned!

Google AppEngine

Clipperz is not welcome at Google Code

We moved the code repository of Clipperz’s open source projects from Google Code to SourceForge, because Google doesn’t like AGPL and is kindly requesting all developers that opted for this license to leave.

It is also not okay to host an AGPL covered program on code.google.com […] So sadly, the answer is to remove your project and host somewhere else like SF or Savannah.
Chris DiBona, the Open Source Programs Manager at Google on Google Groups

Ok, message received! But why is Google against AGPL? Just to stop the proliferation of open source licenses? Noble cause, but are we sure that this strong position is not related to AGPL closing the “ASP loophole”? Russell Beattie has few doubts:

Makes perfect sense, really. Google has made bazillions of dollars using free software in their backend without having to release any of their modifications back into the world. Something like the AGPL which requires server-side modifications to also be released is a direct threat to their way of doing business. Refusing to add AGPL to the list of open source licenses on Google Code to help promote is unsurprising, and in fact expected.

However, I’m sure that AGPL will be adopted by tons of projects going forward. I see no chances for Google to stop or delay this trend. If they don’t want us, they don’t deserve us.

Google Code is a great hosting service and we really enjoyed it while it lasted. I will miss its clean and ad-free interface. Adieu!

All Clipperz’s open source projects are now hosted on SourceForge. The Community Edition of our password manager is available for download here, while the Javascript Crypto Library can be found here.

damage control

(another brilliant gapingvoid cartoon)

Host your own Clipperz

We are happy to announce Clipperz Community Edition! Now you can host Clipperz password manager on your own server. Clipperz Community Edition offers the same features and functionality as the online service hosted at http://www.clipperz.com, with the added warm feeling of having your precious passwords and confidential data on your own server.

Most importantly, Clipperz Community Edition is the first online password manager to be released under an open source license. We opted for AGPLv3, recently approved by OSI, since it solves the “ASP loophole” in GPL.

But why would you prefer running Clipperz password manager from your own server instead of using the online service?

  • “Clipperz security architecture is great, but I prefer to store my data on my hardware. I just feel better this way!”
  • “Clipperz password manager could be very useful in my department, but our internal policies do not allow storing data, even encrypted data, on an external server.”
  • “I would like to modify the look & feel of Clipperz and embed this powerful password manager within my family intranet.”
  • “Clipperz works nicely, but I would love to play with the source code in order to improve feature X and add new features Y and Z.”

Whatever your motivation is, we would love to hear from you about how and where you use Clipperz Community Edition. Get in contact or leave a comment below.

open source by gapingvoid

Clipperz in your words - Elma Li's story

Elma Li sent us this message about the role played by Clipperz password manager in her everyday life.

In the world where I have more online logins than I can remember, I use Clipperz almost every day to store or access login information. That way, I can keep track of all the accounts that I’ve signed up for.

Not only is Clipperz convenient when I’m online, I also use Clipperz when I’m traveling without Internet access and I need to look up a number using the offline feature.

The direct login is also nice because I don’t have to rely on AutoComplete on Internet Explorer (for security purposes). I just open the Clipperz Compact in the sidebar and login to various accounts with a simple click.

Since I work in both a Mac and a Windows environment, the web option is the best because I have no compatibility issues while keeping all my information safe without having to install software at every computer that I use.

Thanks Elma! You made our day!

Elma Li

Clipperz gets personal

Would you like to run Clipperz from your own server? Then you will be happy to know that we just decided to provide our password manager as a downloadable package.

The system requirements to install it on your server will be minimal (just PHP 5) and we will provide it as donationware. Moreover the Clipperz package will be distributed with a very flexible AGPL v3 license.

But we first need a little help from you …

The actual Clipperz service has a complex backend built with Java, Tomcat, Cayenne and Postgres. It needs to be very robust and scalable, but most of the features implemented are not really relevant for a personal or corporate installation (such as hashcash policies to defeat bots). Therefore we want to write a simplified version of the backend using PHP, in order to obtain a very simple installation procedure.

The only challenging part of the new PHP backend will be the development of a “proxy module” to interact with DWR calls.

But if DWR allows smooth interaction between the Javascript code on the browser and the Java backend, why do we need to preserve DWR calls once we get rid of Java?

Good question. The answer is that we prefer to have a single version of the Javascript code running on the browser, regardless of the backend. This will make security reviews easier and we will have more eyeballs looking at the very same code.

Unfortunately we have very limited PHP skills and we are looking for a good PHP developer willing to help us.

If you are interested, please drop us a line. Thanks!

php dwr

Giving back to Dojo

Dojo is an Open Source DHTML toolkit written in JavaScript that allows web developers to build user interfaces, prototype interactive widgets and animate transitions.

The Dojo toolkit is not a core element for Clipperz, since it only uses Dojo ShrinkSafe to compress the Javascript code of the online password manager into a single large file, in order to save downloading time and memory space.

However we are very intrigued by DojoX Cryptography, a project led by Tom Trenka that aims to build a large collection of Javascript implementations of cryptographic algorithms. The project is far from being completed and today it includes only MD5 and Blowfish with a few other algorithms under development.

We would like to contribute what we have already packed into the Javascript Crypto Library. There you can find AES-256, SHA-256, Fortuna PRNG, the SRP authentication protocol and a very partial implementation of elliptic curve cryptography.

DojoX Cryptography could become a good starting point if you are interested in browser-based cryptography and zero-knowledge web applications.

Now that we have signed the Contributor License Agreement and sent it to the Dojo Foundation, we are ready to give back to the open-source community!

dojo toolkit

Clipperz pitch at Lift '08

Giulio did a great job explaining zero-knowledge web applications to the crowd of entrepreneurs, bloggers and VCs gathered for the Venture Night at the Lift conference in Geneva.

Giulio reveals that Clipperz online password manager is not just an extremely secure and convenient tool, but also a living lab where we can test the potential of a new breed of web services that know nothing about the data they handle.

You will discover what health records, poker games and password managers have in common!

The complete slideshow is also available as a Slidecast from SlideShare.

Clipperz invited to present at Lift08

Clipperz is one of the 8 European startups selected to present at the Venture Night during the upcoming Lift08 conference.

Thanks to Pierre Chappaz, Robert Scoble and all the members of the venture night jury. I hope they will never find out that Clipperz password manager has been recently nominated one of the 20 dumbest startups of 2007!

The Venture Night is held February 6th, from 17.30 to 19.00. It is open to the public. Join us at the Salle Communale de Plainpalais, 52 rue de Carouge, Geneva.

lift conference logo

Avenida Paulista

Cristian just sent this nice shot of him wearing the Clipperz t-shirt on the sidewalks of Avenida Paulista in São Paulo, Brazil. Cool! Thanks and keep enjoying your favorite password manager!

Cristian on Avenida Paulista

How dumb are we?

Clipperz online password manager just won its first award: it is one of the 20 dumbest startups of 2007! Too bad I’ve not prepared my acceptance speech to thank the nice folks at Mashable and Drama 2.0.

Why did Clipperz get on that list?

A web-based tool that enables you to store your passwords, PIN numbers and other sensitive information in one place and to share them with others if desired? If you don’t see the potential problem with this, you probably deserve to have your identity stolen. Who knows - perhaps you’ll get lucky and someone with a little more intelligence will assume it.

Are we upset by this award? Not at all! We firmly believe that trust is a major issue for the future of online services and we appreciate any initiative that can bring more attention to this subject. It certainly gives Clipperz a chance to advocate zero-knowledge web applications to a broader audience.

However, if you are interested in finding out whether Clipperz is a dumb idea or not, I suggest reading the privacy and security section of this website. You can also visit the Clipperz forum and ask our users, or just browse the many interesting discussions about trust, transparency and cryptography. As an example, yesterday I really enjoyed this thread.

Happy holidays!

code talkers
From xkcd
