We have just released a new version of Clipperz password manager that fixes a bug related to native JSON support. The bug was affecting only those using Firefox 3.1. Beta 1 or Beta 2.

Firefox 3.1 includes TraceMonkey, the new Javascript engine. It’s an evolution of SpiderMonkey that uses a new kind of Just-In-Time (JIT) compiler to boost Javascript performance by an order of magnitude or more.

Unfortunately Firefox 3.1 also introduced a DOM binding (the global object JSON) for the native JSON parser; the DOM binding “shadows” the JSON object from the json2.js library currently used by Clipperz for JSON de/serialization. The native parser doesn’t yet support de/serialization of primitive (string, number, boolean) objects (only object literals and arrays) hence the card creation process results in being broken in Firefox 3.1 Beta.

As soon as Firefox 3.1 will provide full support for JSON de/serialiazation (planned for Beta 3) we will switch to the native JSON parser, taking full advantage of speed improvements.

It’s really nice to start a new year with a bit of love twits from Clipperz users. Thanks!

The first thing most of you do every morning is to open the Clipperz password manager and start your daily routine by quickly accessing your online services. Just one click on a “direct login” link and you are logged in and, depending on your browser settings, each click will open a new window or a new tab. Unless you are using Safari …

In that case there is no way to tell Safari to open a “direct login” in a new tab, it will always open a new browser window. I find it quite annoying, I personally can’t stand having too many browser windows open.

Direct login links have a target = "_blank" attribute and Safari has no (evident) option to decide if the new page should be opened in a new window or a new tab (like Firefox has). But luckily Apple has added a hidden preference, since Safari 3.1, that allows you to tell Safari to stick to one window. Just paste into Terminal the following command and and you’re sorted!

defaults write com.apple.Safari TargetedClicksCreateTabs -bool true

This works great, unless you are like me: I usually launch tens of “direct logins” and I end up scrolling tabs back and forth within a single Safari window. Not very convenient. But with Safari I can solve this problem by easily detaching and grouping together tabs (all email accounts in one window, all bank accounts in another, …).

Unfortunately Firefox does not allow me to detach tabs the way Safari can, but I’ve found a very good solution: Duplicate Tab 1.0.2. A nifty Firefox add-on that allows you to detach tabs and merge windows.

So if you use Safari, I would suggest to set the above hidden preference, while if you prefer Firefox, choose the option to open new pages in a new tab and install the Duplicate Tab add-on. In any case, don’t let your browser degrade your Clipperz experience!

Thanks to Dennis and John for the tips!

picture from inju Flickr photostream

Giulio and I are looking for a job. We have been working at Clipperz for almost 3 years, investing our own money, time and energy. We cannot afford it any longer.

But don’t worry for the future of your favorite password manager, since we will take into consideration only job proposals that leave us enough free time to keep the service running. We won’t stop its development and we will continue to provide support to the about 20,000 registered users. Moreover, there will always be the option to run the Clipperz Community Edition on your own server.

To date Clipperz is a success and a failure all at the same time.

A success because thousands of users love the service and because the underlying zero-knowledge architecture is enjoying a growing acceptance and has spurred a stimulating debate over privacy and freedom for web applications.

A failure because we were unable to tell investors a convincing and easy-to-grasp story and therefore they didn’t see the huge business opportunity arising from zero-knowledge web applications. The presentation below is our latest attempt to tell this story. Hopefully better than we did before.

Feel free to send in your suggestions and to forward the presentation to reputable and passionate investors that could find it interesting. And, as usual, donations are always welcome!

Lately Giulio and I have been busy helping with the organization of BookCamp, a barcamp focused on books, ebooks and digital publishing.

Is there any direct relationship between a password manager and the future of books? Not really, but we do like books and we would like to see more freedom in the publishing industry.

The BookCamp will be a wonderful chance to discuss next generation textbooks, print-on-demand, ebook readers, why DRM (better known as Digital Restrictions Management) is bad and many other topics.

Richard Stalmann, President of the Free Software Foundation, will deliver a speech (via phone) with a quite straight title: “Fighting the Swindle of DRM on E-Books”.

See you at Castel Sismondo in Rimini, next Friday, starting at 16.00. Italian will be the official language, but anyone is welcome!

“Thanks Gutenberg. So long.” (Mario Guaraldi, publisher)

Thanks to the mighty name of Richard Stallman and, hopefully, to the relevance of our call for action, Clipperz ended up on Slashdot.

Ok, I submitted the story myself, but it was for a good cause: promoting freedom and privacy on the web. Clipperz password manager is tired of being the only web application around with a zero-knowledge architecture and an AGPL v3 license!

Interview with Thorsten Zoerner about a neat deployment of the Clipperz Community Edition for the eyeOS platform. Clipperz Community Edition allows you to host on your own server a web service identical to Clipperz online password manager. It’s open source and released under an AGPL license.

Thorsten, you’ve developed an application called “h3oPass 4 Clipperz Community Edition”. What’s that application about?

h3oPass 4 Clipperz Community Edition allows people to use Clipperz from within eyeOS. Web Operating Systems are getting more and more common these days and for any WebOS user it is common to rely on several web applications by different providers. So you need login credentials for each of those – as they do not share one common authentication platform. Users of h3oPass can now manage their passwords within Clipperz and they can access any web service with just one click.

Why Clipperz?

There are password managers around. Some of them come as browser plugins, others are installed on the server. In both cases, the user faces a challenge: either the passwords are not available when moving to another computer, or the user has to blindly trust the server where the passwords are stored. With Clipperz it is different: all the protection is done within the browser while the encrypted data gets stored on the server. Or, in other words, the role of the server is just to store scrambled bits and bytes, while the browser does all the work. This approach has several points of contact with the overall WebOS philosophy and provides better security and privacy.

Why h3oPass leverages the Clipperz Community Edition and not the hosted service at clipperz.com?

Because of the way to handle windows within the eyeOS environment.

On the hosted version of Clipperz, when you click on a direct login link, a new window or tab is opened to show the page you just logged into. Running the application from an eyeOS window I had to patch the JavaScript window.open function in order to let eyeOS handle the opening of new windows within the very browser window where eyeOS lives in.

If you look on the screecast below, you quickly recognize, that the applications has two windows: one is derived from the “Clipperz Compact” version that is usually displayed in a browser sidebar, the other is the full version of Clipperz, usually displayed in a regular browser window. I think that this is a very convenient way to use Clipperz within eyeOS.

However, there is another application, that will get released in a few days: h3opass 4 Clipperz Offline Edition. In this case you just download the offline copy generated by any Clipperz instance (a single HTML file) and upload it to your eyeOS account. The application than ensures the windows handling.

What makes a WebOS so fascinating for you?

For me a WebOS is the right tool to create my personal information mashups. It allows me to built my personal view of the world. It brings together my personal CRM page, my IM client, my weblog, my weather forecasts, my phone, … There are thousands of helpful applications out there and Clipperz can log you in with just one click in most cases!

And eyeOS in particular?

One thing I really like about eyeOS is that it was designed to be installed on your own company, school or university server. This gives you control over what people are doing with it - without building a vendor lock in.

Is h3oPass 4 Clipperz your only eyeOS application?

No there is h3oUpload, allowing users to upload documents to an eyeOS server using drag and drop from the real desktop. h3oLaunchr extends that: you are able to open a document directly on the server and edit it on the client.

**Why do you develop eyeOS applications? Which are your motivations?

I like to spend one hour of my life, if what I achieve can save me one minute on every working day. With this in mind, one year ago I started to play around with eyeOS and figured out that it could be used to implement a lot of time saving solutions, hacks that can saves you several clicks every day. For the very same reason I got interested in Clipperz as well: accessing my bank account, remember-the-milk and several other sites with just one click was awesome. h3oPass saved me those magic minute a day (actually even more).

Last question, where could I test h3opass 4 Clipperz or eyeOS?

h3oPass is freely available for download from the eyeOS application repository. You can install it on your eyeOS server or, if don’t have a server, you can get a free one from my homepage. And the quickest way to test it is on my demoserver (username: demo / password: demo).

AJAX Chat is one of the most popular project released under the AGPL license. The SourceForge stats page shows about 200 daily downloads! AJAX Chat represents today a cool integration for several Internet forums based on phpBB, MyBB, PunBB, SMF and vBulletin.

However AJAX Chat has a potential that goes beyond Internet forums: it could bring chat capabilities to any web page. It’s a great candidate for the AGPL Suite. It would also be nice to engage its developers to embrace a zero-knowledge architecture to make AJAX Chat a true off-the-record messaging system.

Its creator, Sebastian Tschan, was kind enough to answer some questions.

What is AJAX Chat and why did you start its development?

ST: It’s an open source web chat based on AJAX. At the start of its development I just wanted to learn more about AJAX. I also liked the idea of having a chat for my own phpBB based community forum which could be used with a browser and didn’t require any plugins to work.

Later I decided to release AJAX Chat as an open source project. The first release was targeted at the phpBB community. There were already some AJAX based chat applications around for phpBB, but all required some modifications to the forum software. AJAX Chat was outstanding for its extremely easy setup and the integration with the forum authentication system.

Why did you choose AGPL for AJAX Chat?

ST: The first version of AJAX Chat was released under plain GPL. As a GNU/Linux user I was already a free software fan, but I didn’t know much about the different licenses. Later I found the time to read about free software (e.g. ”Free Culture” from Lawrence Lessig, articles from Richard M. Stallman) and I eventually realized what it was all about. It was then that I decided to put AJAX Chat under AGPL.

What’s your opinion about the “ASP loophole”? Do you think that AGPL solves that problem?

ST: The “ASP loophole” was the very reason why I finally decided to put AJAX Chat under AGPL instead of using the GPL. I would recommend open source developers to use the AGPL for all their web projects.

Just to say thanks to the nice folks at Palamida. They wrote an interesting commentary to my post on building an AGPL suite and then move each application of the suite onto a zero-knowledge architecture.

Here is what they say:

Marco Barulli is taking the risk of blazing the trail for web services developers to come. Is AGPLv3 the right license? Who knows. Is “zero-knowledge” the right architecture? Maybe yes, maybe no.

• Zero-knowledge architecture is a web services framework in which secure information is distributed only to the endpoint, the service, through a secure and reliable framework that does not allow disclosure or residual existence of any user specific information. […]

• The AGPLv3 assures that the architecture and the source code is transparent and available for scrutiny, thereby insuring a clear implementation of secure practice that can be monitored and verified by the community. […]

Is this novel? No. Is it needed? Of course. “Zero-knowledge” architecture is based on old ideas applied to a new web services paradigm. Trust nobody, encrypt, and double check everything. Clipperz and the zero-knowledge concept is an old idea finding a proper place to start talking about transparent architecture which puts the responsibility of information security in the hands of the users. Is it perfect? Maybe yes, maybe no. It is licensed under AGPLv3, so Marco Barulli is inviting the community to grow what he started. Simple idea, great initiative. Well done.

Too kind! Who is going to join us in this adventure? Clipperz can certainly contribute its password manager to the AGPL Suite with, but who is next? I would love to hear from the smart guys that developed AJAX Chat …

This is a post about freedom. The freedom to keep your data for yourself and the freedom to run free software. You should be able to reclaim and enjoy these freedoms also when using web applications.

If you are a supporter of the free software movement, you can easily opt for Gimp instead of Photoshop, or Firefox instead of Internet Explorer. You can also protect the privacy of your data by using the many encryption tools that are available (GPG, TrueCrypt, …). But when it comes to web applications things get complicated.

The benefits of web apps (ubiquitous access, seamless upgrades, reliable storage, …) are many, but quite often users lose their freedom to study, modify and discuss the source code that powers those web apps.

Furthermore, we are forced to trust web applications provider with our data (bookmarks, text documents, chat transcripts, financial info, … and now health records) that no longer resides on our hard disks, but are stored somewhere “in the cloud”.

It’s not a nice situation when you have to chose between convenience and freedom.

Let me be clear: web apps are great and I’m in love with them. But I think it’s time to ask for more freedom and more privacy. Here is a three step plan to achieve both these results.

1. Choose AGPL

Why is AGPL important? Because it means that, if you are an application service provider and your services are based on software with an AGPL license, you have to make the source code available to anyone that uses the service! FSF guidelines suggest to add a “Source” link that leads users to an archive of the code right into the web application interface.

(Don’t ask me why it took so long to tackle this problem within the free software community!)

Action points

• Help Clipperz to assemble an “AGPL Suite”: a collection of web applications that provides tools for the most common needs.

  The suite should include: word processor, web chat, password manager, wiki, address book, to do list, calendar, bookmark manager, … Each web app must be released under an AGPL license! Therefore forget Google, del.icio.us, Plaxo, Meebo, … at least unless they switch to AGPL.

  There are already a couple of candidates for inclusion (Ajax Chat for the web chat and, of course, Clipperz for the password manager), but most of the spots in the suite are still vacant!

• Join Clipperz in its effort to evangelize the benefits of AGPL to the maintainers of open source web projects. Ask them to convert to AGPL.

2. Add zero-knowledge sauce

Web developers and web users are still largely ignoring the opportunity offered by browser-based cryptography to bring the privacy and security of traditional software programs to web applications.

At Clipperz we envisioned a new architecture paradigm called “zero-knowledge web apps” (here a more detailed description) that combines the idea of host-proof hosting with a set of rules focused on the “learn nothing” mantra.

The name was both an homage to cryptography (a “zero-knowledge proof” is a standard cryptographic protocol) and a promise of a specific relation between the application provider and the users. The server hosting the web app could know nothing of its users, not even their usernames! Clipperz applied this paradigm to implement its online password manager.

Action points

• Apply zero-knowledge techniques to each component of the “AGPL Suite”. Converting an existing web applications to the zero-knowledge architecture is not easy, but at Clipperz we have a considerable experience on the subject and we will be happy to share our knowledge and code base.

  We could eventually enjoy a web based word processor that can’t read our documents, a truly off-the-record web chat, a wiki where we could lightheartedly store valuable information, and so on.

• Build and maintain a list of ASPs that host the whole “AGPL Suite”. It will be a useful reference for those who value free software and privacy, but don’t possess the necessary skills and resources to run web apps from their own server.

3. Build a smarter browser

We are almost there, but we still need to provide users of web apps with an even more flexible and secure environment. In fact, given the architecture of a zero-knowledge web app, the server typically performs the following tasks:

• loads the Javascript code to the user’s browser (the actual program);
• optionally authenticates the user (using a zero-knowledge protocol);
• retrieves and stores encrypted data as requested by the user’s browser.

Free software implies full control over anything that runs in my computer. Therefore two questions arise:

• How can I run a modified version of the Javascript code instead of the one loaded by the server?
• How can I be alerted of changes in the Javascript code that the server loads to my browser?

I recently had the tremendous honor to exchange thoughts with the very Richard Stallman about the above issues and he proposed a smart solution to both problems.

Stallman suggests to add a feature to the browser allowing a user to say: “When you get URL X, use the Javascript from URL Y as if it came from URL X.” If the user does invoke this feature, he can run his copy of the Javascript and still being able to exchange data with the server hosting the web application.

A browser with such capabilities could also easily verify if the Javascript from URL X is different from the alternative Javascript stored at URL Y. If the user trusts the present release of the Javascript code from URL X, he could make a copy of it at URL Y and be alerted if any change occurs.

This solution protects the user from malicious code that could be unknowingly executed by his browser, stealing his data and destroying the whole zero-knowledge architecture.

Action points

• Write add-ons for the major free browsers (Mozilla, Webkit, …) that implement the Stallman’s solution.

• Advocate for including the “AGPL Suite” along with the above enhanced browsers into GNU/Linux distributions.

How to contribute

• Keep reading this blog where I will post regular updates.
• Send in your comments and suggestion.
• Spread the word writing in your blog, posting in forums, …
• Make a donation.

Last but not least: how would you name this ambitious project?
Let me know in the comments!