In the previous post I wrote about our zeal in building zero-knowledge web applications and our pledge to never introduce features that could compromise the integrity of our model.
Now I present a comparative analysis of Clipperz and PassPack with regard to the implementation of one-click logins. The analysis will clearly show the benefits of adopting a rigorous zero-knowledge methodology.
I usually don’t write about competitors, but the ability to log into a website with just one click is a very important and appreciated feature for any password manager and it deserves special attention.
Clipperz introduced “direct logins” in April, while PassPack re-launched the “auto login” feature a few days ago.
Clipperz “direct login”
Setup and configurations
To create a new “direct login” for a specific website:
launch the “Add to Clipperz” bookmarklet from the login page;
copy the configuration collected by the bookmarklet to the card containing the login credentials.
No activation required. More detailed information here.
The one-click process
As the name says, it’s just one click on the desired “direct login” link.
Under the hood
What happens when a Clipperz user clicks on the “direct login” link for a specific website?
A new empty browser window opens.
The matching encrypted card is downloaded from the Clipperz server in order to obtain the following data:
the structure of the login form as collected by the Clipperz bookmarklet during the setup process;
login credentials for the specific website.
The decrypted data are used to create a copy of the original login form in the new browser window. Form fields are already filled in with the correct credentials.
The form is automatically submitted.
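As an added illustration of the steps above (this is example code, not Clipperz’s own implementation), the following JavaScript rebuilds a login form from a decrypted card and loads it into a fresh blank window; the shape of the form configuration and credential objects, the sample data and the escaping helper are my assumptions, and the download/decrypt step is left out.

```javascript
// Added illustration of the "direct login" flow described in the post.
// Assumption (not from the post): the decrypted card yields a form config
// { action, method, fields: [{name, type, value?}] } and a credentials map
// { fieldName: value }. Downloading and decrypting the card is not shown.

// Escape a value for use inside an HTML attribute, so a credential containing
// quotes or angle brackets cannot break out of the generated form markup.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Build the HTML loaded into the blank window: a copy of the original login
// form with every field pre-filled, plus a script that submits it on load.
// Credentials override the captured field values; other fields (e.g. hidden
// tokens captured by the bookmarklet) keep the value recorded at setup time.
function buildDirectLoginHtml(formConfig, credentials) {
  const method = /^post$/i.test(formConfig.method) ? "post" : "get";
  const inputs = formConfig.fields.map((field) => {
    const value = Object.prototype.hasOwnProperty.call(credentials, field.name)
      ? credentials[field.name]
      : (field.value !== undefined ? field.value : "");
    return `<input type="${escapeHtml(field.type || "text")}" ` +
      `name="${escapeHtml(field.name)}" value="${escapeHtml(value)}">`;
  });
  return `<!DOCTYPE html><html><body>` +
    `<form id="directLogin" action="${escapeHtml(formConfig.action)}" method="${method}">` +
    inputs.join("") + `</form>` +
    `<script>document.getElementById("directLogin").submit();</script>` +
    `</body></html>`;
}

// Browser side only: open an empty window and write the generated page into
// it. The site receives the submission from about:blank, which is the
// "referrer obfuscation" the post mentions; no Clipperz server is contacted.
function openDirectLogin(formConfig, credentials) {
  const win = window.open("about:blank", "_blank");
  win.document.open();
  win.document.write(buildDirectLoginHtml(formConfig, credentials));
  win.document.close();
  return win;
}

// Constructed sample data standing in for one decrypted card.
const sampleConfig = { action: "https://example.com/login", method: "POST",
  fields: [{ name: "user", type: "text" }, { name: "pass", type: "password" },
           { name: "remember", type: "hidden", value: "1" }] };
const sampleCredentials = { user: "alice", pass: 'p"<ss>&w' };
```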
Zero-knowledge analysis
Clipperz cannot log any browsing usage or pattern because:
the Clipperz server does not play any role when the user sets up new “direct logins”;
no data is transmitted to the Clipperz server when a user clicks on a “direct login” link.
Furthermore:
“Referrer obfuscation” to protect user privacy is obtained by simply loading HTML code into a blank browser window.
The “Add to Clipperz” bookmarklet is a generic tool, the same for every user. When launched it does not send any request to Clipperz (except for the IE version that cannot contain all the Javascript code and has to load it from Clipperz).
Usability
“Direct logins” can be accessed from any PC and any browser without the need to install any custom bookmarklet.
To keep the collection of “direct logins” always at hand Clipperz released the Compact version, designed to be opened in the Firefox sidebar.
If the Clipperz server is down “direct logins” can still be accessed from the offline copy and they will work smoothly.
PassPack “auto login”
Setup and configurations
Users need to activate the “auto login” functionality and install the custom “PassPack It!” bookmarklet.
The one-click process
It’s actually a two step procedure:
click on the “Go” icon or the “Go there” link of an entry to open the login page in a new browser window;
launch the “PassPack It!” bookmarklet within 100 seconds to automatically fill in and submit the form.
Under the hood
When a PassPack user clicks on the “Go” icon of an entry:
[…] the browser makes a mini-encrypted pack and sends it, together with the URL for the website, over HTTPS to the PassPack server.
It’s sensible to imagine that the “mini pack” contains the user credentials for the specific website. The website then opens in a new window, but
[…] not directly though, first it passes (via HTTPS) through the PassPack server which does a little obfuscation […]
Afterward, when the user clicks on the “PassPack It!” bookmarklet, the “mini pack” will be moved back from the PassPack server to the new browser window together with the instructions, retrieved from the PassPack database, on how to fill in this particular website’s login form.
The “mini pack” is then locally decrypted using the “bridgelet key” that is generated during the “auto login” activation and then wired into the bookmarklet. At this point all information required to fill in the login form is available to the browser, which can eventually perform the “auto login”.
Zero-knowledge analysis
Privacy issue 1
The PassPack server plays a central role and can potentially log lots of information about the online behavior of its users. They say:
We are not interested in your browsing habits, […] no information on who visits that link is stored.
Well, I’m sure it’s true, but they are explicitly asking their users to simply trust them. They will do no evil with your data, but the fact remains: PassPack could track your login patterns. What PassPack does with data traveling to its server cannot be monitored and verified by its users.
Privacy issue 2
Those taking the extra effort to teach PassPack how to log in to a new website get a nice reward:
For security purposes, we need to be able to track down anyone who attempts to abuse the system. To help us do so, we store information that may help us identify the account that registered PassPack the site using the teaching process.
So if you are helping PassPack to grow the collection of websites that “auto login” can handle, consider that your username and email will be linked to every website you “teach” them!
Security issues
PassPack maintains a database with “URLs of recognized websites and their relative structure”. Even if the content of the database can’t be related to specific users, it represents a further leak of information about the encrypted data stored in PassPack accounts.
The “PassPack It!” bookmarklet contains the user’s “bridgelet key”. This is a critical piece of information since it’s involved in the encryption of the “mini pack” as it travels to and from the PassPack server.
Even if no information is provided about how the “mini pack” is built and encrypted (always a bad decision), chances are that the “bridgelet key” could potentially disclose information to an attacker. And it’s available to anybody accessing a computer where the PassPack bookmarklet has been installed.
Furthermore, the “bridgelet key” does not change if the user deactivates and then re-activates the “auto login” functionality.
Usability
PassPack users need to install their own “PassPack It!” bookmarklet on every PC and every browser they use.
The “auto login” process relies on the availability of the PassPack server.
“Auto login” always requires two clicks: one on the “Go” icon and another one on the “PassPack It!” bookmarklet.
Often login forms are hosted on different web pages, sometimes even on pages with dynamic URLs. If the URL saved by a user in her PassPack entry does not match the URL stored in the PassPack database, it’s quite likely that PassPack needs to be “taught” how to “auto login”.
A little surprised and disappointed
Hi Marco,
I’m a little surprised and disappointed by your tone.
I don’t want to go into a detailed description correcting what, in my opinion, sounds like an attempt to diminish the work that we do here at PassPack.
Right now I’m not pleased, so I’m going to limit myself to saying that I find your analysis is imprecise, borderline incorrect. We can address these issues in due time (we’re working on a developers center that should see the light in September sometime). I will, however, touch on some key points below:
1. “Zero Knowledge Methodology” is not a recognized industry standard.
It’s your invention, and as far as I know, there is no public or community accepted definition of its rules, principles or standards anywhere. PassPack is not, nor does it strive to be, a Zero Knowledge Application. We do strive to protect our users’ privacy and security, but we do not pretend that we can do this without any knowledge.
Let me ask you a question. Your web server is based in Colorado. What happens if the US government decides to search through your provider’s logs? You can’t do a thing to stop them, you’re under their legislation, and your provider is required by law to comply. They’ll find the IP addresses of all of your users, and easily use this data to arrive at them - know who they are, when they connected, how much data (in kb) they transferred, and from where. Is that Zero Knowledge?
Just because you don’t know anything about your users, doesn’t mean that no one does. Where is the “zero knowledge” line drawn? Zero knowledge, while a respectable ideal, is unfortunately an unattainable utopia. At PassPack we work very hard to find a real world balance between flexibility, privacy, usability and security - that’s attainable.
2. PassPack’s primary objective is Privacy.
All of our choices are made with the highest regards to user privacy and data protection. Any insinuation to contrary is not only incorrect, but offensive as well.
In particular, I’ll briefly point out that:
The advantages to our approach are many. It allows us to constantly fine-tune the tool in a way that is completely transparent to the users. We can, and have, added the ability to login to many more types of sites. It’s a continual evolution. In a worst case scenario, they’ll have to update their button, but certainly not recreate their entire lists of captured logins. It’s feasible that a year from now, few new PassPack users will have to do any “teaching” at all.
In general, I can say this of PassPack’s auto-login tool: Our goal is to obtain a user experience similar to using a browser plugin - but without the plugin. We’ve just this morning released a 1 click version which achieves just that: http://tinyurl.com/2bpxgx
This plugin-type approach allows users to login to the large majority of HTML based forms, including far more than Clipperz direct login can handle. Try this: make a list of sites that won’t work with your direct login and try them on PassPack. You’ll be surprised at the results.
Regards to you and Giulio Cesare. Perhaps when you get back to Rome we can talk about it over a glass of wine. And after this stunt… you’re buying [wink].
Tara
Why disappointed?
Dear Tara, you have had a fairly biased Clipperz vs. PassPack comparison table for months on your blog and I did not complain. It was your right to do so.
In my post I simply presented what Clipperz and PassPack know about their users with regard to one-click login. My conclusion is that PassPack knows a lot more than Clipperz does.
In your long comment you talk about many things, but you don’t (and can’t) deny this simple fact.
I’m sure there are many pros and cons in both online password managers, but PassPack users know that their one-click logins can be recorded. Clipperz users don’t have to worry about this.
Ciao, Marco
Disappointed in your tone.
Yes Marco.
PassPack knows more than Clipperz does. Clipperz believes in Zero Knowledge and PassPack does not.
Not only do I not deny this (why would I?), but I had stated it clearly and gave our reasoning.
Our post may have a product bias, sure, but it does not attempt to cast a bad light on you. To make sure of this, we went as far as to send you a copy via email giving you the opportunity to suggest corrections if you thought that we had misrepresented your product in some way. You requested a correction, and we made it. Beyond that you thought that the post was “in our opinion” but had no further objections to it. The post was outdated so I added a warning to it which reminded that it was old, and then updated it recently - in direct response to your suggestions.
What disappoints me is your tone. It has nothing to do with a product bias. But, I’m going to give you the benefit of the doubt and assume it’s unintentional and due to the fact that English is not your mother tongue.