Security code review

Every time you visit the Clipperz login page, your browser downloads just a single index.html file that contains about 1 MB of JavaScript code. This code represents the whole Clipperz web application: it takes care of everything from logging you in to signing you out, from drawing the interface to encrypting your data.

Therefore you probably want to make sure that:

  1. the Clipperz code is secure and does what it says;

  2. the code you downloaded to your browser is genuine.

The more people review the Clipperz source code, the safer Clipperz users will be!

1. How to get and review the code

This task is quite easily accomplished: just follow the link below to reach the list of Clipperz releases. The current release is the one on top.

Clipperz password manager - Releases

However, you are not limited to examining static code: in order to analyze the traffic Clipperz generates between client and server, there is an easy way to deploy the whole application locally and host on your machine a web service identical to Clipperz. Just choose one of the available backends (PHP/MySQL, Python/AppEngine, …) or contribute your own.

Build instructions are available in the README file on GitHub.

2. How to check if you are running a genuine version

All Clipperz code is compressed into the single index.html file in order to reduce download time and memory space. This file is quite difficult, almost impossible, to work with: spaces and comments have been removed and variables have been renamed.

However, you can reproduce the entire build process starting from the neat hierarchy of files in the GitHub repository. The outcome of the build process should be identical to the index.html file of the live service.

git clone git@github.com:clipperz/password-manager.git
cd password-manager
./scripts/build checksum --frontends beta gamma

Checksums

A checksum (or message digest) is a string of characters generated by algorithms called cryptographic hash functions. These algorithms take a message (e.g. a text file) of any length as input and produce a fixed-length string as output. Good hash functions are such that it’s very difficult to:

  • find a message that matches a given checksum;

  • generate “collisions”, wherein two different messages have the same message digest.

For these reasons it is a good idea to use checksums as a handy identifier for a text file. Even if only a single character is changed, the checksum of that text file will be completely different. To date the two most commonly used hash functions are MD5 and SHA-1, producing respectively 128-bit and 160-bit outputs.

EXAMPLE: checksums for release tagged "release.2013.01.18" 
MD5: 32f3 27d8 1c99 9efc 7d80 74ab 9070 f029
SHA1: a8f5 b0e9 6d6c 22c5 d3fc ff3e fa8a c990 64f8 3aeb

These are the steps to compute the checksum of the current page served by our servers:

  1. Run the following commands to compute MD5 and SHA1 checksums of the “live” index.html file.

    curl -s https://clipperz.is/versions/delta/index.html 2>/dev/null | md5

    curl -s https://clipperz.is/versions/delta/index.html 2>/dev/null | openssl sha1

  2. Locate the index.html file generated from the GitHub repository as described above and run the same commands.

    cat index.html | md5

    cat index.html | openssl sha1

  3. Finally, compare the values obtained. If they don’t match, please report it immediately.
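
An added example, not part of Clipperz's own scripts: the comparison from steps 1 to 3 as one shell function that also rejects an empty download, because a failed curl -s piped into a hash command still prints a valid-looking digest (that of empty input). The names digest and same_build, the SHA-256 default (practical collisions are known for MD5 and SHA-1) and the sample files are assumptions made for this example.

```shell
#!/bin/sh
# digest ALGO FILE: print only the hex digest of FILE.
digest() {
    if command -v openssl >/dev/null 2>&1; then
        # Output is "ALGO(file)= hex" (prefix varies by version): keep the last field.
        openssl dgst "-$1" "$2" | awk '{ print $NF }'
    else
        # Fallback (assumption): coreutils md5sum / sha1sum / sha256sum.
        "${1}sum" "$2" | awk '{ print $1 }'
    fi
}

# same_build LIVE BUILT [ALGO]
# Returns 0 = identical, 1 = digests differ, 2 = an input is missing or empty.
same_build() {
    live=$1 built=$2 algo=${3:-sha256}
    for f in "$live" "$built"; do
        # A failed download leaves an empty file; it hashes without error and
        # two empty files "match", so refuse such inputs outright.
        [ -s "$f" ] || { echo "error: $f is missing or empty" >&2; return 2; }
    done
    a=$(digest "$algo" "$live")
    b=$(digest "$algo" "$built")
    echo "$algo live : $a"
    echo "$algo built: $b"
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# Typical use (network step kept as a comment so this script runs offline):
#   curl -fsS -o live.html https://clipperz.is/versions/delta/index.html
#   same_build live.html path/to/built/index.html

# Constructed sample files standing in for the two copies of index.html.
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
printf '<html><script>var a=1;</script></html>\n' > "$tmp/live.html"
cp "$tmp/live.html" "$tmp/built.html"
printf '<html><script>var a=2;</script></html>\n' > "$tmp/tampered.html"
: > "$tmp/failed.html"    # what a failed download leaves behind

same_build "$tmp/live.html" "$tmp/built.html" && echo "match"
same_build "$tmp/tampered.html" "$tmp/built.html" || echo "MISMATCH"
same_build "$tmp/failed.html" "$tmp/failed.html" || echo "rejected empty input"
```

Pass md5 or sha1 as the third argument to compare against checksums published in those formats.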