Security/Quality of plugin? Open protocol?

Postby MxxCon » Fri Aug 22, 2008 5:43 pm

How can we be sure that your plugin is secure?
Will you make it open source?
Publish specs for (trusted) 3rd party plugins to talk to LastPass service?
MxxCon
 
Posts: 108
Joined: Fri Aug 22, 2008 5:27 pm

Re: Security/Quality of plugin? Open protocol?

Postby sameer » Sat Aug 23, 2008 4:56 pm

Hi MxxCon,

Joe answered this question on another forum earlier, so I will just paste his response:

We're standing on the shoulders of the open source movement to make LastPass.com happen,
and nothing would make me happier than to release it as open source, but we can't do that right now.

We can release an open source version of how our encryption works (the website is this already actually),
and using that you can audit it, and compare it to what we upload and download -- since we're just storing
the locally encrypted data at LastPass.com, if you verify our local encryption implementation you can safely
use LastPass because LastPass is just storing that encrypted data.

Joe


So, in short, you can currently verify that LP is doing everything as it says it is by viewing the
source code of our website and sniffing all traffic leaving your computer. You can reverse engineer the
encryption and decryption algorithms and how we use the credentials you supply to create your secret key (we're using AES 256).
You could go even further and implement your OWN AES 256 routines to decrypt/encrypt the files that LP stores on your
hard drive - provided you know your username and password of course.

For site sharing, we use RSA to sign/encrypt/verify/decrypt.
And again, you can verify this is true by sniffing what leaves your computer and arrives
at the destination computer.

We really want everyone using LastPass to trust it implicitly.
So in time, we might open source all of the front end local encryption/decryption stack and/or
have a trusted 3rd party verify/audit everything LP does.

Thanks for using LastPass!
sameer
sameer
Site Admin
 
Posts: 268
Joined: Tue Aug 19, 2008 9:43 pm
Location: Toronto, Canada

Re: Security/Quality of plugin? Open protocol?

Postby MxxCon » Mon Aug 25, 2008 4:41 pm

What's preventing you right now from releasing your plugin and server side software as open source with a license for businesses to buy?
That would allow everybody to ensure that this software is secure, more than just "trust us, it's secure".
MxxCon
 
Posts: 108
Joined: Fri Aug 22, 2008 5:27 pm

Re: Security/Quality of plugin? Open protocol?

Postby JoeSiegrist » Mon Aug 25, 2008 6:32 pm

We've spent a lot of time working on LastPass, and to open source the application would be fun but it's probably not the best move we can make right now if we want to prevent others from copying us, and would likely impact our ability to do an enterprise version (because those who would copy us would get an enormous boost from seeing our code).

That being said, we want you to be able to verify that what we're sending back and forth is encrypted data, and verify that if you put in your key it encrypts/decrypts to the same thing -- we have nothing to hide from that perspective, and want to make it easy to verify. It's not super easy but can be done today with the website, and we're looking into releasing a stand alone application that makes it easier (and makes it so you can put it on a USB drive).

Ultimately our enterprise plans involve having the server be hosted by the enterprise, so we may see some value in open sourcing the server at that time; but opening up everything right now just isn't in our best interest.

Joe
JoeSiegrist
 
Posts: 4185
Joined: Wed Aug 20, 2008 10:40 am
