how would the channel feel about me pimping an unrelated project that I've recently released in alpha?
reardencode: i'm excited already haha,
http://github.com/reardencode/freekey http://reardencode.github.com/freekey password management, for free, entirely in browser, stored to S3
I think it's pretty cool.
oh, github
what about it?
reardencode: ok, i already told somebody about it
reardencode: will you have tshirts?
hahaha, if it gets popular, absolutely.
freekey is like lastpass?
RandalSchwartz: roughly yeah
do you encrypt entirely on client side?
RandalSchwartz: yep
with seeded hashes on server side?
using JSCL AES256
nothing server side
er you mean initialization values?
what is "S3" in the above sentence? sounds like "server" to me
it stores to your own Amazon S3 account
FreeKey itself is just a 130k HTML/javascript file
what does it store there?
your encrypted password data (and the IVs needed to decrypt it)
Ahh, then not at all like lastpass
what does lastpass do?
in lastpass, the cloud storage is impenetrable
only a client side password will decrypt it
RandalSchwartz: same in FreeKey
so now I'm not following
you are not being clear
RandalSchwartz: your password, processed by pbkdf2 encrypts everything that is saved
you've just contradicted yourself
can you state my contradiction so I can clarify wherever I've been unclear?
... your encrypted password data (and the IVs needed to decrypt it)
IVs meaning the random data used to seed the encryption -- required to decrypt
how is that not the opposite of "only a client side password will decrypt it"
either there is enough in the cloud to decrypt, or not
there is not enough in the cloud to decrypt
the password is required, period.
ok - then you misled me
the IVs are required, not sufficient to decrypt
I apologize for the confusion -- most folks don't bother mentioning IVs when talking about encryption, I tend to call them out, to my detriment in this case
if you want to sell this to lay people, might note that :)
yep :)
not really looking to sell -- just looking to stop the flood of non-free software password management solutions and to do it better
(I'll probably also have to put up my own storage solution to make it popular as lay people won't want to sign up for S3 necessarily)
well - until you have an iphone client, not useful for me
and it embeds in safari and firefox and chrome
RandalSchwartz: it should work on iphone in the browser just fine
RandalSchwartz: my whole point here was to make a program that just works in most modern browsers
what do you mean by embeds? ie autofills forms?
how is it available on every page?
as in... I go to mail.google.com. How does it fill my password there?
js?
sure - where is that loaded from, and why?
when does mail.google.com load your JS
RandalSchwartz: gotcha, doesn't do that yet, you leave it running in a tab and copy passwords over
oh - fairly useless for me then
definitely not even in the running
haha, give me a break, been working in it for like 30 days in my free time :-P
just telling you what you have to get to before even announcing it
because I'm a typical customer of 1password and lastpass
reardencode: you're going to have to do better than that if you want to run with the big boys
reardencode: there's no way i'm blogging about this until it has full iphone & android integration
the easy parts of that are easy
the hard parts are really f'ing hard
fink: can you define "full iphone and android integration"?
reardencode: unless i get a prerelease tshirt, that is
reardencode - see what I just said
iphone native app, first
since you can't force safari to load JS
so you have to build an iphone app with a browser embedded
reardencode: call me when apple buys you out ;)
RandalSchwartz: is that how the other password managers work? they embed a browser into which they stick their passwords?
yup
both lastpass and 1password have custom browsers
ah, I wouldn't use that, nor would my initial market interviews (friends) -- they want to be able to have an app that sticks their passwords either on the screen or clipboard for them to use as they choose
and I wouldn't use *that*
reardencode: maybe you could leverage some kind of XSS vulnerability in all the major browsers to get your password app to work
RandalSchwartz: gotcha :)
keep in mind copy/paste on an iphone is a real pain
fink: I think it'd be pretty easy to do with a bookmarklet on desktop browsers, will have to look into that
especially if you have *two* items (user + password)
RandalSchwartz: I actually didn't know that, never used an iphone in my life!
you get exactly one copy/paste buffer
hmm, interesting feedback -- I also hadn't envisioned needing to _lookup_ and supply username, but rather using the username as part of the lookup key.
the key is the website URL
not the username
ok, so android and iphone aside (for the moment) would it be interesting on the desktop if it was an app that you leave open in a page and interact with by clicking save and load bookmarklets in major browsers?
the website URL should result in one or more things to be pasted into that form
RandalSchwartz: I went back and forth on that -- for my personal usage, I prefer to have it dual key -- I have multiple logins on _many_ sites
yeah - so you take the website URL, then show me a list of possible named sets, and I pick one
that's the way lastpass and 1password work
*I* get to pick the name of the set
so for gmail, if I have 5 personalities, you'd pop up a list of 5
each of those might map to a username/password pair
but you are ok with it being a tab you have to keep open? (So far I don't have a way around that without destroying what I want it to be, but I can make it so you don't have to go to that tab...
no, I'm not
as in, if you want to compete with 1p and lastpass
it sits as a browser extension so it can intercept every normal page in safari, chrome, and firefox on OSX
no need to intercept, just use bookmarklets
and as a separate browser on IOS
yeah, I don't think I'm going to satisfy your usecase -- I want something that doesn't involve installing browser extensions
security policies rightfully reject that for Safari
bookmarklets run in their own origin-space
reject which?
or something like that
I know 1password can't run as bookmarklets any more because of some tightening of safari policy
hmm, I'm able to write a bookmarklet that does dom manipulation just fine at first glance... interesting, I'll try it on safari?
was in chrome.
yeah - safari is trying to prevent more XSS
so they've gone more for the letter of the law
not sure of details, but it broke old-school 1password
so now 1password is an extension
bagh mac
er apple
yes. blame apple for Doing The Right Thing
nice stance
I don't think it's the right thing to prevent useful monkeypatch bookmarklets
if I want to be able to click a button to quickly do some dom on a page in _my_ browser, I shouldn't have to go write an extension for it
even if those could lead to security breaches?
again - I don't know all the details
but it was about security, as I recall
pretty sure that one is just a protect users from themselves type of thing, unless they allow sites to auto-add bookmarklets, in which case _that_ would be what you fix
if a user can install an extension to do a thing, they should be allowed to install a bookmarklet to do that same thing (within technical capabilities)
hah - I know now
1password says "don't use this, because a malicious website could take advantage of it"
that makes sense now
so it still works, but it's preferred you don't use it
just looked up the docs
hmm, wonder what they're protecting against -- origin abuses?
if the bookmarklet looks up the password on user click based on the origin of the page on which it was clicked, where's the security hole?
reardencode: how about an active-x plugin?
reardencode: i guess a malicious js could be looking out for your bookmarklet?
fink: hmm, I wonder...
I'm trying to come up with an attack vector what I had envisioned
yeay - three machines at arp being zfs send/recv cloned to texas! no more "what if a bomb drops on wilshire annex" worries!
zxfer for the win
RandalSchwartz: are you doing round robin dns, or will you have to manually change dns entries, or something else... ?
i wonder why i'm getting a lot of small ubuntu orders lately
Huh. another ubuntu order
they just released natty narwhal