how would the channel feel about me pimping an unrelated project that I've recently released in alpha?
reardencode: i'm excited already
haha, http://github.com/reardencode/freekey http://reardencode.github.com/freekey
password management, for free, entirely in browser, stored to S3
I think it's pretty cool.
oh, github
what about it?
reardencode: ok, i already told somebody about it
reardencode: will you have tshirts?
hahaha, if it gets popular, absolutely.
freekey is like lastpass?
RandalSchwartz: roughly yeah
do you encrypt entirely on client side?
RandalSchwartz: yep
with seeded hashes on server side?
using JSCL AES256
nothing server side
er you mean initialization values?
what is "S3" in the above sententec?
sounds like "server" to me
it stores to your own Amazon S3 account
FreeKey itself is just a 130k HTML/javascript file
what does it store there?
your encrypted password data (and the IVs needed to decrypt it)
Ahh, then not at all like lastpass
what does lastpass do?
in lastpass, the cloud storage is impenetrable
only a client side password will decrypt it
RandalSchwartz: same in FreeKey
so now I'm not following
you are not being clear
RandalSchwartz: your password, processed by pbkdf2 encrypts everythign that is saved
you've just contradicted yourself
can you state my contradition so I can clarify wherever I've been unclear?
... <reardencode> your encrypted password data (and the IVs needed to decrypt it)
IVs meaning the random data used to seed the encryption -- required to decrypt
how is that not the opposite of "only a client side password will decrypt it"
either there is enough in the cloud to decrypt, or not
there is not enough in the cloud to decrypt
the password is required, period.
ok - then you misled me
the IVs are required, not sufficient to decrypt
I apologize for the confusion -- most folks don't bother mentioning IVs when talkign about encryption, I tend to call them out, to my detriment in this case
if you want to sell this to lay people, might note that :)
yep :)
not really looking to sell -- just looking to stop the flood of non-free software password management solutions
and to do it better
(I'll probably also have to put up my own storage solution to make it popular as lay people won't want to sign up for S3 necessarily)
well - until you have an iphone client, not useful for me
and it embeds in safari and firefox and chrome
RandalSchwartz: it should work on iphone in the browser just fine
RandalSchwartz: my whole point here was to make a program that just works in most modern browsers
what do you mean by embeds?
ie autofills forms?
how is it available on every page?
as in... I go to mail.google.com.  How does it fill my password there?
js?
sure - where is that loaded from, and why?
when does mail.google.com load your JS
RandalSchwartz: gotcha, doesn't do that yet, you leave it running in a tab and copy passwords over
oh - fairly useless for me then
definitely not even in the runnig
haha, give me a break, been working in it for like 30 days in my free time :-P
just telling you what you have to get to before even announcing it
because I'm a typical customer of 1password and lastpass
reardencode: you're going to have to do better than that if you want to run with the big boys
reardencode: there's no way i'm blogging about this until it has full iphone & android integration
the easy parts of that are easy
the hard parts are really f'ing hard
fink: can you define "full iphone and android integration"?
reardencode: unless i get a prerelease tshirt, that is
reardencode - see what I just said
iphone native app, first
since you can't force safari to load JS
so you have to build an iphone app with a browser embedded
reardencode: call me when apple buys you out
;)
RandalSchwartz: is that how the othe rpassowrd managers work? they embed a browser into which they stick their passwords?
yup
both lastpass and 1password have custom browsers
ah, I wouldn't use that, nor would my initial market interviews (friends) -- they want to be able to have an app that sticks their passwords either ont eh screen or clipboard for them to use as they choose
and I wouldn't use *that*
reardencode: maybe you could leverage some kind of XSS vulnerability in all the major browsers to get your password app to work
RandalSchwartz: gotcha :)
keep in mind copy/paste on an iphone is a real pain
fink: I think it'd be pretty easy to do with a bookmarklet on desktop browsers, will ahve to look into that
especially if you have *two* items (user + password)
RandalSchwartz: I actually didn't know that, never used an iphone in my life!
you get exactly one copy/paste buffer
hmm, interesting feedback -- I also hadn't envisioned needing to _lookup_ and supply username, but rather using the username as part of the lookup key.
the key is the website URL
not the username
ok, so android and iphone aside (for the moment) would it be interesting on the desktop if it was an app that you leave open in a page and interact with by clicking save and load bookmarklets in major browsers?
the website URL should result in one or more things to be pasted into that form
RandalSchwartz: I went back and forth on that -- for my personal usage, I prefer to have it dual key -- I have multiple logins on _many_ sites
yeah - so you take the website URL, then show me a list of possible named sets, and I pick one
that's the way lastpass and 1password work
*I* get to pick the name of the set
so for gmail, if I have 5 personalities, you'd pop up a list of 5
each of those might map to a username/password pair
but you are ok with it being a tab you have to keep open?  (So far I don't have a way around that without destroying what I want it to be, but I can make it so you don't have to go to that tab...
no, I'm not
as in, if you want to compete with 1p and lastpass
it sits as a browser extension
so it can intercept every normal page
in safari, chrome, and firefox on OSX
no need to intercept, just use bookmarklets
and as a separate browser on IOS
yeah, I don't think I'm going to satisfy your usecase -- I want something that doesn't involve installing browser extensions
security policies rightfully reject that for Safari
bookmarkelts run in their own origin-space
reject which?
or something like that
I know 1password can't run as bookmarklets any more because of some tightening of safari policy
hmm, I'm able to write a bookmarklet that does dom manipulation just fine at first glance...
interesting, I'll try it
on safari?
was in chrome.
yeah - safari is trying to prevent more XSS
so they've gone more for the letter of the law
not sure of details, but it broke old-school 1password
so now 1password is an extension
bagh mac
er apple
yes.  blame apple for Doing The Right Thing
nice stance
I don't think it's the right thing to prevent useful monkeypatch bookmarklets
if I want to be able to click a button to quickly do some dom on a page in _my_ browser, I shouldn't have to go write an extension for it
even if those could lead to security breaches?
again - I don't know all the details
but it was about security, as I recall
pretty sure that one is just a protect users from themselves type of thing, unless they allow sites to auto-add bookmarklets, in which case _that_ would be what you fix
if a user can install an extension to do a thing, they should be allowed to install a bookmarklet to do that same thing
(within technical capabilities)
hah - I know now
1password says "don't use this, because a malicious website could take advantage of it"
that makes sense now
so it still works, but it's preferred you don't use it
just looked up the docs
hmm, wonder what they're protecting against -- origin abuses?
if the bookmarklet looks up the password on user click based on the origin of the page on which it was clicked, where's the security hole?
reardencode: how about an active-x plugin?
reardencode: i guess a malicious js could be looking out for your bookmarklet?
fink: hmm, I wonder... I'm trying to come up with an attack vector what I had envisioned
yeay - three machines at arp being zfs send/recv cloned to texas!
no more "what if a bomb drops on wilshire annex" worries!
zxfer for the win
RandalSchwartz: are you doing round robin dns, or will you have to manually change dns entries, or something else... ?
i wonder why i'm getting a lot of small ubuntu orders lately
Huh.
another ubuntu order
they just realeased natty narwhal