At the very least, this is stored in server memory until the key derivation process is complete.
ROBOFORM RELEASE NOTES PASSWORD
To derive two keys from the master password, the server must have the master password to begin with. Instead, two strings are derived from it the first string is stored on the server, the other in a browser cookie. and that's what we can see who knows what's going on behind the scenes.Įven with the best of intentions though, it's never as safe as simply not sending it in the first place. We already know the transport layer is horrendous. If you're sending the master password over any network, you have to trust it's being handled with care, every step of the way. Their paraphrased rebuttal of "ok, but we don't store it" is pretty weak, not to mention inaccurate. I specifically used the word "sent" because it was completely at odds with Vadim's (CEO) statement.Īs I've previously shown, it's not only sent to Siber Systems (which they now admit), but there's no hashing involved whatsoever. Your master password is sent to Siber Systems Sending vs Storing the Master PasswordĪssuming you've read the first article, you'll note I said they quietly patched it and presumably hoped nobody had noticed.
nothing! Just a few minutes before their reply though, the server miraculously started enforcing SSL (albeit insecure/weak).ĭid they own up, admit their mistake and allow users to change their passwords? Nope. Can you DM me with some details and we'll look into it again pls?- RoboForm August 15, 2014įor at least a week in August 2014, Roboform's Everywhere Portal sent data to/from their servers over HTTP! but what if it's not encrypted at Paul, we believe we addressed this with you a while ago. You'd have to be insane to willingly send your master password over a "secure" channel such as this. There's no forward secrecy, HSTS, pinning, elliptic curve crypto or indeed anything considered "military grade", to use their phrase. They also use RC4, which is considered weak. Unfortunately, it's SSLv3 and susceptable to the POODLE exploit, which is insecure. When the user submits the Master Password to decrypt a file, the Master Password is submitted to RoboForm Everywhere server, the server performs the decryption, and the decryped data is transmitted back to the client.Įven if the user selects to cache the Master Password, the Master Password still is not stored on server. These services are using SSL connection (https) for communication between the client (browser) and the server. The article clearly states "Roboform Everywhere Portal" as opposed to the Roboform desktop application. If you use the Roboform desktop application, the master password & passcard data do not travel across the network. RoboForm does not transmit any decrypted contents of the user data files (passcards/identities/safenotes) over any network.
RoboForm does not pass Master Password over any network The "Roboform Everywhere" portal was still insecure, but that clearly wasn't going to change any time soon.Ī couple of days ago, a concerned Roboform user sent this: So they couldn't replicate it, assumed it was inaccurate and publicly berated the researcher that reported it! Charmin'!Ī week later, Chris Gomez raised the issue again.Īlthough they still couldn't replicate it, they did at least release a patch. Security is our number one priority and we are working to ensure that no vulnerability exists, as it has still yet to be confirmed Fortunately, The HackerNews pulled the article and replaced it with this something which Scott Helme pointed out. In both replies, you'll note a link to the HackerNews article which tried to debunk my claims.
Well, 6 months have passed and although there's been no official public response from Siber Systems, they have made a number of comments to journalists and customers by email/Facebook and support tickets during which I've been labelled as "misinformed", "unpleasant" and "sarcastic". You may recall, I recently published an article entitled " How secure is Roboform: The 5 Minute Challenge".
0 kommentar(er)
