Comments on: Clipperz and Zero-Knowledge Online Password Management http://ajaxian.com/archives/clipperz-and-zero-knowledge-online-password-management Cleaning up the web with Ajax Thu, 09 Feb 2012 06:55:33 +0000 hourly 1 http://wordpress.org/?v=3.2 By: Sullof http://ajaxian.com/archives/clipperz-and-zero-knowledge-online-password-management/comment-page-1#comment-276365 Sullof Fri, 06 Nov 2009 14:27:19 +0000 http://ajaxian.com/?p=7880#comment-276365 @Michael Mahemoff I am very happy for this (Marco Barulli is a friend of mine) but the article seems to talk about something of absolutely innovative. Instead, Clipperz is today the almost same Clipperz of a year ago. I think that a blog as Ajaxian needs to be more scrupolous. @joeri I am a Passpack founder and I deeply know as HPH works. The difference between a 'standard web app' and an 'Host-proof Hosting web app' (using analogous server-side security measures) is substantial: in the first case, the user cannot know if someone is cracking his data; in the second the user can check the code and verify that something is happening. I don't know what exactly Clipperz do, but Passpack check the client-side code from several external services. So if it changes, we know. I guess that Clipperz use similar security tecniques. @bentruyman This is false. An HPH application cannot send you your password because it doesn't know it. PS: Sorry for my poor English, I am Italian :) @Michael Mahemoff
I am very happy for this (Marco Barulli is a friend of mine) but the article seems to talk about something of absolutely innovative. Instead, Clipperz is today the almost same Clipperz of a year ago. I think that a blog as Ajaxian needs to be more scrupolous.

@joeri
I am a Passpack founder and I deeply know as HPH works.
The difference between a ‘standard web app’ and an ‘Host-proof Hosting web app’ (using analogous server-side security measures) is substantial: in the first case, the user cannot know if someone is cracking his data; in the second the user can check the code and verify that something is happening. I don’t know what exactly Clipperz do, but Passpack check the client-side code from several external services. So if it changes, we know. I guess that Clipperz use similar security tecniques.

@bentruyman
This is false. An HPH application cannot send you your password because it doesn’t know it.

PS: Sorry for my poor English, I am Italian :)

]]> By: bentruyman http://ajaxian.com/archives/clipperz-and-zero-knowledge-online-password-management/comment-page-1#comment-276364 bentruyman Fri, 06 Nov 2009 13:35:32 +0000 http://ajaxian.com/?p=7880#comment-276364 @joeri Agreed. I think the Ajaxian sysadmins should listen to you as it appears that they are storing passwords in the clear or at least in a decrypt-able state. Try using the "Forgot Password" tool and they'll email you your password. @joeri Agreed. I think the Ajaxian sysadmins should listen to you as it appears that they are storing passwords in the clear or at least in a decrypt-able state. Try using the “Forgot Password” tool and they’ll email you your password.

]]> By: Joeri http://ajaxian.com/archives/clipperz-and-zero-knowledge-online-password-management/comment-page-1#comment-276359 Joeri Fri, 06 Nov 2009 11:01:44 +0000 http://ajaxian.com/?p=7880#comment-276359 I understand the security value in encrypting the database, or rather specific values in the database, but I have my doubts about client-side encryption. What's to prevent a hacker from patching the web server code so it also sends the unencrypted data to the server, or to a different server? If the purpose of host-proof hosting is preventing hackers from running away with sensitive data, how does doing encryption client-side make any difference if they have access to the server-side code? I understand the security value in encrypting the database, or rather specific values in the database, but I have my doubts about client-side encryption.

What’s to prevent a hacker from patching the web server code so it also sends the unencrypted data to the server, or to a different server? If the purpose of host-proof hosting is preventing hackers from running away with sensitive data, how does doing encryption client-side make any difference if they have access to the server-side code?

]]> By: Michael Mahemoff http://ajaxian.com/archives/clipperz-and-zero-knowledge-online-password-management/comment-page-1#comment-276354 Michael Mahemoff Fri, 06 Nov 2009 01:27:28 +0000 http://ajaxian.com/?p=7880#comment-276354 The interview took place last week. Clipperz and host-proof hosting are living things and continue to evolve. The interview took place last week. Clipperz and host-proof hosting are living things and continue to evolve.

]]> By: Sullof http://ajaxian.com/archives/clipperz-and-zero-knowledge-online-password-management/comment-page-1#comment-276353 Sullof Fri, 06 Nov 2009 00:38:37 +0000 http://ajaxian.com/?p=7880#comment-276353 Host-Proof Hosting exists from years. Clipperz - like Passlet and Passpack - has born in the 2006. Ajaxian spoke about all them in these years. I am a bit surprised from this post. Host-Proof Hosting exists from years. Clipperz – like Passlet and Passpack – has born in the 2006. Ajaxian spoke about all them in these years. I am a bit surprised from this post.

]]>