![]() Once your safe password is set,the safe will be opened and pwSafe will automatically create a new entry for you.Īt any time, save your password by pressing Command-S or using the 'File' - 'Save' menu option. The fuller and greener it is, the stronger your password or passphrase is (a full indicator means your password has around 128 bits of entropy). Please mind the password strength indicator to the right. Once either path is chosen, a new safe will be created and you will be asked to create a new password for it: To create a new safe click the "New safe." button on the Welcome Screen or choose the 'New' option on the Whenever you need to come back to it, just use the 'Window' menu and choose the 'Welcome to pwSafe' option. From this window you can open and create documents. ![]() When you start pwSafe, you be shown the Welcome Screen. Welcome screen Creating a new Safe Opening a safe Using a safe Welcome screen If we failed to address any concern, please let us know.In this section you'll find information about: ![]() Please mind the code is fully copyrighted and that you are not supposed to reuse it in any form, you are granted a license just to find possible security issues in it. The source code is not obscured or minified in any form, just unpack the extension and examine it at will. When designing the extensions, we took great care to protect your passwords at all times, but you are welcome to examine the extensions source-code at any time. If you happen to find any problem we missed, please report it back to us, so that we can fix it as soon as possible. Session keys depend on both sides random number generators, making it harder to exploit a PRNG fault.Ī new sequence number to prevent agains replay attacks, and On every session, new encryption and authentication keys are generated, so as to guarantee perfect forward secrecy (PFS). The user then matches both, defending against man in the middle attacks.Īfter validation, the extension and pwSafe save the other party's public key and verify it on every new connection, closing it if it changed, preventing man-in-the-middle attacks. When you first connect, both sides calculate an identifier which is a hash of both parties' public keys (RSA-2048) and display it to the user. Since the SSL certificate validation logic cannot be overridden by the extension, we use a non-encrypted HTTP connection with our own security (encryption and authentication) layer on top.Įverything but the handshake is fully encrypted (AES-CBC-256) and authenticated (HMAC-SHA-256). To defend against malicious apps on your Mac:Ĭommunications between the extensions and pwSafe are run over a standard HTTP Websocket connection to localhost. It can only report which fields are present on the webpage and, when ordered to, fill them with the provided values. The component which runs on the webpage context can't connect to pwSafe directly, so it can't send commands to it asking for more passwords. When listing entries, it only gets titles, details (username and url) and groups.Įxtensions are broken in two main components: one running inside the displayed webpages (more vulnerable) and another one running in an isolated context (more secure). The full list of passwords is never sent to the extension, which only gets the password needed to fill the currently displayed webpage. These two facts pose a series of security concerns that we address. This makes them more susceptible to malicious websites and also very restricted when it comes to interacting with the local machine. Modern browser extensions are javascript apps that run inside the web-browser.
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |