Encryption keys and usability in Vivaldi and other browsers
-
Have you ever wondered how browsers handle the user-facing portion of data-encryption? Julien Picalausa explains this in details, as well as goes into how Vivaldiβs encryption key is handled.
Click here to see the full blog post
-
Perfect.
-
Good to know, thanks for explanation @julien_picalausa
-
Awesome!
-
:knight:
-
Although this encryption stuff is a bit over the head of a guy like me who knows just enough to get himself into trouble (even though I use it daily) this is a great article, not dumbed down but just technical enough so I can comprehend what is written.
Great Job Julien!! -
Just so I am crystal clear, there was for a time a mechanism that would reuse the connexion password as an encryption password if no encryption password was provided.
Is that mechanism totally removed, and now an encryption password must be provided ? -
Great article. Thank you @julien_picalausa for a very informative and well written blog post.
-
Since these accounts are used for other services we provide and have been around since well before we started providing Sync, we cannot easily use a key derivation mechanism like Firefoxβs as it would require all existing users to change their login password.
Wouldn't it be possible to make this change voluntary?
-
just wanted to add that Firefox's way of securing accounts isn't that special
the splitting up the masterpassword into a separate authentication key and encryption key is basically default among password managers
separate Encryption password and authentication password also works, though less convenientthe problem I have with browser password security is the default of leaving everything unencrypted locally (or encrypted using user session), except firefox which prompts the masterpassword every time on login, IF you've enabled it
if you have access to someones PC, the only thing you need to steal their passwords is a USB with portable firefox on it
just plug in your USB
import all chrome/firefox/edge/vivaldi passwords (no security/password required on importing)
unplug your usb and leave with all the passwords -
Good read! The most surprising part of this post is how bad the Firefox signup page is. I never thought about it, it is indeed not ideal for a less technically apt user.
-
@gerardlouw: Keeping support for two different systems would be a mess and would ultimately end in one being phased out and lots of users having to change their passwords.
-
Therefore, inexperienced users may decide to reuse a password that is already used for another service, which means they have effectively leaked their encryption key.
Just to add that Firefox services probably check those accounts and rejecting pwnd/bad/reused passwords could be something every service does.
-
@gwen-dragon the one called pwned passwords is run by Troy Hunt - an aussie Microsoft security researcher who is (in my mind and several government security agencies, for what its worth) trustworthy - he made a blog post explaining how his system maintains privacy. Its also free to use.
https://www.troyhunt.com/ive-just-launched-pwned-passwords-version-2/
But as always with the Internet, you should make sure that you individually trust it before sending your passwords away on it.
-
@gwen-dragon said in Encryption keys and usability in Vivaldi and other browsers:
The only useful way is to send the login name and get a password list of the hacked ones back.
No No No! Then any attacker could put a username in, and get a list of passwords they could use to attack compromised accounts! (Assuming a user had not been notified to change it)
With the pwned passwords API, you can hash your passwords yourself and check them manually, [e.g.](https://api.pwnedpasswords.com/range/2DBD1, client-side. Using the auto-checker the only time they are reversible at the other end is when they are already compromised, in which case you would need to change them anyway.
If you still don't trust it, you can always download the dataset of pwned password hashes yourself. (at the bottom of https://haveibeenpwned.com/Passwords)
But yes, if you don't know what you're doing, you should default to never pasting your passwords anywhere other than your password manager and an HTTPS input.
-
@cqoicebordel: Reusing your login password as encryption password is still allowed, but you have to confirm that you are fine with lower security, and a warning will be permanently displayed in the sync settings. Even if we didn't allow it there and then, there would be other ways to achieve the same result by changing your vivaldi.net password to be the same as your encryption password after setting the encryption password. As such, I think it's better to let people do the wrong thing explicitly and letting them know it's a bad idea than having them find a clever way to do the wrong thing without being certain of consequences.
-
@dantesoft: Of course, and I certainly hope they do. But that doesn't prevent someone from re-using a non-compromised password for something they might not realize is an encryption key
-
@julien_picalausa: Ah, I'm not criticizing the current behavior, far from it.
I just remembered that you said earlier that if no encryption password were provided, the login password was used as the encryption password, unknowingly from the user, to allow for E2E even without a specific password provided.
And my question was if that behavior was still actual or not. And you kind of answered it already -
Such third party services are not cheap or limited to use. And sending login data to third party service may be a severe privacy issue.
In general, yes.
But in this particular case, the API call to check an email or password is free and reasonably anonymous, plus anyone could just download and integrate the full pwnd/bad database.
-
Thanks for the detailed explanation.