
Certified Security

Open 3Fish opened this issue 7 years ago • 3 comments

Hi, I want to use ChromeIPass or FoxIPass in my company as an extension to the already in use KeePass2. But we need to have some level of guaranteed security, and that's why I ask if these extensions (including KeePassHttp) have been tested by some kind of security organization.

If not, I suggest that this is done, since this would allow many more companies to actually use these extensions. Maybe a pen test by the German Chaos Computer Club would be possible and maybe even free?

3Fish, Feb 02 '18 12:02

KeePass has been audited (version 1.31, some details here) but KeePassHTTP and the browser extension haven't been.

The key transfer in chromeipass/passifox is made in base64-encoded data, which is as secure as plain text. Still, the traffic is restricted to localhost, so it's as safe as your localhost is.

varjolintu, Feb 02 '18 20:02

+1

The main purpose of KeePass is to secure your passwords and data... For now, this extension does not seem very secure at all.

For example, I do not understand why the extension needs the rights to be able to:

  • access and modify the data on every website we visit
  • modify the data we copy/paste

Why do you need all of those rights? I try to avoid, as much as possible, Chrome extensions which require this kind of thing.

rhq, Feb 27 '18 21:02

> access and modify the data on every website we visit

This is because of the content scripts. It allows adding the password generator icon, autocomplete menu, etc.

> modify the data we copy/paste

This allows the password generator to copy data to the clipboard.

varjolintu, Feb 28 '18 06:02