Clipperz – A very secure application for storing passwords online

Among the various existing applications for storing passwords online (Shibbo, Agatra or PassPack, for example), Clipperz dives head-first into the battle.
Clipperz does not receive the password and then store it encrypted; it receives it already encrypted, thanks to a program that runs in the client’s browser. This way they ensure that they NEVER receive the user’s password.
This way you can store login details for sites, bank accounts, emails, networks... any password you need to remember, without having to trust strangers.
In the email Marco Barulli sent me, he includes some useful links for getting to know the service better, among them a video with a step-by-step walkthrough of this interesting site.

Update: the good thing about this work is that every story written receives comments and clarifications from users all over the world. The statement that Clipperz encrypts passwords before sending them to the server needs to be expanded on following the email received from the competition: Passpack.

According to the email, which I attach below, Passpack follows the same procedure as Clipperz, also storing the password already encrypted by the user’s browser, using a technique known as the Host-Proof Hosting Ajax Pattern.

What sets Clipperz apart is that it is open source; otherwise... you can use Passpack without problems.
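
A minimal sketch of the Host-Proof Hosting pattern described above, as an added example that is not Clipperz's or PassPack's code: the client derives a key from the passphrase and encrypts before upload, so the server only stores an opaque record. The function names, the in-memory `serverStore`, the PBKDF2/AES-GCM choice and the iteration count are assumptions for illustration, and it uses Node's built-in crypto module so that it runs offline.

```javascript
// Added example: Host-Proof Hosting sketch (not Clipperz or PassPack code).
const nodeCrypto = require("node:crypto");

const PBKDF2_ITERATIONS = 200000; // assumed work factor for this sketch

// Derive a 256-bit key from the passphrase; this never leaves the client.
function deriveKey(passphrase, salt) {
  return nodeCrypto.pbkdf2Sync(passphrase, salt, PBKDF2_ITERATIONS, 32, "sha256");
}

// Client side: encrypt the secret before anything is uploaded.
function clientEncrypt(passphrase, plaintext) {
  const salt = nodeCrypto.randomBytes(16);
  const iv = nodeCrypto.randomBytes(12); // fresh 96-bit nonce per record
  const cipher = nodeCrypto.createCipheriv("aes-256-gcm", deriveKey(passphrase, salt), iv);
  const ct = Buffer.concat([cipher.update(plaintext, "utf8"), cipher.final()]);
  const b64 = (buf) => buf.toString("base64");
  return { salt: b64(salt), iv: b64(iv), tag: b64(cipher.getAuthTag()), ct: b64(ct) };
}

// Client side: decrypt a record fetched back from the server.
// Throws if the passphrase is wrong or the record was modified in storage.
function clientDecrypt(passphrase, record) {
  const raw = (s) => Buffer.from(s, "base64");
  const key = deriveKey(passphrase, raw(record.salt));
  const decipher = nodeCrypto.createDecipheriv("aes-256-gcm", key, raw(record.iv));
  decipher.setAuthTag(raw(record.tag));
  return Buffer.concat([decipher.update(raw(record.ct)), decipher.final()]).toString("utf8");
}

// Hypothetical server: an in-memory store that only ever sees opaque records.
const serverStore = new Map();
function serverPut(user, record) { serverStore.set(user, JSON.stringify(record)); }
function serverGet(user) { return JSON.parse(serverStore.get(user)); }

// Round trip with constructed sample data.
function demo() {
  serverPut("alice", clientEncrypt("correct horse battery", "bank PIN: 4921"));
  const stored = serverStore.get("alice");
  return {
    serverSeesPlaintext: stored.includes("bank PIN") || stored.includes("correct horse"),
    recovered: clientDecrypt("correct horse battery", serverGet("alice")),
  };
}
```

The server never holds the key, but it still delivers the code that performs `clientEncrypt`, which is the trust question the email below raises.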

Email from Tara, of Passpack:

** About the Cryptographic process **
PassPack uses the same technique «of delivering the Ajax code to the
user’s browser and then storing user’s data in an encrypted form on its
servers» as Clipperz does. In fact, this technique is called the
Host-Proof Hosting Ajax Pattern
(https://ajaxpatterns.org/Host-Proof_Hosting#Solution). Both PassPack and
Clipperz use this pattern. Neither Clipperz nor PassPack invented it.

The last sentence of Marco Barulli’s email is misleading. It does not
concern the Host-Proof Hosting process. It concerns the fact that
Clipperz is open source code, while the others are not. This is why
Marco refers to «checking for yourself».

In other words, the following statement is true (just changing
«Clipperz» with «PassPack»):

«PassPack does not receive the password and then store it encrypted; it
receives it already encrypted, thanks to a program that runs in the client’s
browser. This way they ensure that they NEVER receive the user’s password.»

Would it be possible for you to fix that on your blog? I would greatly
appreciate it.

** Trust Issues **
– If you do not have advanced cryptographic and programming experience,
then checking Clipperz code is a futile effort. You will not understand it.

– If you are a cryptographic and programming expert, and are able to
analyze and study Clipperz code – then you are also able to analyze and
study PassPack’s code as well. Since both applications work by
downloading javascript into the browser, there is no need for the code
to be open source for you to look inside it: just save what is already
in your browser.

– In order for the applications to run as quickly as possible, if you
decide to save the Javascript code for Clipperz and/or PassPack from
inside the browser, then you will need to decompress it first. However,
the code that Clipperz makes available on Google Code is not compressed
– that makes those two versions different: one compressed, the other
not. Personally, I don’t think Clipperz would do anything unethical like
change the code between compressed and decompressed. However this
difference does *require that you trust them* not to change the code
between what is published and what is actually used in the website.

As you can see, trust is still an essential part of any online
application. Clipperz requires just as much trust as PassPack does,
regardless if it is open source or not.

Passwords are a very serious business, and you *must* trust the people
that provide a password protection service. If you can’t trust a
service, don’t use it.

8 comments on “Clipperz – A very secure application for storing passwords online”

  1. Hi. I looked at your post but I don’t understand. Passpack works exactly as you say about Clipperz, so why is Clipperz more secure?

  2. Axel, see the email from clipperz to me:

    Clipperz does solve the password management problem, but it also gives a practical demonstration of a new breed of web applications: the «zero-knowledge» web apps.

    Applications where the provider is simply in charge of delivering the Ajax code to the user’s browser and then storing user’s data in an encrypted form on its servers.
    Clipperz lets you submit confidential information into your browser, but your data are locally encrypted by the browser itself before being uploaded.

    Other online services (including Shibbo, Agatra and PassPack) require the users to trust them, while Clipperz invites users to check for themselves!

  3. Hello.
    I am a founding partner at PassPack. I’m sorry, but there is a misleading sentence in Marco Barulli’s message.

    I have sent you a detailed email explaining it. I hope that you will share it with everyone. Thanks!

    I appreciate it,
    Tara Kelly

  4. Juan, Clipperz’s email says that Clipperz locally encrypts the data while other services do not. But Passpack works in the same manner. Clipperz and Passpack use open source libraries as well, and I can see the JavaScript in my browser for both services. So either Clipperz doesn’t know its competitors or they are intentionally saying something false. This is not good 🙂