[Cryptography] Clipperz

Jonas Magazinius jonas.magazinius at assured.se
Tue Nov 3 20:08:55 EST 2015


Hi there,

We did a pentest of Clipperz some time ago
(https://cure53.de/pentest-report_clipperz.pdf). From what I remember,
they do encrypt your data client side and store the blob encrypted. The
key is derived from the password, so unless they get ahold of the password
they should not be able to decrypt the blob. If you forget your password
there is no way of recovering your data. Naturally, since they provide
the website, and thereby control the code, they could include JavaScript
that steals your password as you enter it.

Take it for what it's worth; at least the issues we found are all fixed.

"Come back when you can install and pin down peer reviewed third party
crypto code in your browser".
Will do, working on it.


Cheers,
Jonas


On 2015-11-03 21:24, grarpamp wrote:
> On Tue, Nov 3, 2015 at 10:29 AM, Stéphane Mourey
> <stephane.mourey at impossible-exil.info> wrote:
>> Has anyone tried Clipperz (https://clipperz.is)?
>> In any case, have you an opinion to share about it ?
> If they're pushing their miracle crypto code down into your
> browser for execution, then it's garbage. So are all other
> self proclaimed centralized corporate crypto services that
> do the same thing, or force you to use their special client.
> Because someday they will either be forced or subverted into
> pushing bad code and compromising some user, quite possibly you.
> Come back when you can install and pin down peer
> reviewed third party crypto code in your browser,
> or use any client that meets an open API spec they publish.
> Better yet, support and use p2p storage and messaging instead
> of central corporate services. Or at least do it locally
> and store it on a few $5 shells if you need it online.
>
>> Clipperz... "knows nothing about you and your data"
> Nothing? Really? I'll bet anyone on these lists .1337 BTC they do.
> _______________________________________________
> The cryptography mailing list
> cryptography at metzdowd.com
> http://www.metzdowd.com/mailman/listinfo/cryptography



