Articles

  • As I mentioned previously, an efficient PBKDF2 implementation is absolutely essential for Easy Passwords in order to generate passwords securely. So when I looked into Microsoft Edge and discovered that it chose to implement the WebCrypto API but not the PBKDF2 algorithm, this was quite a show-stopper. I still decided to investigate the alternatives, out of interest.


  • My latest news validation adventure started because my wife overheard a show on Russian TV explaining the “real” reasons behind the Syrian civil war. The argument appeared to be balanced by explaining how various foreign forces have a hidden agenda in the conflict — including Russia, which needs to prevent the Qatar-Turkey pipeline from happening. And what’s in it for the US? According to that show, vast amounts of oil were discovered in Syria and the US were looking for ways to exploit those. Such an easy and simple explanation for a very complex conflict seemed suspicious and so I decided to look into it.


  • With Easy Passwords I develop a product which could be considered a Last Pass competitor. In this particular case however, my interest was sparked by the reports of two Last Pass security vulnerabilities (1, 2) which were published recently. It’s a fascinating case study given that Last Pass is considered security software and as such should be hardened against attacks.

    I decided to dig into Last Pass 4.1.21 (latest version for Firefox at that point) in order to see what their developer team did wrong. The reported issues sounded like there might be structural problems behind them. The first surprise, however, was the way Last Pass is made available to users: on Addons.Mozilla.Org you only get the outdated Last Pass 3 as the stable version; the current Last Pass 4 is offered on the development channel, and Last Pass actively encourages users to switch to the development channel.


  • My colleague Dave Barker is pushing me towards making Easy Passwords a full-featured LastPass alternative. Given the LastPass security vulnerabilities that were published recently and the ones I am about to publish myself soon, I cannot really blame him. Getting there will take a while but we’ve reached an important milestone on the way: with Easy Passwords 1.1.0 user names will now be filled in automatically as well, so for most login forms you won’t need to type anything at all any more. Implementing this feature in a user-friendly way was more complicated than it sounds; if you are interested, you can see the iteration process we went through in the corresponding issue.


  • As extension formats go, Apple clearly chose the most obscure and least documented one for their Safari browser. It’s based on the XAR (eXtensible ARchiver) format which is a dead project with barely existing and outdated format documentation (note how it suggests setting XAR_HEADER_VERSION to zero even though current header version is one). But Apple went further and added signing support to the format without documenting it. Why bother if everybody can use Safari to create an extension package? And so for a long time your best choice to automate the build process was a complicated list of instructions relying on a patched version of the xar command line tool. A year ago somebody apparently added a much more convenient xar-js library to the list but I didn’t find out until I started writing this blog post.

