ctrl_alt_pasta Posted April 8, 2017 Can someone download, say, a Facebook or Reddit login, host it and have Enpass see it and send over the credentials?
Tobias S. Posted April 13, 2017 Can you describe that a bit more closely? I don't quite understand your question.
Ivarson Posted April 16, 2017 Spoofing a site to Enpass should be easy, because it's not built to _verify_ the identity of a host, only to filter out a match that's as accurate as possible. Always check the certificate and hostname before using autofill.
Tobias S. Posted April 16, 2017 (edited) 2 hours ago, Ivarson said: Spoofing a site to Enpass should be easy, because it's not built to _verify_ the identity of a host, only to filter out a match that's as accurate as possible. Always check the certificate and hostname before using autofill. But only the items with the same domain name are shown. Edited April 16, 2017 by Tobias S.
Ivarson Posted April 16, 2017 (edited) Of course, maybe I was a bit misleading. The point is that Enpass doesn't do security validation on the URLs you're doing autofill on. That's part of the reason the devs require the user to hit autofill via the hotkey or plugin button. The security has to lie in you, your OS and the browser. Like when you visit your home router at "192.168.x.1", which of course isn't even a DNS name. At best, you've got a self-signed certificate which the browser hopefully warns you about. That does encrypt the traffic but doesn't ensure the identity of the router. Enpass doesn't care though, neither should it imho. Edited April 16, 2017 by Ivarson
Vinod Kumar Posted April 17, 2017 Hi @ctrl_alt_pasta, What @Ivarson said is certainly right. Enpass doesn't do any security validation for you. Your browser is equipped with the best tools to do any security validations about the identity of the host. Constant updates are provided to guard against spoofing attacks like address bar spoofing. So, one should always pay attention to browser address bar warnings for broken or invalid certificates. However, before autofilling, Enpass always matches the domain name for saved items and shows only relevant items. This protects you against phishing attacks with look-alike domains.
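The domain-matching filter described in this thread, as an added illustration that is not Enpass's own code: it parses the page URL, derives the registrable domain, and returns only saved items for that domain, so a look-alike host or a host that merely contains the real name as a prefix gets no candidates, while a subdomain of the real site does. The sample vault entries are constructed, and the "last two labels" rule for the registrable domain is a simplifying assumption (a real implementation should consult the Public Suffix List). As the posters note, this kind of filter says nothing about whether the host you are talking to is genuine; that remains the job of the browser's certificate and address-bar checks.

```python
from urllib.parse import urlsplit
import ipaddress

# Constructed sample vault entries; usernames and URLs are placeholders.
SAVED_ITEMS = [
    {"title": "Facebook", "url": "https://www.facebook.com/login", "username": "alice"},
    {"title": "Reddit", "url": "https://www.reddit.com/login", "username": "alice"},
    {"title": "Home router", "url": "http://192.168.1.1/", "username": "admin"},
]


def host_of(url):
    """Return the lowercase hostname of a URL, or None if it has none.

    urlsplit().hostname drops scheme, userinfo, port and path, so only the
    authority's host is compared; a naive substring check on the raw URL
    would not give the same guarantee.
    """
    host = urlsplit(url).hostname
    return host.lower() if host else None


def is_ip_literal(host):
    """True when the host is an IPv4/IPv6 address rather than a DNS name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def registrable_domain(host):
    """Crude registrable domain: the last two DNS labels.

    Assumption for this demo only. Real code should use the Public Suffix
    List, otherwise e.g. 'co.uk' would be treated as a single site.
    """
    labels = host.rstrip(".").split(".")
    if len(labels) < 2:
        return host
    return ".".join(labels[-2:])


def matching_items(page_url, items=SAVED_ITEMS):
    """Return the saved items whose site matches the page being filled.

    - IP-literal hosts have no registrable domain, so they must match exactly.
    - DNS hosts match when their registrable domains are equal, which lets
      m.facebook.com use the www.facebook.com entry but rejects
      faceb00k.com and www.facebook.com.evil.example.
    """
    page_host = host_of(page_url)
    if page_host is None:
        return []
    if is_ip_literal(page_host):
        return [i for i in items if host_of(i["url"]) == page_host]
    page_domain = registrable_domain(page_host)
    result = []
    for item in items:
        item_host = host_of(item["url"])
        if item_host is None or is_ip_literal(item_host):
            continue
        if registrable_domain(item_host) == page_domain:
            result.append(item)
    return result


if __name__ == "__main__":
    for url in ("https://m.facebook.com/login",
                "https://faceb00k.com/login",
                "https://www.facebook.com.evil.example/login",
                "http://192.168.1.1/"):
        titles = [i["title"] for i in matching_items(url)]
        print(f"{url:45} -> {titles}")
```

The filter is deliberately a pure function of the URL string, which is exactly the limitation Ivarson and Vinod describe: it can keep a look-alike domain out of the candidate list, but it cannot tell a genuine host from one reached through a spoofed address, so the address-bar and certificate warnings still have to be read before triggering autofill.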