Enpass Discussion Forum

Website icons in plain sight


Ivarson

Why are you not encrypting or at the very least obfuscating the names of a user's cached favicons when this is enabled?

I know, the icons are only cached on each device, not synced to the cloud providers, and if your OS content can be read by someone else it cannot be assumed to be secure yadayada.

But on a shared or work-related machine, I'm pretty sure an Enpass user expects the entries to be confidential as well.

So if someone has a strange affection for... crows, whatever, there will be a login.ilovecrows.com within %AppData% or the portable directory. If someone has several hundred entries, it gives quite a lot of intel about that person.

This applies to the Portable versions as well, so having website icons enabled on Enpass Portable on a USB stick means you're running around with all the URLs in your vault unencrypted.

There's no disclaimer or warning in Enpass about this, nor on the link https://www.enpass.io/support/kb/beta/what-happens-when-i-enable-website-icons/ that you provide from within Enpass.

Just store them within the main vault and save your APIs some queries, or at least encrypt them separately.


Hi @Ivarson,

Thanks for bringing this to our notice. You are right, we should have provided a better warning message.

Icons are not treated as sensitive data and are for UI enhancement only. Obfuscating the cache filename can avoid casual guessing but will not resolve the problem completely. Also, different device resolutions, scrolling performance issues and complex updating mechanisms are a few situations where we decided to avoid storing them in the main database. This was a trade-off decision we made then. Maybe it's time we look for an alternate strategy that satisfies all the requirements.

Thanks.

  • Like 1
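
Added example, not part of the original thread and not Enpass code: a comparison of three ways an icon cache could name its files, and which hostnames someone who can only list the directory can confirm from a candidate list. The function names, `VAULT_KEY` (a stand-in for a secret available only when the vault is unlocked) and the sample hostnames are assumptions constructed for illustration.

```python
import hashlib
import hmac

# Constructed sample data (not taken from any real vault).
VAULT_HOSTS = ["login.ilovecrows.com", "mail.example.org"]
# Hostnames someone with read access to the cache directory might test.
CANDIDATES = ["bank.example.net", "login.ilovecrows.com", "mail.example.org"]
# Assumption: a per-vault secret that is only available once the vault is unlocked.
VAULT_KEY = bytes.fromhex("00112233445566778899aabbccddeeff" * 2)


def plain_name(host):
    """Cache filename that embeds the hostname, as described in the post."""
    return host + ".png"


def hashed_name(host):
    """Obfuscated filename: unkeyed SHA-256 of the hostname."""
    return hashlib.sha256(host.encode()).hexdigest() + ".png"


def keyed_name(host, key):
    """Filename derived with HMAC-SHA-256 under a per-vault secret."""
    return hmac.new(key, host.encode(), hashlib.sha256).hexdigest() + ".png"


def build_cache(namer):
    """Directory listing an icon cache would produce for VAULT_HOSTS."""
    return {namer(h) for h in VAULT_HOSTS}


def hosts_revealed(listing, namer):
    """Candidate hostnames whose derived filename appears in the listing.

    `namer` is what a reader of the directory can compute without the vault key.
    """
    return sorted(h for h in CANDIDATES if namer(h) in listing)


if __name__ == "__main__":
    schemes = {
        "plain": (build_cache(plain_name), plain_name),
        "sha256": (build_cache(hashed_name), hashed_name),
        # Without VAULT_KEY the reader can only try unkeyed hashing.
        "hmac": (build_cache(lambda h: keyed_name(h, VAULT_KEY)), hashed_name),
    }
    for label, (listing, namer) in schemes.items():
        print(label, hosts_revealed(listing, namer))
```

A keyed name hides the hostname but not the icon image itself, so the file contents would need encrypting as well.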