CodeHead Posted August 6, 2016

Installed the Linux version of Enpass today (5.3.0) on my Ubuntu box. I set up folder syncing... if I like it I'll sync the folder elsewhere. Then while running Enpass, I noticed it had two programs running, Enpass and EnpassHelper. Enpass had an open socket connection with EnpassHelper talking to Enpass. Specifically, checking the network connections on my box for Enpass gave this:

    netstat -anp|grep 11095
    tcp 0 0 127.0.0.1:10391 0.0.0.0:* LISTEN 11095/Enpass
    tcp 0 0 127.0.0.1:10391 127.0.0.1:54452 ESTABLISHED 11095/Enpass
    tcp 0 0 127.0.0.1:10391 127.0.0.1:54354 ESTABLISHED 11095/Enpass
    unix 2 [ ACC ] STREAM LISTENING 55350 11095/Enpass /tmp/qtsingleapp-Enpass-cf80-3e8
    unix 3 [ ] STREAM CONNECTED 51738 11095/Enpass
    etc...

My questions are:

1) Is the internal Enpass apps' communication over local sockets secure? (I've not tcpdumped it yet)

2) Why is the main Enpass app listening on all IP addresses? Why is it 0.0.0.0:* and not 127.0.0.1:*?

Thanks!
Vinod Kumar Posted August 8, 2016

On 8/6/2016 at 6:33 AM, CodeHead said:
    2) Why is the main Enpass app listening on all IP addresses? Why is it 0.0.0.0:* and not 127.0.0.1:*?

Here, 0.0.0.0:* in the foreign address field signifies an invalid address. Enpass is listening on the loopback address only; it is secured so that only addresses in the 127.0.0.0/8 range can make a connection, a range exclusively reserved for connections from other processes running on that system.

On 8/6/2016 at 6:33 AM, CodeHead said:
    1) Is the internal Enpass apps' communication over local sockets secure? (I've not tcpdumped it yet)

Secure is a relative definition in this context. The data transmitted is not secure from you (or anyone with root access on the machine). You can dump and analyse the data. But it is secure from anyone else, because communication is only happening over loopback. We use various other measures to restrict the processes that try to connect to Enpass. You can have a look at this link (https://www.enpass.io/docs/desktop-mac/browser_ext_working.html) to know how browser extension communication works.
CodeHead Posted August 8, 2016

7 hours ago, Vinod Kumar said:
    Here, 0.0.0.0:* in the foreign address field signifies an invalid address.

Actually, 0.0.0.0:* is not an invalid address, as it represents any foreign IP/port combo. My mistake was that I thought it was the local address, not the foreign address. So no issue here.

7 hours ago, Vinod Kumar said:
    Secure is a relative definition in this context. The data transmitted is not secure from you (or anyone with root access on the machine).

So it's clear text, but we're okay since it's not discoverable outside of the computer, since it isn't broadcast where you can dump the data via Wireshark or tcpdump on a separate device. The assumption is that the computer running Enpass isn't compromised. Hard to argue there, being that all bets are off once you no longer own your machine.

I have to ask... though I know SQLCipher has been through peer audits... has Enpass itself been audited for security leaks?
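The point the two posts above settle is that a listener's bind scope is read from the local address column of netstat, not the foreign column, where 0.0.0.0:* on a LISTEN row is just the wildcard for "any peer". The following is an added example, not code from the thread or from Enpass: it parses netstat -anp style output (the thread's lines, plus one constructed row for a hypothetical program bound to all interfaces) and reports which listening sockets are loopback-only and which are reachable from the network.

```python
"""Audit netstat -anp output for listeners not bound to loopback.

Added example, not Enpass's code. Parses the TCP rows of netstat -anp
output, reads the bind scope from the LOCAL address column, and flags
any LISTEN socket whose local host is a wildcard or a non-loopback
address. The foreign column of a LISTEN row is always the wildcard
0.0.0.0:* (any peer) and carries no information about the bind scope.
"""
import ipaddress

# Constructed sample: the thread's Enpass rows, plus one hypothetical
# row (PID 2222, "hypothetical") bound to all interfaces for contrast.
SAMPLE = """\
tcp        0      0 127.0.0.1:10391         0.0.0.0:*               LISTEN      11095/Enpass
tcp        0      0 127.0.0.1:10391         127.0.0.1:54452         ESTABLISHED 11095/Enpass
tcp        0      0 127.0.0.1:10391         127.0.0.1:54354         ESTABLISHED 11095/Enpass
tcp        0      0 0.0.0.0:8080            0.0.0.0:*               LISTEN      2222/hypothetical
unix  2      [ ACC ]     STREAM     LISTENING     55350    11095/Enpass  /tmp/qtsingleapp-Enpass-cf80-3e8
"""


def split_addr(addr):
    """Split 'host:port' on the last colon so IPv6 hosts such as '::' survive."""
    host, _, port = addr.rpartition(":")
    return host, port


def parse_tcp_lines(text):
    """Return the tcp/tcp6 rows of netstat -anp output as dicts.

    netstat -anp columns: Proto Recv-Q Send-Q Local Foreign State PID/Program.
    Unix-domain socket rows and headers are skipped.
    """
    rows = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 7 or not fields[0].startswith("tcp"):
            continue
        proto, _recvq, _sendq, local, foreign, state, program = fields[:7]
        rows.append({"proto": proto, "local": local, "foreign": foreign,
                     "state": state, "program": program})
    return rows


def bind_scope(host):
    """Classify the LOCAL host of a socket: loopback, all-interfaces, or external."""
    if host in ("0.0.0.0", "::", "*"):
        return "all-interfaces"
    return "loopback" if ipaddress.ip_address(host).is_loopback else "external"


def audit_listeners(text):
    """One finding per LISTEN socket, with its scope taken from the local column."""
    findings = []
    for row in parse_tcp_lines(text):
        if row["state"] != "LISTEN":
            continue
        host, port = split_addr(row["local"])
        findings.append({"program": row["program"], "port": port,
                         "scope": bind_scope(host), "foreign": row["foreign"]})
    return findings


def network_reachable_listeners(text):
    """Programs whose listener is reachable from off-host (the thing to review)."""
    return [f["program"] for f in audit_listeners(text) if f["scope"] != "loopback"]


if __name__ == "__main__":
    for f in audit_listeners(SAMPLE):
        print(f"{f['program']:20} port {f['port']:6} scope={f['scope']:15} foreign={f['foreign']}")
    print("review:", network_reachable_listeners(SAMPLE))
```

Run against real output (`netstat -anp | python3 audit.py` after swapping SAMPLE for `sys.stdin.read()`), the loopback-only result for the Enpass rows matches the reply in the thread, and the hypothetical 0.0.0.0:8080 row shows what a finding that actually warrants attention looks like.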