Gili

Security audit


On 5/15/2018 at 12:05 AM, Anshu kumar said:

Hi @Kamute,

Thanks for writing in.  

Yes, we will get the Enpass 6 audited for security. The development is on the way and the beta is due by end of this month. Here's a sneak peek at the latest UI which comes along with the update.

I appreciate your patience in the meantime.

Thank you for responding, @Anshu kumar


As 1Password has changed their licensing policies I'm looking elsewhere for a more affordable solution and came across Enpass, as well as LastPass and DashLane. With 1Password numerous 3rd party audits are available on the internet, and also with DashLane I could find a pretty interesting 3rd party audit, alas for an older version. For LastPass it was more difficult to find such audits (although I did find several mentions of vulnerabilities), but I discovered hacker groups discussed the security of LastPass and appear to feel safe with it - that's a good second best for a security audit.

So I started looking for a 3rd party audit of Enpass and stumbled upon this discussion, and got surprised about the reluctance of Enpass to have the version 5 audited. In my opinion it's just ridiculous to postpone an audit because a new version is going to be launched. Why not have version 5 audited? Isn't it secure enough to be audited? I actually don't care about the last version of your software being audited. Audits are about gaining trust. I would be very interested to read 3rd party audits for any older version even though you might have several vulnerabilities in those fixed already. Each and every audit tells something about you, the company writing the software.

If you are really serious about getting a 3rd party audit involved then do so immediately, with the current version of the software. Right now this discussion reads like a joke. I cannot take Enpass as a serious alternative to 1Password. I'd rather pay the hefty fees for 1Password.


@rembert While I fully agree that it is annoying to wait for ver 6 to get an audit they kinda do have a point.

 

Audits are probably expensive as hell, and where a new version is in development it would kinda be ugly to audit the old version: users would take that as a reason to not get the newer version, or users wouldn't trust the new version as much as the old one.


Well, finally we have some visible progress. The Beta of EP6 started, so now we have something to work with.


We are on it and the audit will start with the final Betas of Enpass. We assure you that the final release in the market will be duly audited. Thanks a lot for your patience and understanding.


I think one thing that would help at the VERY least is to provide some insightful details about the types of cryptography going on here, and how it's handling that. Something LastPass also does is they provide reasonable levels of detail about what they do, where it does it, and what algorithms are being used.

For one example I note, just looking at the Enpass binary: I ran ldd on it in Linux, and see that it's linked against libgcrypt, libssl-1.0.0, etc. But also note that it's linked with libsodium, however that's not found, specifically. Which is a bit odd and concerning to me. A well known library that is linked but not used?

I personally like the concept of Enpass. I'd like to know a little more what's under the hood of its design from a security standpoint. A lot of people can say, they use military grade AES-256 encryption, but HOW they implement it could completely break it in a snap. 

Some people here pointed out the country of origin. To me that is mostly immaterial. What is more important is security itself, and the fact is: Security Is Hard, as Steve Gibson himself always says on his podcast show, SecurityNow. 

Take a look at how LastPass describes what they do for security from a technical point of view: https://lastpass.com/whylastpass_technology.php


Hi @Psi-Jack,

You can find more details about security and cryptography in Enpass here:
https://www.enpass.io/security/
https://www.enpass.io/docs/enpass-security-whitepaper/index.html

 

8 hours ago, Psi-Jack said:

For one example I note, just looking at the Enpass binary: I ran ldd on it in Linux, and see that it's linked against libgcrypt, libssl-1.0.0, etc. But also note that it's linked with libsodium, however that's not found, specifically. Which is a bit odd and concerning to me. A well known library that is linked but not used?

libsodium is being used for encrypting the browser extension communication channel. It is present in the /opt/Enpass/lib folder, which is why running ldd on the Enpass binary says
libsodium.so.18 => not found

which just means that ldd couldn't find the library in the standard locations on your system.

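The ldd behaviour discussed in the two posts above (the "not found" entry for libsodium.so.18, and the explanation that the library lives in /opt/Enpass/lib) can be checked rather than taken on trust. The following script is an added example written for this page, not Enpass's own tooling. The path /opt/Enpass/lib and the soname libsodium.so.18 come from the posts; the other sonames and the ldd output used in the demo are constructed stand-ins. It parses ldd's "not found" lines, looks for those sonames in the vendor lib directory, re-runs ldd with that directory on LD_LIBRARY_PATH the way an application launcher would, and warns if the directory is world-writable, since a lib directory that supplies code to a password manager is a library-hijacking target if anyone on the machine can write to it.

```shell
#!/bin/sh
# Added example for this thread, not Enpass's own tooling.
# Interprets "not found" lines from ldd and checks whether the missing
# sonames are shipped in the application's private lib directory
# (e.g. /opt/Enpass/lib, as described in the reply above).

# Print the sonames that ldd reported as "not found", one per line.
# Reads ldd output on stdin. ldd prints such lines as:
#   libsodium.so.18 => not found
missing_sonames() {
    awk '$2 == "=>" && $3 == "not" && $4 == "found" { print $1 }'
}

# For each soname on stdin, report whether a file of that name exists
# under the given directory. Prints "<soname> found|MISSING" and
# returns non-zero if any soname is genuinely missing.
locate_in_dir() {
    dir=$1
    rc=0
    while IFS= read -r so; do
        [ -n "$so" ] || continue
        if [ -e "$dir/$so" ]; then
            printf '%s found\n' "$so"
        else
            printf '%s MISSING\n' "$so"
            rc=1
        fi
    done
    return $rc
}

# Full check against a real binary, e.g.:
#   check_binary /opt/Enpass/Enpass /opt/Enpass/lib
check_binary() {
    bin=$1
    libdir=$2
    rc=0
    ldd "$bin" | missing_sonames | locate_in_dir "$libdir" || rc=1

    # Re-run ldd the way a launcher that sets LD_LIBRARY_PATH would see
    # it. Anything still "not found" is a real gap, not a search-path
    # artefact. ldd honours LD_LIBRARY_PATH because it invokes the loader.
    still=$(LD_LIBRARY_PATH="$libdir" ldd "$bin" | missing_sonames)
    if [ -n "$still" ]; then
        printf 'still unresolved with LD_LIBRARY_PATH=%s:\n%s\n' "$libdir" "$still"
        rc=1
    fi

    # The directory supplying code to the process must not be writable
    # by others, or any local user could drop a replacement library.
    # Column 9 of `ls -ld` is the "other" write bit.
    if [ "$(ls -ld "$libdir" | cut -c9)" = "w" ]; then
        echo "WARNING: $libdir is world-writable" >&2
        rc=1
    fi
    return $rc
}

# Self-contained demo using constructed ldd output; no Enpass install
# is needed. Creates an empty stand-in for the bundled libsodium.
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/lib"
    : > "$tmp/lib/libsodium.so.18"
    ldd_out='	linux-vdso.so.1 (0x00007ffc1a9f0000)
	libgcrypt.so.20 => /usr/lib/x86_64-linux-gnu/libgcrypt.so.20 (0x00007f1e2c000000)
	libssl.so.1.0.0 => /usr/lib/x86_64-linux-gnu/libssl.so.1.0.0 (0x00007f1e2bc00000)
	libsodium.so.18 => not found
	libexample.so.1 => not found'
    if printf '%s\n' "$ldd_out" | missing_sonames | locate_in_dir "$tmp/lib"; then
        rc=0
    else
        rc=1   # libexample.so.1 is a constructed, genuinely missing soname
    fi
    rm -rf "$tmp"
    return $rc
}

if [ "${1:-}" = "demo" ]; then
    demo
fi
```

Running `sh ldd-check.sh demo` prints `libsodium.so.18 found` and `libexample.so.1 MISSING` and exits 1; the point is that a "not found" from a bare ldd run says nothing about whether the library is shipped, only that it is not on the default search path, so the answer has to come from the vendor directory and from how the binary is actually launched.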

Btw, regarding Sodium, I just did a search on my PC for anything sodium related and I didn't find any Sodium files in the Enpass related folders. Is that because Windows is using something else, or is there something wrong?


Hi @My1,

Thanks for writing in.

Yes, the Windows version uses libsodium as well. You can see it alongside the main Enpass binary in the installation folder. However, if you have installed Enpass from the Windows Store, it won't appear in a system search.

Hope this helps!


As I am HEAVILY against W10, I can assure you that I don't have the Store version.

 

These are the folder views for Enpass 5 and 6 respectively, with no Sodium to be found.

Screenshot (455).png

Screenshot (456).png


Hi @My1 

Thanks for writing back.

It seems that you are running an older version of Enpass Portable. The latest version is available here on the website. Please check and let us know.

Cheers!


True enough, although I wouldn't have expected that Sodium gets dropped in v6.
