Enpass Discussion Forum


Can someone spoof a login?


Can you describe that a bit more closely? I don't quite understand your question.

Spoofing a site to Enpass should be easy, because it's not built to _verify_ the identity of a host, only to filter out a match that's as accurate as possible. Always check the certificate and hostname before using autofill.

2 hours ago, Ivarson said:

Spoofing a site to Enpass should be easy, because it's not built to _verify_ the identity of a host, only to filter out a match that's as accurate as possible. Always check the certificate and hostname before using autofill.

But only the items with the same domain name are shown.

Edited by Tobias S.

Of course, maybe I was a bit misleading. The point is that Enpass doesn't do security validation on the URLs you're doing autofill on.

That's part of the reason the devs require the user to hit autofill via the hotkey or plugin-button.

The security has to lie in you, your OS and the browser.

Like when you visit your home router at "192.168.x.1", which of course isn't even a DNS name. At best, you've got a self-signed certificate which the browser hopefully warns you about. That does encrypt the traffic but doesn't ensure the identity of the router. Enpass doesn't care though, neither should it imho.

Edited by Ivarson

Hi @ctrl_alt_pasta,

What @Ivarson said is certainly right. Enpass doesn't do any security validation for you. Your browser is equipped with the best tools to do any security validations about the identity of the host. Constant updates are provided to guard against spoofing attacks like address bar spoofing. So, one should always pay attention to browser address bar warnings for broken or invalid certificates.

However, before autofilling, Enpass always matches the domain name for saved items and shows only relevant items. This protects you against phishing attacks with look-alike domains.
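
The distinction drawn in this thread, as an added example that is not part of any post and is not Enpass's code: a hostname filter rejects look-alike domains but says nothing about who is answering at a matching host. The matching rule, the function names and the vault entries below are assumptions made for illustration.

```javascript
// Added illustration: hostname matching for autofill candidates.
// Not Enpass's code; the matching rule and vault entries are assumptions.

// Constructed sample vault.
const vault = [
  { title: "Bank", host: "bank.example" },
  { title: "Home router", host: "192.168.0.1" },
];

const isIPv4 = (h) => /^\d{1,3}(\.\d{1,3}){3}$/.test(h);

// True when pageHost equals savedHost or is a subdomain of it.
// The suffix must start on a label boundary; IP literals match exactly only.
function hostMatches(pageHost, savedHost) {
  if (pageHost === savedHost) return true;
  if (isIPv4(pageHost) || isIPv4(savedHost)) return false;
  return pageHost.endsWith("." + savedHost);
}

// Titles of the saved items that would be offered for this page URL.
function candidates(pageUrl) {
  // URL lowercases the host and converts IDN labels to punycode,
  // so a homograph label no longer compares equal to the ASCII one.
  const host = new URL(pageUrl).hostname;
  return vault.filter((it) => hostMatches(host, it.host)).map((it) => it.title);
}

// Constructed page URLs: the genuine site, look-alikes, and the router.
const pages = [
  "https://bank.example/login",        // exact host
  "https://LOGIN.bank.example/",       // subdomain, case-insensitive
  "https://bank.example.login.test/",  // saved host used as a prefix
  "https://notbank.example/",          // suffix without a label boundary
  "https://b\u0430nk.example/",        // Cyrillic "а" homograph
  "http://192.168.0.1/",               // plain HTTP, still a match
];
for (const p of pages) console.log(p, "->", candidates(p));
```

The last URL matches over plain HTTP with no certificate at all, which is the point made above: the filter narrows the list of items, and checking the certificate and address bar remains the browser's and the user's job.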
