Enpass Discussion Forum

Enpass listening to network ports on Linux


Installed the Linux version of Enpass today (5.3.0) on my Ubuntu box. I set up folder syncing... if I like it I'll sync the folder elsewhere. Then while running Enpass, I noticed it had two programs running, Enpass and EnpassHelper. Enpass had an open socket connection with EnpassHelper talking to Enpass. Specifically, checking the network connections on my box for Enpass gave this:

netstat -anp|grep 11095
tcp        0      0 127.0.0.1:10391         0.0.0.0:*               LISTEN      11095/Enpass    
tcp        0      0 127.0.0.1:10391         127.0.0.1:54452         ESTABLISHED 11095/Enpass    
tcp        0      0 127.0.0.1:10391         127.0.0.1:54354         ESTABLISHED 11095/Enpass    
unix  2      [ ACC ]     STREAM     LISTENING     55350    11095/Enpass        /tmp/qtsingleapp-Enpass-cf80-3e8
unix  3      [ ]         STREAM     CONNECTED     51738    11095/Enpass       

etc...

My questions are:

1) Are internal Enpass apps communicating over local sockets secure? (I've not tcpdumped it yet)

2) Why is the main Enpass app listening to all IP addresses? Why is it 0.0.0.0:* and not 127.0.0.1:*?

Thanks!

On 8/6/2016 at 6:33 AM, CodeHead said:

2) Why is the main Enpass app listening to all IP addresses? Why is it 0.0.0.0:* and not 127.0.0.1:*?

 

Here, 0.0.0.0:* in foreign address field signifies an invalid address. Enpass is listening on the loopback address only; it is so secure that only addresses in the 127.0.0.0/8 range can make a connection, which is a range exclusively reserved for connections only possible by other processes running on that system.

On 8/6/2016 at 6:33 AM, CodeHead said:

1) Are internal Enpass apps communicating over local sockets secure? (I've not tcpdumped it yet)

 

Secure is a relative definition in this context. The data transmitted is not secure from you (or anyone with root access of the machine). You can dump and analyse the data. But it is secure from anyone else, because communication is only happening over loopback. We use various other measures to restrict the processes that try to connect to Enpass. You can have a look at this link (https://www.enpass.io/docs/desktop-mac/browser_ext_working.html) to see how browser extension communication works.

  • Author
7 hours ago, Vinod Kumar said:

Here, 0.0.0.0:* in foreign address field signifies an invalid address.

Actually, 0.0.0.0:* is not an invalid address, as it represents any foreign IP/port combo. My mistake was that I thought it was the local address, not the foreign address. So no issue here.

7 hours ago, Vinod Kumar said:

Secure is a relative definition in this context. The data transmitted is not secure from you (or anyone with root access of the machine).

So it's clear-text, but we're okay since it's not discoverable outside of the computer, since it's not broadcast where you can dump the data via Wireshark or tcpdump on a separate device. The assumption is that the computer running Enpass isn't compromised. Hard to argue there, being that all bets are off once you no longer own your machine.

I have to ask... though I know SQLCipher has been through peer audits... has Enpass itself been audited for security leaks?
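
The column mix-up resolved in this thread (the Local Address column, not the Foreign Address column, shows where a socket listens) can be checked mechanically. The following is an added example, not part of any post and not Enpass code: it classifies TCP listeners in `netstat -anp` output by their local address. The first and last sample lines are from the thread; the other two, including the `exampled` program name and its PIDs, are constructed.

```shell
#!/bin/sh
# Added example: classify TCP listeners in `netstat -anp` output by the
# LOCAL address column (field 4), never the foreign address column (field 5).

# Sample input. Lines 1 and 4 come from the thread; lines 2-3 are constructed
# (hypothetical PIDs and program name) to show the non-loopback cases.
sample_netstat() {
cat <<'EOF'
tcp        0      0 127.0.0.1:10391         0.0.0.0:*               LISTEN      11095/Enpass
tcp        0      0 0.0.0.0:8080            0.0.0.0:*               LISTEN      2222/exampled
tcp6       0      0 :::8443                 :::*                    LISTEN      3333/exampled
tcp        0      0 127.0.0.1:10391         127.0.0.1:54452         ESTABLISHED 11095/Enpass
EOF
}

# classify_listeners: read netstat lines on stdin and print
#   <scope> <local-address> <pid/program>
# for every TCP socket in LISTEN state. ESTABLISHED rows are skipped.
classify_listeners() {
  awk '
    $1 ~ /^tcp/ && $6 == "LISTEN" {
      local_addr = $4
      host = local_addr
      sub(/:[0-9]+$/, "", host)          # strip the trailing :port
      if (host ~ /^127\./ || host == "::1")
        scope = "loopback-only"          # reachable from this machine only
      else if (host == "0.0.0.0" || host == "::")
        scope = "all-interfaces"         # wildcard bind, reachable remotely
      else
        scope = "specific-address"       # bound to one non-loopback address
      print scope, local_addr, $7
    }'
}

sample_netstat | classify_listeners
```

On a live system, pipe `netstat -anp` (run with enough privilege to see the PID/program column) into `classify_listeners` instead of the sample.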

This topic is now closed to further replies.
