undefined | Better HN

0 pointsicebraining9y ago0 comments

Lastpass also only syncs data after it's encrypted locally, so the threat model is the same.

0 comments

Not entirely, since you download the encryption code way more often (for example, when you open the "Lastpass Vault", which is just a website like any other). Parts of Lastpass are simply a website, not part of the browser extension, and as an avid Lastpass user in all honesty I don't know which parts.

This matters because even if it's client-side encryption, the encryption code just got downloaded when you opened the site so if the server or the network was compromised, you got compromised. [0]

With Keepass, the only time you run that risk is when you download Keepass.

[0] As far as I can tell, this is the core argument of tptacek's "javascript crypto considered harmful" rant (https://www.nccgroup.trust/us/about-us/newsroom-and-events/b...). I'm not sure, because it's written worse than his most drunken HN comment, but I believe it is.

milkey_mouse9y ago

I'm pretty sure when using the Chrome extension, all the HTML/JS is downloaded locally once when installing the extension, as logging in via the extension brings you to a chrome-extension:// URL. When logging in via lastpass.com, of course, you will be redownloading the crypto code every time.

icebrainingOP9y ago

Ah, yes, I was assuming the website would be avoided. I didn't realize it was hard to distinguish (I don't personally use LastPass, I prefer Firefox Sync).

starquake9y ago

You're right about that. The threat model is equal when using Dropbox. It's still different when you use a local LAN share or a USB stick though.

j / k navigate · click thread line to collapse