According to what I have understood, in LastPass the decryption process takes place in the browser extension. They might find a way to run the decryption in a secure way (calling a desktop program, I suppose). The problem with LastPass is that it is not open source, therefore we really don't know how it works.

The point here is you don't need such a thing, because you already have passff, the Firefox extension for pass; it calls pass for all sensitive operations. Moreover, it is important to keep the system simple then secure. Using a JavaScript system to decrypt the passwords would be:
- Useless, because of the passff extension and all the other clients for pass (iOS, Android, even Windows...)
- Would add a layer of complexity to the "pass web app", exposing pass to security risks that have been avoided until today: browser security, XSS...

This is why JavaScript is not good for sensitive processes. Furthermore, it is too slow for asymmetric encryption, and then it requires an external plug-in or Java. Both add a security risk and a layer of complexity to the system.

Regards,
Alex

On 08/02/16 10:04, GOYOT Martin wrote:
> Hello Alexandre,
>
> Thanks for the tip, I decided to use the Android app.
>
> This said, I would love you to explain to me why this would be a bad idea.
> This could work exactly like what LastPass is doing, for instance.
>
> Regards,
> -- Martin
>
> On Mon, Feb 8, 2016 at 10:00 AM Alexandre PUJOL <[email protected]> wrote:
>
> Using git, you can use any git server and git web app (like cgit) as a
> pass web viewer. Then, the git server will allow you to sync your
> passwords between your devices, and thus use the good pass client for your
> device (pass, pass-ios, Android-Password-Store...)
>
> However, the git web app only outputs the tree of the password directory.
> The content itself stays encrypted. Do NOT try to create a tool in order
> to decrypt and output it in a web browser. As Dashamir Hoxha said, it
> would not be a good idea at all.
> Because you must NOT:
> - Use any server to decrypt your password.
> - Use JavaScript to decrypt the password directly in a web browser.
>
> This is why there is no pass web app; all the pass server you would
> ever need already exists: it is a git server.
>
> Regards,
> Alex
>
> On 07/02/16 20:57, GOYOT Martin wrote:
> > Oh I didn't know of keybase. Looks like a really interesting project!
> >
> > Also I don't know if Kenny Stier had the mailing list in copy when he
> > replied to me, but he pointed me to two mobile applications that can
> > deal with pass:
> >
> > https://github.com/zeapo/Android-Password-Store
> > https://github.com/davidjb/pass-ios#readme
> >
> > I decided to give the Android app a try, and for my really small test
> > until now, it looks good!
> >
> > On Sun, Feb 7, 2016 at 8:24 PM Santiago Borrazás <[email protected]> wrote:
> >
> > Also, maybe using the Keybase
> > filesystem https://keybase.io/introducing-the-keybase-filesystem
> >
> > On Sun, Feb 7, 2016 at 10:22 AM, Dashamir Hoxha <[email protected]> wrote:
> >
> > In principle, you can use `git clone` or `rsync` to copy
> > ~/.password-store to a portable device (usb, phone, smartphone,
> > etc.). You can copy there the corresponding GPG key as well.
> > Then, on another computer, you can tell pass to use the data on
> > the portable device by setting environment variables like this:
> >
> >     export PASSWORD_STORE_DIR="/dev/sdb1/.password-store"
> >     export PASSWORD_STORE_GPG_OPTS="--homedir=/dev/sdb1/.gnupg"
> >
> > Or you can define an alias like this:
> >
> >     alias pass="PASSWORD_STORE_DIR='/dev/sdb1/.password-store' PASSWORD_STORE_GPG_OPTS='--homedir=/dev/sdb1/.gnupg' pass"
> >
> > I haven't tried this but it should work. Maybe somebody has
> > written a blog or tutorial about this, with more detailed
> > instructions.
> >
> > Sorry, I know nothing about any web interface to pass. And I
> > don't even think it would be a good idea.
> >
> > Regards,
> > Dashamir
> >
> > On Sun, Feb 7, 2016 at 6:11 PM, GOYOT Martin <[email protected]> wrote:
> >
> > Hello there,
> >
> > This is my first mail here, so if I'm doing anything wrong
> > please tell me. I just wanted to know if there was any web
> > app or mobile app that was able to deal with the pass
> > utility as a backend.
> >
> > I have been using pass for quite some time now, and I really love
> > it. But sometimes I need to access my passwords and sadly
> > I'm not on my own computer with pass installed, my gpg key
> > and so on. So I was wondering if something like a web or
> > mobile interface capable of answering this problem already
> > exists.
> >
> > Regards,
> > -- Martin
> >
> > _______________________________________________
> > Password-Store mailing list
> > [email protected]
> > http://lists.zx2c4.com/mailman/listinfo/password-store
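
The thread's model is that a git server or web viewer only ever sees the directory tree and encrypted files. The following is an added example, not code from the thread or from the pass project: a check to run before pushing a store to a git server, which lists any file that does not look like gpg public-key-encrypted output. The function names are hypothetical, and it assumes every entry starts with an OpenPGP public-key encrypted session key packet (RFC 4880 tag 1) or an ASCII-armor header.

```shell
#!/bin/sh
# Added example (hypothetical helper names): find files in a pass store that
# would be readable as-is by anyone who can browse the git repository.

# first_byte FILE -> first byte of FILE as two lowercase hex digits
first_byte() {
    od -An -tx1 -N1 "$1" | tr -d ' \n'
}

# looks_encrypted FILE -> 0 if FILE begins like `gpg --encrypt` output
looks_encrypted() {
    case "$(first_byte "$1")" in
        # OpenPGP packet tag 1: old-format header 0x84-0x87, new-format 0xc1
        84|85|86|87|c1) return 0 ;;
    esac
    # Otherwise accept only an ASCII-armored message (header is 27 bytes)
    [ "$(head -c 27 "$1" | tr -d '\000')" = "-----BEGIN PGP MESSAGE-----" ]
}

# unencrypted_entries STORE_DIR -> prints suspect paths, one per line
unencrypted_entries() {
    # .gpg-id and .gitattributes are pass's own plaintext metadata files
    find "$1" -type f ! -path '*/.git/*' \
         ! -name '.gpg-id' ! -name '.gitattributes' |
    while IFS= read -r f; do
        case "$f" in
            *.gpg) looks_encrypted "$f" || printf '%s\n' "$f" ;;
            *)     printf '%s\n' "$f" ;;   # pass entries always end in .gpg
        esac
    done
}

# check_store STORE_DIR -> 0 only when nothing suspect was found
check_store() {
    [ -z "$(unencrypted_entries "$1")" ]
}

# Typical use before `pass git push`:
#   check_store "${PASSWORD_STORE_DIR:-$HOME/.password-store}" || echo "plaintext found"
```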
