undefined | Better HN

story

0 pointsLukaAl10y ago0 comments

Same way as the encryption key used to secure the communication with your bank. It doesn't.

The idea behind TLS is that the client and the server agree on a temporary key to exchange the information in a secure way (there's a ton of literature on it) without saving the key locally. The good news is that it is something already implemented in a safe way in all sufficiently recent browser (for sufficiently recent I mean, sufficiently recent to support plugins, because also IE 6 supports some old form of SSL) and make them available to plugins.

TL;DR: It's trivial to do it right, screwing it up in this way means they have no clue on what security means.

0 comments

jeeyoungk10y ago

In this case, client = server. If your computer is compromised then they can get access to both private and public keys of 1Password and 1Password Mini.

It also doesn't prevent MITM unless both the client & server. Nothing stops you from presenting a fake public key pair between the communication

How doe TLS work then? Because public keys are signed by central authorities. Who do we know what to trust? Browsers and OSes have default list of certificate authorities to trust. How do we know that we can trust them? Technically they should be communicated outside the internet. If the version of Chrome you download is compromised with a rogue certificate authority (ex: SuperFish) then you're hosed.

It's turtles all the way. Unless keys are communicated securely somehow you cannot guarantee secure communication.

LukaAlOP10y ago

Yeah, you should stop the turtle sequence. Maybe don't make it so easy that a script kid could exploit it, though...

cyphar10y ago

How do you exploit it without already having root or sufficient capabilities to attack 1Password in other ways?

j / k navigate · click thread line to collapse