Entre las diversas aplicaciones existentes para guardar contraseñas online (Shibbo, Agatra o PassPack, por ejemplo), Clipperz entra en la guerra de cabeza.
Clipperz no recibe la contraseña y la guarda encriptada, ya la recibe encriptada gracias a un programa ejecutado en el navegador del cliente. De esta forma aseguran que ellos NUNCA reciben la contraseña del usuario.
De esta forma podéis guardar datos de acceso a sitios, cuentas bancarias, emails, redes.. cualquier contraseña que necesitéis recordar sin tener que confiar en extraños.
En el email que Marco Barulli me ha enviado me manda algunas direcciones interesantes para conocer mejor el servicio. Entre ellas un vídeo con el paso a paso de esta interesante web.
Actualización: lo bueno de este trabajo es que cada noticia escrita recibe comentarios y aclaraciones de varios usuarios de todo el mundo. La afirmación de que Clipperz encripta las contraseñas antes de enviarlas al servidor debe ser ampliada después del email recibido de la competencia: Passpack.
Según el email, que anexo más abajo, passpack realiza el mismo procedimiento que clipperz, guardando también la contraseña ya encriptada por el navegador del usuario, usando una técnica conocida como Host-Proof Hosting Ajax Pattern.
La diferencia de Clipperz es ser open-source, por el resto.. podéis usar passpack sin problemas.
Email de Tara, de Passpack:
** About the Cryptographic process **
PassPack uses the same technique "of delivering the Ajax code to the
user's browser and then storing user's data in an encrypted form on its
servers" as Clipperz does. In fact, this technique is called the
Host-Proof Hosting Ajax Pattern
(http://ajaxpatterns.org/Host-Proof_Hosting#Solution). Both PassPack and
Clipperz use this pattern. Neither Clipperz nor PassPack invented it.
The last sentence of Marco Barulli's email is misleading. It does not
concern the Host-Proof Hosting process. It concerns the fact that
Clipperz is open source code, while the others are not. This is why
Marco refers to "checking for yourself".
In other words, the following statement is true (just changing
"Clipperz" with "PassPack"):
"PassPack no recibe la contraseña y la guarda encriptada, ya la recibe
encriptada gracias a un programa ejecutado en el navegador del cliente.
De esta forma aseguran que ellos NUNCA reciben la contraseña del usuario."
Would it be possible for you to fix that on your blog? I would greatly
appreciate it.
** Trust Issues **
- If you do not have advanced cryptographic and programming experience,
then checking Clipperz code is a futile effort. You will not understand it.
- If you are a cryptographic and programming expert, and are able to
analyze and study Clipperz code - then you are also able to analyze and
study PassPack's code as well. Since both applications work by
downloading javascript into the browser, there is no need for the code
to be open source for you to look in side it: just save what is already
in your browser.
- In order for the applications to run as quickly as possible, If you
decide to save the Javascript code for Clipperz and/or PassPack from
inside the browser, then you will need to decompress it first. However,
the code that Clipperz makes available on Google Code is not compressed
- that makes those two versions different: one compressed, the other
not. Personally, I don't think Clipperz would do anything unethical like
change the code between compressed and decompressed. However this
difference does *require that you trust them* not to change the code
between what is published and what is actually used in the website.
As you can see, trust is still an essential part of any online
application. Clipperz requires just as much trust as PassPack does,
regardless if it is open source or not.
Passwords are a very serious business, and you *must* trust the people
that provide a password protection service. If you can't trust a
service, don't use it.
Autor: Juan Diego Polo
Contenido relacionado
Otros contenidos de interés
