Thread: LastPass
Old 12 Oct 2013, 12:57 AM   #3
kijinbear
Cornerstone of the Community
 
Join Date: Mar 2011
Location: ~$
Posts: 652
The LastPass browser plugin is designed to download encrypted data from their servers, decrypt it locally with your password, and encrypt it again before uploading any changes. That way, the server only ever sees the encrypted data, and your password never leaves your own computer . . . until you go to their website and log in with the same password.

Once you log in via their website, it's an unholy mess of JavaScript-generated content that doesn't feel like a web page at all, and I can't tell what on Earth is going on behind the scenes. But one thing is certain: if somebody asked them to record my password the next time I visit their website, it would be easy for them to do that without anybody else being the wiser. And once they combine the password with the encrypted data they already have, voila, it ain't encrypted anymore.

Just like Hushmail was able to decrypt the (supposedly encrypted) emails of a user who logged in via the website. Just like Lavabit was told to intercept Snowden's password, and came very close to complying before they shut down everything.

Programs that run on your own computer and do the encryption/decryption locally are generally OK. But if somebody asks you to enter a password on a web page, there's always a possibility that your password will be intercepted.