UPDATE: So, I just got word in the comments that I misunderstood things. In fact the javascript encryption libraries are licensed under the open source approved BSD license. I had read that the javascript that runs their website was under a reference license and made the mistake of believing that all their licenses were the reference license. I’m more than glad to hear that the encryption libraries are BSD. Thanks for the tip!

Clipperz is a web site where you can store your passwords (or really any information) very securely and it throws in single sign-on for good measure. Needing more and more registrations and services and servers and with my aging brain cells dying faster than is good for me, there’s no way I can remember all my various passwords. It’s a good practice to keep them all securely in an encrypted database so that I just have to remember one password. It’s better than writing them all down on a piece of paper somewhere (which is better than not writing them down and using a single easy password for all accounts).

The executive review is that this seems like a convenient and secure way to keep your passwords, with an offline backup strategy so you don’t have to worry about being connected to the internet or losing your data.

So I read about Clipperz with fascination and a healthy amount of skepticism. The skepticism stems from its being on the web and relying on javascript. Given all the crazy javascript based hacks, I just wasn’t sure that this was something I could trust so I went and checked it out. Here’s the interesting part: they’ve implemented all the encryption libraries in javascript so all of the encryption happens locally on your machine and what is transmitted to them is only the encrypted text (which they have no ability to decrypt) - at no point is your password transmitted in either encrypted or plain text to their systems. Learning that opened my eyes and sat me down for a deeper look into the system. On top of that all communication with clipperz.com is conducted over ssl, so even your transmissions are encrypted.

The basic idea is that you register an account, select a (hopefully strong) passphrase and then you can start storing your information. Information is stored in “cards” which represent one record of data, for example one card might be “NYTimes” where you store your name and password, another card might be “Secret Tofu Recipe” where you store the recipe for your special tofu dish. Information in the cards consists of an optional note, for any big chunk of text and then discrete fields, so you could call one field the “url” and its value would be amazon or you could call a field “ingredient” and its value could be “1 tbsp soy sauce.” It’s all very flexible so you can use the system in whatever way you need to use.

As you are saving and editing new cards, it pulls up informational dialogues that are very clear at every step about what it is doing, so it will tell you it’s encrypting the card locally (on your machine) and then transmitting the encrypted text back to clipperz.com. Throughout the whole site they are very clear about every step of the process and try to be very open about exactly what it is they are and are not doing. I found it very reassuring.
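The local-encryption flow described above, sketched as an added example; it is not Clipperz's code and not part of the original post. Node's `crypto` module stands in for the in-browser libraries, the PBKDF2 and AES-256-GCM choices are assumptions (the post only names AES), and all function names and the sample card are hypothetical.

```javascript
// Added illustration, not Clipperz code. Assumed construction: PBKDF2-SHA256
// for key derivation and AES-256-GCM for the card; the post only names AES.
const nodeCrypto = require('crypto');

const KDF_ITERATIONS = 200000; // assumed work factor

// Runs on the user's machine: stretch the passphrase into a 256-bit key.
function deriveKey(passphrase, salt) {
  return nodeCrypto.pbkdf2Sync(passphrase, salt, KDF_ITERATIONS, 32, 'sha256');
}

// Runs on the user's machine: returns the only data uploaded for this card.
function encryptCard(passphrase, card) {
  const salt = nodeCrypto.randomBytes(16);
  const iv = nodeCrypto.randomBytes(12);
  const cipher = nodeCrypto.createCipheriv('aes-256-gcm', deriveKey(passphrase, salt), iv);
  const ct = Buffer.concat([cipher.update(JSON.stringify(card), 'utf8'), cipher.final()]);
  return {
    salt: salt.toString('base64'),
    iv: iv.toString('base64'),
    tag: cipher.getAuthTag().toString('base64'),
    ciphertext: ct.toString('base64'),
  };
}

// Runs on the user's machine after fetching the blob back from the server.
// Throws if the passphrase is wrong or the stored blob was altered.
function decryptCard(passphrase, blob) {
  const key = deriveKey(passphrase, Buffer.from(blob.salt, 'base64'));
  const decipher = nodeCrypto.createDecipheriv('aes-256-gcm', key, Buffer.from(blob.iv, 'base64'));
  decipher.setAuthTag(Buffer.from(blob.tag, 'base64'));
  const pt = Buffer.concat([decipher.update(Buffer.from(blob.ciphertext, 'base64')), decipher.final()]);
  return JSON.parse(pt.toString('utf8'));
}

// The server's view: true if any of the given secrets appears in the upload.
function uploadLeaks(blob, secrets) {
  const wire = JSON.stringify(blob);
  return secrets.some((s) => wire.includes(s));
}

// Constructed sample card, shaped like the note-plus-fields cards described above.
const sampleCard = {
  title: 'NYTimes',
  note: 'constructed example',
  fields: [
    { label: 'username', value: 'reader@example.com' },
    { label: 'password', value: 'constructed-pw-123' },
  ],
};
```

Because the cipher is authenticated, a wrong passphrase and a server-side modification of the stored blob both surface as a decryption error on the client instead of as silently corrupted data.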

They also have what they call “direct logins,” so you can set up a card, say the NYTimes one and configure it so that you can log into clipperz.com and then simply click on the NYTimes direct login link and be logged into the paper’s site without having to type in your username and password. This can be very handy for keeping track of all your different sites that you need to login to - especially ones that you don’t log into very frequently, you can store the name and password in Clipperz and then very easily access them.

The difficulty with direct logins, though, is that it’s a little bit of a pain to set them up. The easiest way is to first install a bookmarklet - it’s easy and they show you how to do it. Then, to keep with my example, you’d go to nytimes.com and find a login screen. Then click your bookmarklet which pops up a window with a bunch of text in a field already highlighted, you need to copy that to your clipboard and then go to clipperz.com and create a new card. In that process there’s a place for you to paste the text you copied. Finally you type in your name and password into the provided fields in the card you created and a new direct login button appears in your Clipperz account (it even conveniently adds the website’s favicon/logo to the direct login link). It’s not all that difficult, or even time consuming, but it does take a couple times to get used to doing it, however once it is set up it’s super easy to use, just click on the direct login button and you are logged into the site.

Another very cool feature of this site is that you can download a read-only copy of your account to your computer. Then you can access all your data exactly as you would on their website, but it’s local so you don’t even need to be connected to the net to view your data. This is reassuring on many levels, it proves how the process works completely locally, it also means you don’t need to worry about their going out of business or shutting down or otherwise trying to hold your data hostage - at the very worst, you’ll have a local copy of all your data encrypted and accessible and you can have nothing more to do with their site if that’s what you want. It’s a great backup and a really nice touch on their part. Building their app so that it can work on your desktop w/out a backend server is remarkable.

I’m quite impressed with this service. They have a dedication to the technology, giving you access to all their javascript libraries (where they implement things like AES, which is the encryption algorithm). They make it easy to download and read, they tell you all the various other libraries they use and are just in general very transparent about pretty much all facets of their operation. While they haven’t gone and put a free software license on their code, at least they make their code available so that many eyes can review their security procedures.

The website itself looks good, the design is fairly clean and it’s quite easy to use once you get used to the basic concepts of the card and direct logins. I’m a little freaked out by the black and white photo of the baby they have in their logo, but that probably doesn’t have an effect on their security. I will admit that I still have a fear of completely trusting javascript - a fear which is based on absolutely nothing, but still lingers in my mind. I will probably be using this to maintain my login information for the variety of sites that require registration and move that out of my offline password database program (which I will also continue to use because it syncs to my treo). Because of my javascript paranoia, I wouldn’t store super sensitive information like my server passwords in Clipperz.

If you’re like me and have a ton of passwords you need to keep track of I’d definitely recommend investigating Clipperz to see if it looks like it’ll work for you. It’s a nice site and the security seems quite strong.
