zinggi / nokey Goto Github PK

Yeah, please close this issue ;) I just wanted to say that I love this app and seeing there are no updates for 10 months now is heartbreaking. The app works amazingly well.
So far the only issues are:

• The only biggest issue is lack of vault support on android. It looks like you need to manually open app and manually copy password, this is so far the biggest issue. Would be great if I could use it as default vault app (like bitwarden) or another option is accessibility setting which also lets you fill in forms automatically.
• Ok, firefox browser extension sometimes glitches, so you click on the icon, but only tiny square shows up. Usually the issue goes away after a moment or browser restart. And is really rare.
• Ok, sometimes I click request and device I'm holding (android app) is not getting it... looks like some connection issue. The best way is to have app open already and refreshed before you make request. But works GREAT.
• The app is not always intuitive, for example I don't think it's stressed well enough that app works best with at least 3 devices. But again, once you setup it, it works amazingly well.

I'm really sad to not see this app having greater attention. It's really amazing.
I was adding new passwords one by one over long period of time (few months now), currently having around 40 of them, always was working great.

.xyz domain has trackers and is tracking everything that goes to and from your server as it seems.
This is a huge turn of if wanting to spread the app to users who don't have their own server.

Somehow the .apk is missing from the latest release tag. Could you please add it? Thanks in advance!

The web app crashes on Safari.
I don't know why and I don't have a mac to investigate.

Some websites that redirect stop working if nokey is installed.

Maybe body.onload is no longer called if my plugin already listens to window.onload?

I should probably use window.addEventListener("load",yourFunction,false) instead.

Hello,

I'm using Android 6.0.1 without Play services.

I tried to use NoKey 0.4 but it is stuck in the loader and I see this error in logcat:

06-16 14:21:20.413 26329 26329 I chromium: [INFO:CONSOLE(1)] "Uncaught SyntaxError: Unexpected token =>", source: https://nokey.xyz/bundle.js (1)

This might happen because my webview is too old (Chromium 44).

I assume if I lost a device, I would have to re-encrypt the whole key vault with a new key? Because if an adversary was to collect enough of my lost devices, they would be able to derive the key.

I don't see re-encryption mentioned in the README, does NoKey provide an easy way to re-encrypt the vault?

Like apg or master password.

The problem seems to be the content security policy, which doesn't allow inline scripts.

Solutions:

• Lower the CSP, as there shouldn't be any XSS vulnerabilities anyway.
  • Chrome makes this impossible
• Wait until elm 0.19 is released, as that will probably allow synchronous ports (it has to be synchronous, as the copy to clipboard command can only be executed if directly caused by user interaction)
• Give the button an id and check for dom modifications with js to listen for it to appear and attach an onclick handler then?
• custom elements?

https://discourse.elm-lang.org/t/how-to-use-the-synchronous-clipboard-api-without-native-code/878/11

The "Chose login" popup can overlap with other important UI elements, like the suggestions from chromes internal password manager.

Maybe the popup should only open every second click? Or have a close icon that closes the popup and makes it stay closed for a few seconds?
Or move it to some other place?

A newly opend popup stays blank, until we make a right click or resize the popup.

The submit login or submit sign up action isn't always detected.

As a consequence, the user isn't ask if they want to save the password..

It would probably be a good idea to detect a pageload or a pushUrl, as described here:
https://www.chromium.org/developers/design-documents/create-amazing-password-forms

The little icon on the right of an input field that gets displayed when NoKey recognizes an input field currently also appears on some fields that are clearly not a password input.

Hi!
Thanks for sharing this great tool!
I just tried it out. That's what my device list looks like:

As you can see the device "Fairphone" has a "no entry" icon. Does this mean anything? Or is it just randomly chosen? Either way I think it needs clarification.

Tasks (such as unlock 2 to move .. into ..) can become impossible, e.g. if we want to save something in a group of 3, but before it gets saved, we remove one device.
Now we have a task that can't be completed.

Possible solution: When removing, clear impossible tasks + impossible groups!

This also seems to happen on mobile chrome + firefox

Websites where the web extension doesn't work properly will be listed here...

• https://www.reddit.com/
  • The elements are properly detected, but reddit only accepts the username + password if it was entered manually. Related to #2

I wonder is this project is using some dependency that prevents it to compile to API 18 (Android 4.3+). I have an old device that I would love to use as a backup if it ran the android apk.

PS. I ask because I don't know how to check myself... :/

Hello,
Both the Firefox extension and webapp (when opened with Firefox) is not working.

For the extension it just shows a blank popup.

For the webapp it shows the following json:
{
"message": "",
"url": "",
"line": "",
"column": "",
"error": {},
"log": [],
"errors": [],
"nav": "Mozilla/5.0 (X11; FreeBSD amd64; rv:60.0) Gecko/20100101 Firefox/60.0"
}

This both happened in Firefox in Linux (Fedora) and Freebsd. I haven't tested with Firefox in Windows.

This happens in all text inputs in the extension.
This might be caused by https://github.com/elm-lang/virtual-dom/issues/107, but since the extension also communicates with the background worker, the extension seems to be affected more by this.

Only add site/open popup if we actually managed to submit the data.

I have no idea how to actually do this...

If we login to a site but haven't paired any devices yet, the popup still opens. But since we can't save the password yet, it's very annoying.

Pairing a device can fail if for some reason, the websocket is blocked on one device, but not the other.
In that case we can easily get into an inconsistent state.

Solving this problem completely is impossible, but we can do better than now.

All it would take is another round of acknowledgements, as this way the second one can't make it if the websocket of one device doesn't work

To reproduce:

• press unlock on some other device
• a popup opens on the extension
• ignore it and click on the icon
• wait

The popup now sometimes resizes...

Such as Dropbox, Google Drive, etc..
These can work like an additional device and also store a share. This way you can still use this password manager, even if you don't have any of your devices on you.

Problems:

• Dropbox access tokens don't expire. This means that if a device that is logged into Dropbox gets stolen, the thief gets 2 tokens.
• Google drive might be possible: They seem to have a somewhat not documented method that forces users to re enter their password. They also make sure a user can't access the application storage.
• Facebook seems to do it right, but it's not clear if the Facebook Api could be used for this application..
• OneDrive might work, as they provide a logout api. They also have a prompt=login option. However, since the app folder isn't hidden from the user, a clever thief can still get to the secret token if the user is logged in.
• Github secret gist Api might work, as they also allow http basic auth. However, this doesn't completely solve the problem, as a user might still be logged into Github, so a thief could go to gist.github.com and get an additional token. This would only work if the user creates a different account than their normal account and makes sure they are never logged into this account...

Conclusion

The Google Drive Api seems to be the only one that fulfills all requirements:

• Prompt for password even if the user is already logged into Google.
• Revoke access by user request.
• Prevent access to application files outside of the app.

The last requirement isn't necessary, if we can forcefully log out a user.
For this reason both OneDrive and Github might work too.

Alternative

Instead of relying on the security of Dropbox and similar, we could instead handle it ourself.
This way all the above options become reasonable, but they would only be used as an additional storage to sync our data, not to actually store any additional shares.

For this to work, we would have to allow the user to create new shares and encrypt them using a password that has to be remembered.
This of course requires some competence of users, as they have to choose a strong password for these additional shares!

Possible solution:
Try to simulate keypress etc. as done here.

Maybe this is enough?

Since this tool is dealing with very sensitive data, I'd like to see more documentation details on the other security measures apart from the group password.

Eg.

• Where does my private/public key pair come from?
• How do you verify a public key? Is there anything like certificates in action?
• How are passwords propagated and stored?
• What data exactly flows through the server?
• How could I setup and use my own server?