Comments
How could you possibly want your users to have trust in your application if you don't even open source it? As soon as you start handling sensitive data and encrypting it, your code has to be essentially bulletproof. There is hardly a better way to have your code peer-reviewed and checked for security holes than to open source it.
Please note that I am not implying at all that you can't manage to ensure the safety of your users' credentials. You've already come up with something pretty cool. However, history has shown way too many times that exposing security flaws isn't all too hard of a task, let alone if the code is closed-source (WHMCS & SolusVM to quote only two).
If you decide not to disclose the source code, then your users might just as well give their credentials to anyone, even to a Nigerian prince, and it wouldn't be more or less secure than having them stored in your application. I hope that you get my point - security and its implementation into software is worth nothing if it isn't properly peer-reviewable.
With that being said, if you plan to make a commercial usage out of your app, then make it a true service with paid plans. Believe me - rather than getting a VPS and installing everything by themselves, users will find it much more convenient to pay. They will then be able to rely on your service, and most importantly its backend: the servers, that should hopefully be stable, secure, and supervised by you and/or a team of professional admins.
I have a similar script made to track my VPSes, but it works via API calls to Google Docs/AppSpot, UptimeRobot and Solus. After the Solus hacks, many stopped access to the Solus API, so part of it is crippled and I never got time to fix it.
This is much wanted for many, but as a hosted version can't gain trust...
Storing key sign-in information for multiple servers in one place, online, using a script from someone with no verifiable history in this kind of thing and no independent validation of the code or how secure it is. WTF, just no.
General question: would entering your password into such a site put you in breach of a provider's T&Cs?
Some providers do the same when entering clients' data into Harzem's FraudRecord.
Guys, like I have mentioned multiple times in this thread, the passwords are encrypted using your passphrase in the browser itself, and you are more than welcome to verify that the raw passwords don't get sent to the server by whatever method (examine the server POST data, check the client-side source that I haven't even minified or encrypted).
That being said, I made this not because I wanted to make a profit or something, I made it so that I could give something back to the community, but as I have seen multiple times before (with zpanel and other things), most of this community likes to rant about how free things suck. This totally makes me think twice about doing anything for the community. I would probably not even have made it public if it weren't for some co-workers that wanted it to be public, and I'm glad they are making the best out of it. I have contributed to a lot of open source projects, but I cannot open source this; some things are just not meant to be open sourced.
Anyways, the password is not even the only thing that you can store on the site. Passwords are totally optional, and if you don't trust it, you can leave them empty. Think of it more as a password manager with other functions, not just a plain password manager.
So, TL;DR is: use it if you trust it (and feel free to ask me for help if you need help verifying that passwords are never actually stored raw), don't use it if you don't. I saw a lot of sign-ups overnight and a good percentage of them actually using it, so I'm glad it isn't being totally wasted.
I find it hard to believe that people would wanna put their passwords on a web-storing-passwords website even if it sounds secure.
For you guys who complain about the password issue, you still get a good chunk of benefit from the service without giving up your passwords. I use LastPass, and can pair that up with this service for a good combo.
If you're using PHP, you might wanna take a look at http://www.php.net/manual/en/function.password-hash.php
I must say this is cool, would you be able to offer something which can be installed on other servers instead of using your hosted version?
I love the idea. I'm using the same idea on my server.
Made from a free Journal Script. Not that fancy but decent.
I don't even want to think about what will happen if a hacker gets in. Good work! But not sure how many will trust storing their data on it :) For internal use it is OK, but for multiple groups :) if a hacker gets in, how many things will be hacked :D
Agree with him :) Maybe licensed software which we can use on our own end.
Would you guys be interested in a self-hosted version if there was a one-time license fee that included installation and support? If there is enough interest, I'll work on modifying things to make that happen. Let me know.
Love it, but I got lowend diseases.
Sounds good; as long as you provide ongoing support, a one-time fee wouldn't be a bad option.
Not sure people are interested in this kind of service; it's a good idea and a nice interface.
But I prefer something that I can fully control by myself. Trust and encryption are two different things.
Sounds like you've made a lot of effort to cover all the bases, and that you know what you're doing. I wouldn't use an external service like this simply because it adds another point of failure into any existing system. You'll have a hard time explaining how it's quite safe RE: your password encryption, as it seems you've already reiterated it a few times in this thread.
Great product. But I'd like to host this locally in my office. Not publicly.
Are you storing the hash of the users client side private key?
Yes, originally I was using just plain MD5, but after taking suggestions from some LET members, I switched it to SHA-3 512 and enabled salt as well. It is just used to make sure the client uses the same passphrase everywhere so that one passphrase can be used to decrypt everything. All the checking is done on the client side so the actual passphrase never gets to the server.
I'm confident that people definitely will be interested in that, but trust remains a problem if you make it check licenses using a master server.
Any kind of data (passwords) could be transmitted to that master server if the source code is encrypted. This wouldn't solve the trust issues people are having.
The problem with not using a master server to check licenses is that people will leak the code. So that is going to be another problem.
I hate being the guy that points these things out, but someone has to do it.
On top of that, I can understand that you do not want to make this open source.
You probably invested money into the design and a lot of time getting things working. But your script is going to be handling sensitive data which requires a high level of trust; I think that there isn't much of a choice here.
EDIT: Fixed grammar
I totally understand your point. For that reason, I am planning on licensing it out with a one-time fee, and have no licensing check mechanism or anything like that. There will be legal bindings, however, that will prevent the purchaser from redistributing it. Might not work, but with an application that requires a high level of security, not all things work perfectly. I recently worked on an enterprise-level application which would store some crucial client information, and even though it was all encrypted and secure, they still wanted it to be deployed privately on their own infrastructure instead of a public cloud (Amazon EC2 was our first choice), so people not wanting their information on someone else's server totally makes sense.
@ksubedi
Are you available to work on other projects too, or do you only work for Nexim?
Got a project in the works that needs a talented developer
I am currently working for Nexim and another web development company (full time), but I am available for freelance work. Feel free to send me an NDA or details about the project to kaushal [at] wireshock.com
Decryption is client side as well? Or are you using the SHA server side?
Yeap, decryption is client side as well; it uses the CryptoJS library for encryption/decryption. Basically the server will only handle the storage, the rest is done on the client side.
Yay, do it like Mt. Gox, and after a while lots of hacked boxes get added to botnets and there's a larger DDoS for everyone.
That doesn't make sense, or at least I don't get it :P
Let me explain this: when you put a lot of secure data on one server, more bad guys are interested in it. So basically it's a bad idea, and worse when someone finds a security hole to steal everything. So it's better to keep everything at home and split up.