Greetings,
For reasons of my own, I'm looking to replace KeePass. I was recommended Buttercup and after some testing with junk data I decided a proper test would be to import my YEARS worth of history from KeePass and give Buttercup a try for a while as my primary.
I instantly regretted it. To my horror, icons started to appear associated with URL domains. Which means my password application IS TALKING TO THE INTERNET WITHOUT MY EXPLICIT PERMISSION! WTF else is it talking to on the network that it isn't telling me about???
Even WORSE I have sites that I no longer associate with, but still have accounts listed in my KeePass. Please please PLEASE tell me that the icons came from some general icon website and that Buttercup did not just query the sites directly. Please tell me that this app didn't just query websites that I no longer wish to be associated with from my home IP WITHOUT MY EXPRESS PERMISSION!
A password vault is supposed to keep my information safe. Not blab freely on the internet!
How do I disable the auto-loading of icons (and/or disabling of any other kind of internet access without my explicit permission)?
Thanks.
Hi @cstackpole,
First of all, Buttercup only makes network connections (currently) for the following items:
No personal information is sent with any request. We do look for icons at the domains that you've stored, yes.
I'm sorry if this functionality makes you feel less secure - we wouldn't have implemented it if we felt there was a risk of exposure - but this way has been terribly effective in producing icons without needing loads of infrastructure behind us to support such a small feature.
Having a dedicated server to query for icons _does_ sound appealing, and is probably something we'll look into in the coming weeks.
EDIT: Configuration & Settings per user is also something we've had planned, but just not the bandwidth to complete. This could be disabled there as well, if it were integrated.
@perry-mitchell A proxy for downloading the icons doesn't sound so bad. It certainly makes things easier. We should also look into settings... we can add a setting item for enabling/disabling it, so when we add the settings UI, the user can turn it off perhaps?
Greetings,
Thank you for the responses.
I saw nothing in the documentation that says anything about network communication. Talking on the network without my permission is not at all what I expect my password manager to do. In my case, it's just embarrassing that I now have my IP associated with old issues. If I had experienced the misfortune of opening it on my company network, I could have been dealing with HR or legal. Having done work with the tor project and people in countries where privacy is an absolute or death - this password manager would have just outted them. There are a plethora of reasons why people might have accounts on a site that they don't want to be associated with and a warning should really be required for anything the might jeopardize my privacy by an application that supposed to help my keep things private!
A fancy icon is not at all worth the cost for my privacy. Doesn't even come close. This should be an opt-in by default; not an opt-out after the damage is done.
Thanks.
I agree and believe that your expectations are reasonable @cstackpole - I've created buttercup/roadmap#2 in light of this discussion. Thanks.
Depends on #140
@perry-mitchell We can understand that you are beginner in security and privacy, and maybe you only intend this app for personal use but if you would like your app to be used by businesses and enterprises it would be worth considering placing this functionality behind a setting. This isn't a chat app going to gravatar -- it's a password manager unexpectedly reaching out to banking websites, health insurance websites, internal company resources, etc.
I've already verified basic auth credentials are not used when adding a URL like http://username:[email protected]/ (no requests are made) however the app does make requests with query string params included. If you start up a local server with python -m http.server you can see this happen.
127.0.0.1 - - [30/Nov/2018 14:25:15] code 404, message File not found
127.0.0.1 - - [30/Nov/2018 14:25:15] "GET /users/1/lock?api_token=d41d8cd98f00b204e9800998ecf8427e HTTP/1.1" 404 -
127.0.0.1 - - [30/Nov/2018 14:25:15] code 404, message File not found
127.0.0.1 - - [30/Nov/2018 14:25:15] "GET /users/1/lock?api_token=d41d8cd98f00b204e9800998ecf8427e HTTP/1.1" 404 -
127.0.0.1 - - [30/Nov/2018 14:25:15] code 404, message File not found
127.0.0.1 - - [30/Nov/2018 14:25:15] "GET /favicon.ico HTTP/1.1" 404 -
Icons are a nice, expected feature but it looks like you should get some outside help on this.
A more simple way could be to just ask every time...
Do you want to download the icon for this url? YES | NO
We can understand that you are beginner in security and privacy
Not a beginner, no.
maybe you only intend this app for personal use
No, we intend it to be used in businesses as well.
This isn't a chat app going to gravatar -- it's a password manager unexpectedly reaching out to banking websites, health insurance websites, internal company resources, etc.
We're aware of this and the security implications. We have stated several times that we're going to change this. We don't have time to address every single issue immediately. We'll definitely clean this up when we can - all contributions are appreciated and we'd hope that others might lend a hand with such items.
EDIT: Maybe in the mean time we could start by requesting icons only from the root domain. Next (better) step would be to use some kind of lookup without making requests from the users machine to the service.
Do you want to download the icon for this url? YES | NO
@jenstornell I understand the thought behind this, but it might be troublesome if you have many 10s or hundreds of entries.
I've added a small checkbox to my preferences PR. That was the quickest solution I could find.
@ph1p I think that checkbox can be removed... We have changed the way icons work in the latest PR #744
@ph1p I think that checkbox can be removed... We have changed the way icons work in the latest PR #744
Alrighty
@perry-mitchell @ph1p thank for the latest updated. How does this new icon management works? I did not find much info in PR #744.
is there any way that we can request the icon of an entry manually? Something like an "Get Icon" button or something else?
@Ricain The new icon library is a transitional upgrade.. so there's a collection of some more popular sites' icons stored locally, and that's it. No requests, so security implications. We'll upgrade it later to provide a more flexible system of icon management - one that will most likely request them from our servers (no logs kept).
@julianpoemp Currently no, but that's a great idea!
Having so many entries now - all with the same "none" icon - is very annoying I have to say.
So the option to manually GET the icon from the referring URL would be absolutely winning.
@nickbe We have an icon fetcher which was used for this in the past. It could be added again and mentioned in the options so that it could be enabled so that icons are fetched. I for one would also enjoy this functionality.
Yes please! Just add a little "get Icon from site" button. So it stays optional but is only one click away from doing its thing.
(I wonder: Why would I store a passwort from a site I don't trust enough to fetch a favicon from when I have to actually open the site and do something for which I need a password manager in the first place. May it's just me asking stupid questions - but this sounds a lot like tinfoil hat people to me)
@nickbe
There are all kinds of reasons for why I don't want my IP associated with a site. I personally still have the login/pass to many sites that I no longer am involved in. I don't want to dump them in case I need them, but at the same time some of those sites have gone....astray....and I would rather not have my ip show up in any ones log file simply because I opened my password manager.
As I mentioned earlier, once upon a time I did work with the tor project (for clarity sake, no longer associated in any way except as a financial supporter and occasional user at this point). If the password manager starts blabbing on a monitored network to a site in a restricted country, that could have extremely negative (and potentially deadly) consequences. Any of the highly publicized whistle-blowers could have been in deep trouble for a network leak like that. One last example of personal experience, I was heavily involved in a cyber-security team at a past job...I REALLY don't want to be associated with some of those sites if I'm not connected through tor and under some greater entity's legal protection! For the record, I did keep a separate password vault for that job - as I do for all my jobs - and I long ago ditched those accounts because I don't want to be associated with those sites. But it could have been bad news if my home IP randomly connects to one of those sites simply because I opened my password manager.
My point, for which I am very grateful that it was addressed by the developers, was that my password manager shouldn't connect to sites unless I explicitly allow it to do so. I think having a button to "get Icon from site" would be good since it would be user controlled and initiated. But at no time do I want it reaching out to sites without telling me.
My opinion anyway. :-)
Sounds reasonable of course. Didn't think of country specific restrictions or suchlike.
Thanks for clearing this :)
instead of a button that consumes space on the GUI there could be two menu items: 1) "Refresh all icons" and "Refresh icon from selected". These menu entries could be in the context menu, too.
For people who want to refresh the icons automatically there could be an option in the settings, named "automatically refresh icons" or something like that.
That are just suggestions, I'm fine with an easy "get icon" button, too :)
Maybe we can add a new tab or something else to the "Preferences window" (https://github.com/buttercup/buttercup-desktop/pull/882) with an editable domain black list and a checkbox that is disabled by default to turn the icon feature on and off.
The easier the better. For me a context menu item on the icon would be good enough.
Let's keep this going in #886 - This issue is long-dead.
As mentioned in #886 - the fetching of icons will be controllable via the options dialog which is soon to land. Default for this feature will probably be on.
Most helpful comment
I agree and believe that your expectations are reasonable @cstackpole - I've created buttercup/roadmap#2 in light of this discussion. Thanks.