Mar 1, 2011

Content Security Policy (CSP) implemented on LastPass.com -- the beginning of the end of bookmarklets?

If you're using Firefox 4, you now gain the additional protection afforded by CSP (Content Security Policy) on LastPass.com.

This is a big step forward in protection against Cross-Site Scripting (XSS), and potentially other browser-based attacks. Even if an injection did occur, each page's policy controls exactly which origins it can load content from and send data to, which cuts off most of the channels an injected script would use to leak data.

This has been eye-opening as we've implemented it. CSP has a reporting mechanism built in (the report-uri directive), so you can see exactly which requests are being blocked and why. We've already seen over a dozen unique bookmarklets caught in our CSP blocking net.
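To show what that reporting data looks like once it reaches a report-uri endpoint, here is an added Python example (editorial code, not LastPass's csp_report.php) that parses a constructed batch of violation reports and separates external script loads, the signature of a bookmarklet, from inline-script and other violations. The field names follow the later standardised csp-report JSON layout; Firefox 4's original report format used different keys, and the sample reports, hosts and URLs below are made up.

```python
"""Triage CSP violation reports the way a report-uri endpoint would see them."""
import json
from collections import Counter
from typing import Optional
from urllib.parse import urlparse


def _report(directive: str, blocked: str) -> str:
    """Build one constructed report body in the {"csp-report": {...}} layout (assumed format)."""
    return json.dumps({"csp-report": {
        "document-uri": "https://lastpass.com/",
        "violated-directive": directive,
        "blocked-uri": blocked,
    }})


# Constructed sample batch: three external scripts from two hosts, one inline-script
# violation, one third-party image, and two bodies that are not valid reports at all.
SAMPLE_REPORTS = [
    _report("script-src 'self'", "https://bookmarklet.example/loader.js"),
    _report("script-src 'self'", "http://bookmarklet.example/loader.js"),
    _report("script-src 'self'", "https://another-tool.example/bm.js"),
    _report("script-src 'self'", "self"),
    _report("img-src 'self'", "https://cdn.example/pixel.gif"),
    '{"oops": true}',
    "not json at all",
]


def parse_report(body: str) -> Optional[dict]:
    """Parse one report body; reject anything that is not a well-formed csp-report object."""
    try:
        report = json.loads(body)["csp-report"]
    except (ValueError, KeyError, TypeError):
        return None
    return report if isinstance(report, dict) else None


def classify(report: dict) -> str:
    """Bucket a report by what was blocked, using only blocked-uri and the directive name."""
    blocked = str(report.get("blocked-uri", ""))
    parts = str(report.get("violated-directive", "")).split()
    directive = parts[0] if parts else "unknown"
    # Browsers report inline script/eval with a placeholder instead of a URL.
    if blocked in ("", "self", "inline", "eval"):
        return "inline-or-eval"        # injected inline code, or the site's own inline JS
    if blocked == "data" or blocked.startswith("data:"):
        return "data-uri"
    if urlparse(blocked).hostname is None:
        return "unknown"
    if directive == "script-src":
        return "external-script"       # a bookmarklet or an injected <script src=...>
    return "external-resource"         # image, object, frame, etc. from an unlisted host


def triage(bodies: list) -> dict:
    """Summarise a batch: counts per class plus the distinct hosts loading external scripts."""
    counts = Counter()
    script_hosts = set()
    malformed = 0
    for body in bodies:
        report = parse_report(body)
        if report is None:
            malformed += 1
            continue
        kind = classify(report)
        counts[kind] += 1
        if kind == "external-script":
            script_hosts.add(urlparse(str(report["blocked-uri"])).hostname)
    return {"counts": dict(counts), "malformed": malformed, "script_hosts": sorted(script_hosts)}


if __name__ == "__main__":
    print(triage(SAMPLE_REPORTS))
```

Whatever the exact format, reports are client-supplied input: anyone can POST arbitrary JSON to the endpoint, so cap the body size, never render report fields into a page unescaped, and treat a report as a lead to investigate rather than proof of an attack or of a vulnerability.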

Does this mean the end of bookmarklets? Any site with sensitive data will ultimately implement CSP, making even our own bookmarklet for logging in obsolete. Now is the time to start asking browser vendors to support user overrides to CSP so that your favorite bookmarklets keep working everywhere.

Today, CSP is only enforced in Firefox 4, but the LastPass extension should provide similar protection on a number of other browsers in our next release.

We haven't fully locked down our CSP yet: today every page on LastPass.com is allowed to talk to anything on LastPass.com, but soon we'll tighten this so that https://LastPass.com/?securitychallenge=1 can ONLY talk to https://LastPass.com/?securitychallenge=1, which will be another big step forward. One caveat for anyone planning the same thing: CSP source expressions match on scheme, host and port, not on paths or query strings, so in practice this means serving each page its own policy that names only the origins it needs.
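As an added illustration of what the policy quoted in the comments below does and does not block (editorial example code, not LastPass's own), the following Python script parses the legacy X-Content-Security-Policy syntax used by Firefox 4 and tries a few constructed resource loads against it, once as published and once with the options directive removed. The document origin, the sample URLs and the tightened policy are assumptions made here.

```python
"""Evaluate a legacy X-Content-Security-Policy string against sample resource loads."""
from urllib.parse import urlparse

DOCUMENT_ORIGIN = "https://lastpass.com"   # assumed origin of the page carrying the policy

# Header as quoted by LastPass in the comments on this post. Firefox 4 syntax:
# 'allow' is the default directive, 'options' re-enables inline script and eval.
LASTPASS_POLICY = (
    "allow 'self'; "
    "img-src 'self' data: http://www.google-analytics.com https://ssl.google-analytics.com "
    "https://www.google-analytics.com; "
    "object-src 'self' http://*.youtube.com http://*.ytimg.com http://www.google.com; "
    "options inline-script eval-script; "
    "report-uri /csp_report.php"
)

# Same policy with 'options' dropped: an assumed tightened version, not one LastPass published.
TIGHTENED_POLICY = LASTPASS_POLICY.replace("options inline-script eval-script; ", "")


def parse_policy(header: str) -> dict:
    """Split 'name src src; name src' into {name: [sources]}; a repeated directive is ignored."""
    policy = {}
    for clause in header.split(";"):
        parts = clause.split()
        if parts and parts[0].lower() not in policy:
            policy[parts[0].lower()] = parts[1:]
    return policy


def _origin(url: str) -> tuple:
    """(scheme, host, port) of a URL, filling in the default port for http/https."""
    u = urlparse(url)
    default_port = {"http": 80, "https": 443}.get(u.scheme)
    return u.scheme, u.hostname, u.port or default_port


def source_matches(source: str, url: str) -> bool:
    """Match one legacy source expression against a URL (scheme, host and port only;
    the Firefox 4 syntax had no path matching)."""
    if source == "'none'":
        return False
    if source == "'self'":
        return _origin(url) == _origin(DOCUMENT_ORIGIN)
    if source.endswith(":"):                      # scheme-only source such as data:
        return url.startswith(source)
    if "://" not in source:                       # bare host inherits the document's scheme
        source = f"{_origin(DOCUMENT_ORIGIN)[0]}://{source}"
    scheme, host, port = _origin(url)
    src_scheme, src_host, src_port = _origin(source)
    if host is None or src_scheme != scheme or src_port != port:
        return False
    if src_host.startswith("*."):
        return host.endswith(src_host[1:])        # *.youtube.com matches www.youtube.com
    return src_host == host


def load_allowed(policy: dict, directive: str, url: str) -> bool:
    """Is loading `url` under `directive` (script-src, img-src, xhr-src, ...) permitted?
    Directives absent from the policy fall back to the legacy 'allow' default."""
    sources = policy.get(directive, policy.get("allow", ["'none'"]))
    return any(source_matches(s, url) for s in sources)


def inline_script_allowed(policy: dict) -> bool:
    """Legacy CSP blocks inline <script> and event handlers unless options inline-script is set."""
    return "inline-script" in policy.get("options", [])


def assess(header: str) -> dict:
    """Try the loads an injected script or bookmarklet would attempt (constructed sample URLs)."""
    policy = parse_policy(header)
    return {
        # external script, the way a bookmarklet or a <script src> injection loads its code
        "bookmarklet_script": load_allowed(policy, "script-src", "https://bookmarklet.example/loader.js"),
        # inline payload, the common shape of a reflected XSS
        "inline_script": inline_script_allowed(policy),
        # XHR exfiltration to an attacker-controlled host
        "xhr_to_attacker": load_allowed(policy, "xhr-src", "https://attacker.example/collect"),
        # image beacon to an allowed third party: the query string can carry stolen data
        "img_to_analytics": load_allowed(policy, "img-src",
                                         "https://www.google-analytics.com/__utm.gif?utmp=secret"),
        "youtube_embed": load_allowed(policy, "object-src", "http://www.youtube.com/v/abc"),
    }


if __name__ == "__main__":
    for name, header in (("as published", LASTPASS_POLICY), ("options removed", TIGHTENED_POLICY)):
        print(name, assess(header))
```

The line to watch is inline_script: with options inline-script in place, a reflected XSS payload still executes, and the policy only limits where the resulting script can load from and send to. Every third-party host in the allow list, the analytics hosts here, remains a destination an injected script can reach with data encoded in a query string, so the allow list is part of the attack surface, not just a compatibility list.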

13 comments:

  1. I'm interested to know more about how this is implemented by LastPass.

  2. If you have access to the headers you can see it.

    On our homepage it looks like this right now:

    X-Content-Security-Policy: allow 'self'; img-src 'self' data: http://www.google-analytics.com https://ssl.google-analytics.com https://www.google-analytics.com; object-src 'self' http://*.youtube.com http://*.ytimg.com http://www.google.com; options inline-script eval-script; report-uri /csp_report.php

    which we're still locking down and reducing.

  3. I won't miss bookmarklets if they are made obsolete. Especially if it means a more secure product.

  4. Hey Joe,

    Is there anything we need to do to update our LastPass vault or extensions? Or is this pushed out to all users by LastPass? Thanks.

  5. There's nothing you need to update as an end user, this is all server-side.

  6. Hi Joe,

    Can you reply to the following assertion made by Mike.

    "Of course, the holy grail would be fetching the list of sites along with their usernames and passwords. I didn't achieve this, but I'm convinced it can be done." "Even if you don't have the plugin installed, your browser somehow manages to decrypt and display them to you."

    I disabled the plugin, restarted Firefox. Went to https://lastpass.com/, signed in, clicked edit on a website.

    When I clicked "edit", the HTML which was fetched contained the encrypted versions of my username, and password.

    Some JavaScript, then decrypted the username before displaying it to me. When I clicked "Show" next to the password, that was also decrypted and shown in plain text.

    Given the fact that this data was decrypted by my client-side JavaScript, without the plugin installed, I stand by my comment that I am "convinced".

    If LastPass do decide to address this XSS publicly, I'd suggest people ask them about the possibility of XSS attacks being used to steal credentials.

  7. WOW, my comment regarding mike disappeared

    @Anonymous (and anyone) If your comment immediately disappears it's because Blogger (our host) has marked it as spam -- you can email support@lastpass.com and we'll restore it, like we've restored yours.

    To answer the assertion the XSS and the decryption key have to be in the same place at the same time. So if you take Mike's example -- if you did an XSS, and then on that XSS page you entered your username and password you would then have all the elements you would need to take this further.

    Is that practical? No. Getting someone to type their LastPass master password into an iframe'd version of LastPass.com when they weren't going to LastPass to begin with, the domain name at the top is wrong, and they ended up there because they were visiting a nefarious site would set off just about anyone's alarm bells many times over.

    The username and password are required because your encryption key is not with your session -- we at LastPass don't have it. Your session just gets you access to the data Mike got.

    We've feared a 'persistent' XSS more than any other threat -- a persistent XSS means it sticks around in our database and is a far more dangerous attack. It's more dangerous because it could potentially be on a page that has your encryption key. It'd also be a lot harder to pull off: It'd require something like what Mike found, and on top of that something even harder -- a persistent XSS request that we would play back to the user at the right time.

    So while I'd say that nearly any XSS would be of limited impact, there is that outside chance and that's why we've dropped everything to focus on CSP for Firefox 4, and adding something like it to all our browser extensions. This renders even the very low potential threat of a persistent XSS useless: any data that was gathered can't leave the page.

  9. I'm a paying customer and love your product, but I'll ask what many people have already asked in forums at great length - how about an independent security audit?

  10. > "I'm a paying customer and love your product, but I'll ask what many people have already asked in forums at great length - how about an independent security audit?"

    +1 from another paying customer.

  11. There is one underway right now.

  12. I'm a big fan of bookmarklets because they are cross-platform, there when you want them and not there consuming precious resources when you don't. Then again, security is more important.
