Heartbleed status: Mitro is not affected

On April 7th, an extremely serious security flaw was found in OpenSSL, the library that is widely used to encrypt web traffic. Thankfully, Mitro encrypts all of your data in our browser extension, before it is sent to our web servers. While our web servers were vulnerable to this bug, any information that could have been obtained would have been encrypted. As a result: your data in Mitro was not at risk. However, as an additional layer of protection we updated our web servers immediately on April 7th, and are updating the SSL encryption key used to protect our web traffic. If you have any concerns, please contact us at security@mitro.co.

Not Secret App: Share accounts with Mitro Access

What happens when you make a Twitter account public, so anyone can use it to tweet, retweet, or follow others? To find out, we shared @notsecretapp using Mitro Access (you should try it). It's been available for a few hours, and already there have been some fun surprises. I like the self-tweet conversations:

[Image: NotSecretApp self-tweet conversation]

NotSecretApp is powered by Mitro Access, a new way to give people access to accounts without software. In this case we made the account public, but Mitro Access is really useful for sharing accounts with specific people for a limited time. For example, you can order lunch as a team on Seamless, let someone submit their own complicated equipment order on Amazon, or let a contractor edit your web site for a single day. It isn't quite ready for the public yet, but if you want to try it with your own accounts, sign up for our beta release and we'll let you know when you can try it.

Mitro for Android

Mitro for Android is now available, allowing you to log in to all your accounts while you are on the go. We decided to release this as early as we could because mobile apps are by far our number one feature request since our article in TechCrunch. Maybe this means we are Luddites because we knew mobile was important, but we underestimated how important. iOS is up next. It was our top request, but we already had the Android app mostly finished thanks to Peter Jasko, who wrote most of it during his internship with us this summer.
[Image: Mitro for Android app]
Mitro for Android lets you view and copy passwords, but doesn’t yet let you edit or share them with others. You’ll have to use Mitro on your desktop to create your account and to manage access.

We’ve been busy fixing bugs and making behind the scenes improvements based on user feedback. We’ll have some exciting new features to show you in the next few weeks.

Introducing Keyczar JS: Google Keyczar in Javascript

The short story: We are releasing Keyczar JS, an implementation of Google Keyczar in JavaScript. We use this in Mitro’s password manager, and welcome feedback or contributions. We are currently running some benchmarks comparing the performance of a few different Keyczar implementations, and our implementation in a few different browsers. Follow us on Twitter for updates (or subscribe to this blog, if you are one of the few who still does that).

The long story: Using encryption correctly is not easy. If you configure things incorrectly, it may be completely useless (e.g. XML encryption can be bypassed using a padding oracle attack because they made the MAC optional). As a result, when we designed our secure password manager for groups and enterprises, we wanted a library designed by experts to make it harder for us to screw up. In the end, there are two worth considering: NaCl by Daniel J. Bernstein (aka DJB), or Keyczar by Google. We chose Keyczar for three reasons: First, Google uses it (in the Google Play Store Android app amongst other areas). Second, other people we trust recommend it. Finally, it uses algorithms that have been standardized by NIST and are widely used (AES, RSA, HMAC). While this does not mean that they are more secure than DJB's algorithms used by NaCl (Curve25519, Salsa20, Poly1305), they are far more widely understood and studied.

Google provides Keyczar for Java, C++, and Python, and there are third-party implementations for Go and C#. Those are great server-side languages, but since Mitro’s user interface is a browser extension, we need it to work in Javascript. The Forge JavaScript crypto library includes the algorithms that Keyczar uses, so we thought it would be straightforward to implement Keyczar JS. However, there were three stumbling blocks that made it more complicated than expected:

  • Forge didn’t support RSA-OAEP, the encryption mode used by Keyczar, so we implemented it (we would love experts to review the implementation).
  • Keyczar keys are a set of JSON files in a directory. For use in JavaScript, we converted the directory to a JSON object, and wrote Java code to read and write this format. Sadly, Java Keyczar doesn’t make it easy to replace the key reading/writing code, so our implementation includes a few gross hacks. We are working on getting some changes upstream to make this easier.
  • Password-protected keys are supported by the C++ implementation, but not others, and the key format was not well documented. We had to reverse-engineer it by reading the source code. We have implemented support in JS and Java, and are working on getting these changes upstream. 

If you are looking for an easy-to-use JavaScript encryption library, we hope you will give Keyczar JS a try. Let us know what you think.