Online vault browser and cache security
With the outrageous incompetence of LastPass storing user data in plaintext (so glad to be here!) it made me question how the online vault viewer works.
I understand SRP secures the login. Once my vault is unlocked, does the server have access to unencrypted data to transmit to my browser for viewing? I’d also imagine usual response caching and indexing for the search box— how are those data stored? And when does it get wiped?
Last question: previously saved vault item data only appears online; is that stored in the vault or elsewhere?
1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Browser: Not Provided
Comments
Hi there @pistachiomatt
> Once my vault is unlocked, does the server have access to unencrypted data to transmit to my browser for viewing?
No. All decryption is done locally. Your browser fetches your 1Password data in encrypted form, which is then decrypted on your device.
> I’d also imagine usual response caching and indexing for the search box— how are those data stored?
They're not stored. All searching is done on the local data too, just like decryption. When you close the tab, it's gone.
> Last question: previously saved vault item data only appears online; is that stored in the vault or elsewhere?
We save all previous versions of an item within the structure of the item itself, a bit like how modern word processors can save a revision history of a document, and you can go back to those previous versions.
I hope that answers everything, but if you have any follow-up questions or would like any more detail, do let me know. :)
— Grey
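The model described in the reply above (the server holds only ciphertext, the browser decrypts and searches locally), as an added sketch that is not part of the original thread and is not 1Password's code. The key derivation (PBKDF2), the cipher (AES-GCM), the item format and all function names are assumptions made for this illustration.

```javascript
// Added illustration, NOT 1Password's implementation. PBKDF2, AES-GCM and the
// item format are assumptions; all sample values are constructed.
const wc = globalThis.crypto ?? require("node:crypto").webcrypto;
const enc = new TextEncoder(), dec = new TextDecoder();

// Client: derive a non-extractable vault key. The secret never leaves the device.
async function deriveKey(secret, salt) {
  const base = await wc.subtle.importKey("raw", enc.encode(secret), "PBKDF2", false, ["deriveKey"]);
  return wc.subtle.deriveKey(
    { name: "PBKDF2", salt, iterations: 100000, hash: "SHA-256" },
    base, { name: "AES-GCM", length: 256 }, false, ["encrypt", "decrypt"]);
}

// Client: encrypt one item before upload, so the server stores only { iv, ct }.
async function sealItem(key, item) {
  const iv = wc.getRandomValues(new Uint8Array(12));
  const ct = await wc.subtle.encrypt({ name: "AES-GCM", iv }, key, enc.encode(JSON.stringify(item)));
  return { iv, ct: new Uint8Array(ct) };
}

// Client: decrypt fetched blobs into memory only (nothing is written to storage).
async function openVault(key, blobs) {
  return Promise.all(blobs.map(async ({ iv, ct }) =>
    JSON.parse(dec.decode(await wc.subtle.decrypt({ name: "AES-GCM", iv }, key, ct)))));
}

// Client: search runs over the decrypted in-memory items; no query reaches the server.
function search(items, query) {
  const needle = query.toLowerCase();
  return items.filter((it) => it.title.toLowerCase().includes(needle));
}

// Constructed demo: the "server" is an array that only ever receives opaque blobs.
async function demo() {
  const salt = wc.getRandomValues(new Uint8Array(16));
  const key = await deriveKey("constructed-demo-secret", salt);
  const server = await Promise.all([
    { title: "Example Bank", password: "constructed-1" },
    { title: "Example Mail", password: "constructed-2" },
  ].map((it) => sealItem(key, it)));
  const serverSeesPlaintext = server.some((b) => dec.decode(b.ct).includes("Example"));
  const hits = search(await openVault(key, server), "bank");
  const wrongKey = await deriveKey("wrong-secret", salt);
  // AES-GCM is authenticated: a wrong key makes decryption reject, not return garbage.
  const wrongKeyFails = await openVault(wrongKey, server).then(() => false, () => true);
  return { serverSeesPlaintext, hits, wrongKeyFails };
}
```

Because the key is non-extractable and the decrypted items live only in page memory, closing the tab discards both.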