this post was submitted on 15 Aug 2024
19 points (88.0% liked)

Proton

4992 readers
197 users here now

Empowering you to choose a better internet where privacy is the default. Protect yourself online with Proton Mail, Proton VPN, Proton Calendar, Proton Drive. Proton Pass and SimpleLogin.

Proton Mail is the world's largest secure email provider. Swiss, end-to-end encrypted, private, and free.

Proton VPN is the world’s only open-source, publicly audited, unlimited and free VPN. Swiss-based, no-ads, and no-logs.

Proton Calendar is the world's first end-to-end encrypted calendar that allows you to keep your life private.

Proton Drive is a free end-to-end encrypted cloud storage that allows you to securely backup and share your files. It's open source, publicly audited, and Swiss-based.

Proton Pass Proton Pass is a free and open-source password manager which brings a higher level of security with rigorous end-to-end encryption of all data (including usernames, URLs, notes, and more) and email alias support.

SimpleLogin lets you send and receive emails anonymously via easily-generated unique email aliases.

founded 1 year ago
MODERATORS
ProtonPrivacy@lemmy.world
alex_herrero@lemmy.world
Nelizea@lemmy.world
19
Serious flaw in critical applications: Plaintext passwords in process memory, is this a problem for proton too? (www.heise.de)
submitted 4 weeks ago by EmperorHenry@infosec.pub to c/protonprivacy@lemmy.world
2 comments fedilink hide all child comments
 

cross-posted from: https://zerobytes.monster/post/2458702

The original post: /r/mullvadvpn by /u/Imaginary_Dot5703 on 2024-08-14 05:20:49.
you are viewing a single comment's thread
view the rest of the comments
[–] Nelizea@lemmy.world 13 points 4 weeks ago

Regarding password managers:

All password managers keep data unencrypted in memory. You can't encrypt the data in memory because then the application cannot use the data while it is running. It's an universal issue for password managers, and not something that can be fixed.

While you can obfuscate the data, this is really security theater, because it is trivial to reverse engineer the obfuscation. In the future, Proton Pass may also obfuscate, but it doesn't actually add any security.

If you enable PIN lock, the data is encrypted locally and cleared from memory when the PIN lock is activated. The security benefit of this in the case of a compromised device is likely marginal, as malware on a device would be able to key log the pin and bypass it in that manner. However, PIN lock can be desirable on a shared device (although somebody with access to the shared device could also install a keylogger...).

In the previous version of Proton Pass, after the PIN lock, it can take up to 30 minutes to clear data from memory, while the new version clears it immediately. It was previously immediate, but a code regression set it back to up to 30 minutes, but this has now been fixed. In general, for the reasons previously explained, we would not advise people to rely upon the PIN to secure against malware or shared devices, and that's why PIN is not enabled by default, as the security benefit is likely marginal.

By the way, to even take advantage of this, somebody would need to have access to the device and the ability to access the device memory, in which case the PIN is not going to be effective because the device is already compromised. Unfortunately protecting against this type of device compromise is beyond the scope of Proton Pass (or any other password manager).

https://www.reddit.com/r/ProtonPass/comments/16mk5dr/proton_pass_login_data_is_stored_unencrypted_in/k1dxdlc/