Lastpass not using certificate pinning, wut?
It seems that Lastpass are not using certificate pinning for the webapp or desktop app. Discovered this today kinda by accident, but now realise it leaked my password to my corporate overloads.
This fundamentally undermines all of the security that Lastpass have implemented.
8 comments
[ 4970 ms ] story [ 1476 ms ] threadMy suggestion is to use KeePass and store your database in a zero-knowledge, self-hosted cloud with end-to-end encryption (and also secure it with an offline private key).
If setting up that cloud storage sounds like too much trouble, SpiderOak is a good centralized, zero-knowledge service.