Lastpass not using certificate pinning, wut?

4 points by johnflan ↗ HN
It seems that Lastpass are not using certificate pinning for the webapp or desktop app. Discovered this today kinda by accident, but now realise it leaked my password to my corporate overloads.

This fundamentally undermines all of the security that Lastpass have implemented.

8 comments

[ 4970 ms ] story [ 1476 ms ] thread
I've always been surprised that anyone thinks shared cloud password databases are safe. You'd have to trust that service so completely.

My suggestion is to use KeePass and store your database in a zero-knowledge, self-hosted cloud with end-to-end encryption (and also secure it with an offline private key).

If setting up that cloud storage sounds like too much trouble, SpiderOak is a good centralized, zero-knowledge service.

If i understand correctly, lastpass encrypts the database locally. Their cloud sync is supposed to be all-or-nothing zero-knowledge, so I'm not sure what OP is on about.
Huh. I wonder how they do password sharing, then.
That is a completely separate set of data, encrypted in a different way (I think you generate a Shared Key and then LastPass distributes that plus encrypted data, but I don't really know).
This is all orchestrated over a HTTPS transport, the transport does not use certificate pinning.
Orchestrated how? If the passwords are not going over the wire unencrypted, it doesn't really matter how secure the wire is -- unless the attacker is also actively replacing stuff that does go on the wire and would touch unencrypted passwords at some point, like JS files, but that indeed requires an active attacker.
A very simple case would be logging into lastpass.com, your password is passed to lp.com via a https transport.