Mac Security

About me

Developer Information
Name Mac Security
User since July 4, 2011
Number of add-ons developed 0 add-ons
Average rating of developer's add-ons Not yet rated

My Reviews

RoboForm Lite Password Manager

Not so secure - Needs Two Factor Authentication! Rated 1 out of 5 stars

All online password managers, including RoboForm Everywhere and LastPass, use SSL as the way to connect to their servers to log in and sync, but SSL is Not as secure as many people may think. SSL has its flaws and can be compromised by "Man in the Middle Attacks" (MITM attacks) and by brute-force attacks on the session key, as well as by other forms of attack such as algorithm rollback attacks, timing attacks, traffic analysis and Bleichenbacher's attacks - not to mention that there are also a few tools, such as Firesheep and Wireshark, which can compromise an SSL connection. Online password managers Shall provide SSH (Secure Shell Access) as a secure way to log in and sync to and from their servers. SSH is Rock Solid, it is based on a public/private key exchange model, and it is even possible to tunnel an SSL connection through SSH to Maximize Security. In addition, all online password managers Shall provide Two Factor Authentication while logging in to their servers - similar to Gmail's Two Step Verification - which can send you an SMS with a One Time Password (OTP), call your phone to provide your OTP audibly, or generate the OTP tokens locally on your iPhone or Android phone through the Google Authenticator app. I just can't picture an Online Password Manager Not providing Two Factor Authentication and SSH. LastPass servers were recently attacked by hackers and their customers' data was compromised, and that would not happen if they would incorporate Two Factor Authentication + SSH. Period.

Google Two Step Verification:

http://itunes.apple.com/mx/app/google-authenticator/id388497605?mt=8

This review is for a previous version of the add-on (2.1.0).  This user has a previous review of this add-on.

LastPass Password Manager

Not so secure - Needs Two Factor Authentication! Rated 2 out of 5 stars

All online password managers, including RoboForm Everywhere and LastPass, use SSL as the way to connect to their servers to log in and sync, but SSL is Not as secure as many people may think. SSL has its flaws and can be compromised by "Man in the Middle Attacks" (MITM attacks) and by brute-force attacks on the session key, as well as by other forms of attack such as algorithm rollback attacks, timing attacks, traffic analysis and Bleichenbacher's attacks - not to mention that there are also a few tools, such as Firesheep and Wireshark, which can compromise an SSL connection. Online password managers Shall provide SSH (Secure Shell Access) as a secure way to log in and sync to and from their servers. SSH is Rock Solid, it is based on a public/private key exchange model, and it is even possible to tunnel an SSL connection through SSH to Maximize Security. In addition, all online password managers Shall provide Two Factor Authentication while logging in to their servers - similar to Gmail's Two Step Verification - which can send you an SMS with a One Time Password (OTP), call your phone to provide your OTP audibly, or generate the OTP tokens locally on your iPhone or Android phone through the Google Authenticator app. I just can't picture an Online Password Manager Not providing Two Factor Authentication and SSH. LastPass servers were recently attacked by hackers and their customers' data was compromised, and that would not happen if they would incorporate Two Factor Authentication + SSH. Period.

Google Two Step Verification:

http://itunes.apple.com/mx/app/google-authenticator/id388497605?mt=8

This review is for a previous version of the add-on (1.74.0.1-signed).  This user has 3 previous reviews of this add-on.

LastPass Password Manager

Rated 2 out of 5 stars

All online password managers, including RoboForm Everywhere and LastPass, use SSL as the way to connect to their servers to log in and sync, but SSL is Not as secure as many people may think. SSL has its flaws and can be compromised by "Man in the Middle Attacks" (MITM attacks) and by brute-force attacks on the session key, as well as by other forms of attack such as algorithm rollback attacks, timing attacks, traffic analysis and Bleichenbacher's attacks - not to mention that there are also a few tools, such as Firesheep and Wireshark, which can compromise an SSL connection. Online password managers Shall provide SSH (Secure Shell Access) as a secure way to log in and sync to and from their servers. SSH is Rock Solid, it is based on a public/private key exchange model, and it is even possible to tunnel an SSL connection through SSH to Maximize Security. In addition, all online password managers Shall provide Two Factor Authentication while logging in to their servers - similar to Gmail's Two Step Verification - which can send you an SMS with a One Time Password (OTP), call your phone to provide your OTP audibly, or generate the OTP tokens locally on your iPhone or Android phone through the Google Authenticator app. I just can't picture an Online Password Manager Not providing Two Factor Authentication and SSH. LastPass servers were recently attacked by hackers and their customers' data was compromised, and that would not happen if they would incorporate Two Factor Authentication + SSH. Period.

This review is for a previous version of the add-on (1.74.0.1-signed).  This user has other reviews of this add-on.

LastPass Password Manager

Rated 3 out of 5 stars

Better than RoboForm Everywhere? Yes, LastPass is a bit better, but not more secure than Pidder - but since it is a lot cheaper than Pidder, and it offers apps for mobiles, LastPass is the overall winner in the Online Password Managers race. But that doesn't mean your data is 100% protected, or their servers 100% bulletproof against hackers, as was recently demonstrated.

Besides, an SSL connection is Not as secure as most people think; it has its flaws, and it has been demonstrated as well that it can be intercepted and replicated if cookies are placed unencrypted.

I don't know why LastPass, as well as the rest of the online password storage service providers, don't offer SSH (Secure Shell Access) as a way to connect to their servers. SSH is Rock Solid and it is even possible to tunnel SSL through SSH to Maximize Security; then it will be a real nightmare for sniffers on the wire to intercept data while storing or syncing data to and from their servers. Think of it as a Carbon Fiber Tube tunneled through a Stainless Steel Tube.

In addition, LastPass should already be providing their own OTP apps for mobiles, similar to the Google Authenticator app for iPhone and Android phones - this is different from their current apps for mobile, whose purpose is to sync data between devices, not to offer a second factor of authentication to log in to their servers. I know they support Yubikey, but it just makes more sense to spend a few bucks to develop their own OTP software app that can be used on mobile phones - since people already have such phones and are not willing to buy and carry a Yubikey. Besides, these days most people check their email accounts from their mobile phones rather than using their laptops or desktops, and it is simply not possible to use a Yubikey on a mobile phone, and using an OTP app on a mobile phone will be a lot less expensive than using SMS codes as a second factor of authentication.

Finally, OTP Shall be a standard service offered by Online Password Storage Service Providers; otherwise they are playing with fire - with their customers' data. OTP shall also be free for both standard and premium users - I just can't picture an Online Password Storage Service Provider not offering OTP as a way to log in to their service. OTP apps for mobile phones can actually offer a high grade of security without spending lots of money, as in the case of SMS OTP codes.

LastPass is on the right track, but not yet there.

This review is for a previous version of the add-on (1.74.0.1-signed).  This user has other reviews of this add-on.


Xmarks Sync

Rated 1 out of 5 stars

Complete Garbage! and Not Secure!

Besides all their Spyware search functions, your bookmarks are saved unencrypted at their servers and their privacy policy is a joke:

"We will not share your information with Anyone - Except for our marketer fiends, their friends and the friends of their friends." You'd better say "we will share your information with X + Y + Z!"

Their search assistant function is nothing more than Spyware and it makes surfing the web slow. No thank you, morons, I don't need other search advisors on top of Google.

I hope that LastPass, as the new owner of Xmarks, will remove the Spyware search functions from Xmarks. LastPass uses mobile applications as their source of revenue, so I guess that by incorporating the same model into Xmarks there is No reason to leave the Spyware search functions on Xmarks, and they Shall incorporate encryption for bookmarks at rest (stored at their servers).

Finally, how good could Xmarks be when it fails to offer a reliable syncing service? It is a mess, it erases bookmarks or duplicates data. Just terrible and a nightmare to use.

This review is for a previous version of the add-on (3.9.10.1-signed). 

RoboForm Lite Password Manager

Rated 1 out of 5 stars

WARNING! RoboForm Everywhere is Not Secure!

The point of this review is Not about how well protected your passwords are by your Master Password, but about how secure all your passwords are - while online - after you enter your Master Password to open your password vault containing all your other passwords. The point is: once you open your password vault and it remains open while you are online, for whatever period of time, you are then susceptible to online interception, be it by your ISP, a hacker, a government agency camouflaged as a "secure" VPN service, etc.

I decided to give RoboForm Everywhere a try, and I am Highly Disappointed with their overall security. I tested how secure RoboForm's Everywhere service was by using a Gmail account protected by the Google Authenticator SMS service. I used RoboForm to save my login credentials - my user name and password - and after submitting them I was redirected to the Google Authenticator page to enter the OTP (one time password) sent to my mobile phone via SMS. I received the SMS, I entered the OTP code and I was then granted access to my Gmail account. However, a few minutes after I logged off from my Gmail account, I received another SMS code from Google Authenticator, so I automatically assumed something was Very Wrong, because it is Only possible to receive an OTP SMS code from Google Authenticator AFTER you (or someone else) has correctly entered your Gmail user ID and password, so - yes of course - it can only be because of the F**k*n RoboForm Everywhere trash.

I am Fully Convinced that someone, whether it was an employee from RoboForm, my ISP, or X-online, somehow managed to intercept my login credentials while the RoboForm Everywhere service remained active after entering my Master Password, and it is like that - once you enter your Master Password to open the rest of your passwords, then your data is No Longer Secure, and a Lot Less Secure while you remain online - because your data is at risk of being intercepted online while syncing with the RoboForm Everywhere servers, even if using an SSL connection.

The whole point is that an SSL connection is Not as secure as many people may think, and yes, it has been demonstrated that an SSL connection can be intercepted or replicated if a cookie is not placed encrypted. The only way to Maximize the security of the RoboForm Everywhere service, or any of the other online password services, will be to incorporate SSH (Secure Shell Access) as the way to securely connect to their servers to store or sync their users' data, and it is even possible to tunnel an SSL connection through SSH to make it Truly impossible for sniffers on the wire to access someone's data. In addition, I consider it a Basic service for all online password storage services to offer OTP - otherwise, they are all playing with fire.

So, I immediately discarded RoboForm Everywhere as a reliable service and uninstalled all their software. The good thing is that I was just testing RoboForm's Everywhere service with a demo Gmail account, so the rest of my logins were not put at risk.

Shame on you Robo-Crap!

P.S.: The only way to Maximize the Security of your Passwords is to use Open Source software - the best password managers are KeePass for Windows and KeePassX for Mac, and they are FREE by the way. Do Not trust online services to store your passwords online, for the reasons described above, and if possible use a USB stick to store your password database instead of storing it on your hard drive; both KeePass and KeePassX allow you to store your password database on a USB stick. And of course you should be using Firefox topped with a few security add-ons such as: Adblock, BetterPrivacy, Calomel SSL Validation, Certificate Patrol, Ghostery, NoScript, OptimizeGoogle, and HTTPS Everywhere developed by the Electronic Frontier Foundation - this last one available at their site eff.org

This review is for a previous version of the add-on (2.1.0).