
RE: A brief rant on password security [Edit: Not so brief after all]

in #security, 8 years ago

You missed one more problem. Dashlane's website is not SSL from the beginning. So if there is a man-in-the-middle attack attempt, they can intercept the HTML and replace HTTPS URLs with HTTP URLs. The SSL tunnel connects the attacker to Dashlane, and there is no SSL tunnel between you and the attacker. The new password for Dashlane would be sent in the clear to the attacker. So Dashlane gets four facepalms in my opinion.


Hmm, I'm not sure what you're seeing, but requesting any page from Dashlane's website over HTTP returns a 301 redirect to the HTTPS version, and they have HSTS enabled so your browser will not trust content from that domain over HTTP again. That's pretty much best practice all around.

They don't have HPKP, but I don't blame them: that makes you unable to adapt if your CA goes rogue or goes under. HPKP is generally too risky unless you run your own CA.

I am using Chrome and it shows https crossed out. Navigate to https://dashlane.com/ in Chrome (no www) and see what I mean. Actually it's a cert problem. I stand corrected.

Ahh, yes. That's a misconfiguration on their part; it looks like the raw domain, without the www, is configured to point to their mail server, so [email protected] will work correctly (poorly done; they should have had the A record point to the website and the MX record point to the mail server), so if you manually type https://dashlane.com, it breaks.

That is badly insecure, because it means they don't have HSTS on dashlane.com, only on www.dashlane.com, meaning I could sslstrip them as you described, and the address bar would read dashlane.com instead of www.dashlane.com.
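A defender-side check for exactly the gap this thread ends on (redirect and HSTS present on www, nothing on the bare domain), added here as an example and not code from the original post or from Dashlane. The hostnames and responses are constructed sample data, not live probes of any site; in practice you would fill the probe table from real HTTP and HTTPS requests.

```python
# Constructed sample modelled on the thread: www is configured correctly, the
# bare apex is not. A response is (status, headers); None models a failed
# TLS handshake (e.g. a certificate that does not match the hostname).
PROBES = {
    "example.com": (None, None),
    "www.example.com": ((301, {"Location": "https://www.example.com/"}),
                        (200, {"Strict-Transport-Security": "max-age=31536000"})),
}
SIX_MONTHS = 15552000  # smallest max-age most deployments should set


def parse_hsts(value):
    """Parse a Strict-Transport-Security header value into its directives."""
    policy = {"max_age": 0, "include_subdomains": False}
    for directive in value.split(";"):
        name, _, arg = directive.strip().partition("=")
        if name.lower() == "max-age" and arg.strip('"').isdigit():
            policy["max_age"] = int(arg.strip('"'))
        elif name.lower() == "includesubdomains":
            policy["include_subdomains"] = True
    return policy


def check_host(host, http, https):
    """Findings for one hostname: HTTP must redirect to HTTPS, HTTPS must set HSTS."""
    findings = []
    if not (http and http[0] in (301, 302, 307, 308)
            and http[1].get("Location", "").startswith("https://")):
        findings.append(f"{host}: plain HTTP does not redirect to HTTPS")
    if https is None:
        findings.append(f"{host}: HTTPS fails (cert/DNS), so no HSTS can be learned")
        return findings
    header = https[1].get("Strict-Transport-Security")
    if header is None:
        findings.append(f"{host}: no Strict-Transport-Security header")
    elif parse_hsts(header)["max_age"] < SIX_MONTHS:
        findings.append(f"{host}: HSTS max-age shorter than six months")
    return findings


def check_site(apex, probes):
    """Check apex and www together: HSTS learned from www never covers the apex."""
    findings = []
    for host, (http, https) in probes.items():
        findings.extend(check_host(host, http, https))
    apex_https = probes[apex][1]
    if apex_https is None or "Strict-Transport-Security" not in apex_https[1]:
        findings.append(f"{apex}: bare domain has no HSTS of its own; a user typing "
                        "it can still be downgraded even though www is protected")
    return findings
```

Setting HSTS with includeSubDomains on the apex (and making the apex actually serve HTTPS) closes the finding; a policy on www alone never does.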
