nanog mailing list archives
Re: Google uploading your plain text passwords
From: Tom Beecher <beecher () beecher cc>
Date: Sun, 13 Jun 2021 13:12:27 -0400
There's a problem with your theory. The browser I viewed the passwords from Google in wasn't Chrome. And it didn't have a local copy of any Google passwords or keys. The only place they could have come from was Google's server.
Yes. The *encrypted* blob of login/password data was retrieved from Google's servers over a TLS protected session. When you click on any password to view it, the Javascript that it also downloaded presents you with another password challenge, which when successful, the JS will then to decrypt and display the data. - Nothing is ever transmitted in the clear. - The decryption as far I can see is only ever done locally. ( Using the OS hooks if in Chrome, or Javascript via passwords.google.com. ) On Sat, Jun 12, 2021 at 10:36 PM William Herrin <bill () herrin us> wrote:
On Sat, Jun 12, 2021 at 3:55 PM K. Scott Helms <kscott.helms () gmail com> wrote:I don't think you're lying, but you are mistaken. "I'm not lying. Google's server at passwords.google.com composed an html web page containing my plaintext passwords and sent it to me. Not decrypted by my browser after combining it with a locally stored key. " So, you're not describing all of the possible ways to decrypt data.What's happening is that the keys to decrypt the passwords are handed to your client (with some checks like a local admin password or pin) when you attempt to decrypt a given password. The passwords _are_ decrypted on your device and you did not get a HTML page with your passwords. Please, go look at the source yourself. What you got was a page that's almost entirely javascript and that includes the functions that handle the decryption.Don't take my word for it, "When you log in to a website while signed into Chrome, Chrome encrypts your username and password with a secret key known only to your device. Then it sends an obscured copy of your data to Google. Because the encryption happens before Google’s servers get the information, nobody, including Google, learns your username or password." There's a problem with your theory. The browser I viewed the passwords from Google in wasn't Chrome. And it didn't have a local copy of any Google passwords or keys. The only place they could have come from was Google's server. Regards, Bill Herrin -- William Herrin bill () herrin us https://bill.herrin.us/
Current thread:
- Re: Google uploading your plain text passwords, (continued)
- Re: Google uploading your plain text passwords Jim (Jun 12)
- Re: Google uploading your plain text passwords Christopher Morrow (Jun 12)
- Re: Google uploading your plain text passwords Max Harmony via NANOG (Jun 12)
- Re: Google uploading your plain text passwords William Herrin (Jun 12)
- Re: Google uploading your plain text passwords K. Scott Helms (Jun 12)
- Re: Google uploading your plain text passwords William Herrin (Jun 12)
- Re: Google uploading your plain text passwords K. Scott Helms (Jun 12)
- Re: Google uploading your plain text passwords Tom Beecher (Jun 12)
- Re: Google uploading your plain text passwords William Herrin (Jun 12)
- Re: Google uploading your plain text passwords K. Scott Helms (Jun 13)
- Re: Google uploading your plain text passwords Tom Beecher (Jun 13)
- Re: Google uploading your plain text passwords nanog08 (Jun 13)