Google uploading your plain text passwords
K. Scott Helms
kscott.helms at gmail.com
Sun Jun 13 13:59:43 UTC 2021
Bill,
It's not a theory and it doesn't have to be Chrome to work. JavaScript
does the work to decrypt the data and it's not browser specific.
Read the PDF I supplied that details _exactly_ how the key exchange and
encryption works.
Scott Helms
On Sat, Jun 12, 2021 at 10:35 PM William Herrin <bill at herrin.us> wrote:
> On Sat, Jun 12, 2021 at 3:55 PM K. Scott Helms <kscott.helms at gmail.com>
> wrote:
> > I don't think you're lying, but you are mistaken.
> >
> > "I'm not lying. Google's server at passwords.google.com
> > composed an html web page containing my plaintext passwords and sent
> > it to me. Not decrypted by my browser after combining it with a
> > locally stored key. "
> >
> > So, you're not describing all of the possible ways to decrypt data.
> > What's happening is that the keys to decrypt the passwords are handed to
> > your client (with some checks like a local admin password or PIN) when you
> > attempt to decrypt a given password. The passwords _are_ decrypted on your
> > device and you did not get an HTML page with your passwords. Please, go
> > look at the source yourself. What you got was a page that's almost
> > entirely JavaScript and that includes the functions that handle the
> > decryption.
> >
> > Don't take my word for it, "When you log in to a website while signed in
> > to Chrome, Chrome encrypts your username and password with a secret key
> > known only to your device. Then it sends an obscured copy of your data to
> > Google. Because the encryption happens before Google’s servers get the
> > information, nobody, including Google, learns your username or password."
>
> There's a problem with your theory. The browser I viewed the passwords
> from Google in wasn't Chrome. And it didn't have a local copy of any
> Google passwords or keys. The only place they could have come from was
> Google's server.
>
> Regards,
> Bill Herrin
>
>
>
> --
> William Herrin
> bill at herrin.us
> https://bill.herrin.us/
>