Google uploading your plain text passwords

K. Scott Helms kscott.helms at gmail.com
Sun Jun 13 13:59:43 UTC 2021


Bill,

It's not a theory and it doesn't have to be Chrome to work.  JavaScript
does the work to decrypt the data and it's not browser specific.

Read the PDF I supplied that details _exactly_ how the key exchange and
encryption works.

Scott Helms



On Sat, Jun 12, 2021 at 10:35 PM William Herrin <bill at herrin.us> wrote:

> On Sat, Jun 12, 2021 at 3:55 PM K. Scott Helms <kscott.helms at gmail.com>
> wrote:
> > I don't think you're lying, but you are mistaken.
> >
> > "I'm not lying. Google's server at passwords.google.com
> > composed an html web page containing my plaintext passwords and sent
> > it to me. Not decrypted by my browser after combining it with a
> > locally stored key. "
> >
> > So, you're not describing all of the possible ways to decrypt data.
> > What's happening is that the keys to decrypt the passwords are handed to
> > your client (with some checks like a local admin password or pin) when you
> > attempt to decrypt a given password.  The passwords _are_ decrypted on your
> > device and you did not get an HTML page with your passwords.  Please, go
> > look at the source yourself.  What you got was a page that's almost
> > entirely JavaScript and that includes the functions that handle the
> > decryption.
> >
> > Don't take my word for it, "When you log in to a website while signed in
> > to Chrome, Chrome encrypts your username and password with a secret key
> > known only to your device. Then it sends an obscured copy of your data to
> > Google. Because the encryption happens before Google’s servers get the
> > information, nobody, including Google, learns your username or password."
>
> There's a problem with your theory. The browser I viewed the passwords
> from Google in wasn't Chrome. And it didn't have a local copy of any
> Google passwords or keys. The only place they could have come from was
> Google's server.
>
> Regards,
> Bill Herrin
>
>
>
> --
> William Herrin
> bill at herrin.us
> https://bill.herrin.us/
>