Ok, I was tired of rumors speculating about which #LastPass fields appear to be encrypted client-side before being sent to LastPass, so I ran some tests of my own.
For a basic "Password" item, here is what I can tell so far.
When saving the item, the following primary fields are transmitted encrypted:
- Name
- Extra (Notes field)
- Username
- Password
- TOTP (not in this screenshot, but did test)
However, I also observed that the following fields have a cleartext (hex) version in the payload as well:
- Name
- Username
- URL
- Folder Name (not hex)
So in other words, there is more than just the URL being transmitted to LastPass in the clear. This makes sense, because LastPass' Admin console reveals login activity for all users, which includes the Name, Username, and URL of the login event; so naturally these things must be transmitted and kept server-side, outside of the vault. However, this once again does go against their "zero-knowledge of anything in your vault" marketing...
Screenshots of this test below. I have omitted the encrypted data to prevent revealing enough for a "Known Plaintext Attack" to derive a key, but the relevant pieces are visible.
If I am missing anything here, do let me know.
#LastPassHack #LastPassBreach
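For anyone who wants to repeat this kind of check on their own captured traffic, the following is an added example (not the poster's code, and not LastPass's real wire format): it takes a constructed request body with hypothetical field names and sorts each field into hex-encoded cleartext (trivially reversible, so not "encrypted" in any sense), plain text, or an opaque blob, and reports a byte-entropy figure so that an encrypted value can be told apart from merely encoded data.

```python
"""Audit a captured request body: which fields are only hex-encoded
(i.e. cleartext), which are plain text, and which are opaque blobs?

Field names and all values below are constructed for this example and do
not reflect any real product's payload format."""
import base64
import binascii
import hashlib
import math
import string

PRINTABLE = set(string.printable.encode())


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: low for natural text, close to 8 for ciphertext."""
    if not data:
        return 0.0
    counts = {}
    for b in data:
        counts[b] = counts.get(b, 0) + 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def try_hex(value: str):
    """Return the decoded bytes if `value` is a well-formed hex string."""
    if not value or len(value) % 2 or any(c not in string.hexdigits for c in value):
        return None
    return bytes.fromhex(value)


def try_base64(value: str):
    """Return the decoded bytes if `value` is well-formed base64, else None."""
    if not value or len(value) % 4:
        return None
    try:
        return base64.b64decode(value, validate=True)
    except (binascii.Error, ValueError):
        return None


def classify_field(value: str) -> dict:
    """Classify one field value.

    hex-cleartext : hex digits that decode to printable text (reversible)
    opaque        : base64 that decodes to non-text bytes (likely encrypted)
    plaintext     : anything else that is readable as-is
    Note: a short value made only of [0-9a-f] is ambiguous between hex and
    base64; hex is tried first because that is the reversible case."""
    raw = try_hex(value)
    if raw is not None and all(b in PRINTABLE for b in raw):
        return {"kind": "hex-cleartext", "decoded": raw.decode("ascii"),
                "entropy": round(shannon_entropy(raw), 2)}
    blob = try_base64(value)
    if blob is not None and not all(b in PRINTABLE for b in blob):
        return {"kind": "opaque", "decoded": None,
                "entropy": round(shannon_entropy(blob), 2)}
    return {"kind": "plaintext", "decoded": value,
            "entropy": round(shannon_entropy(value.encode()), 2)}


def audit_payload(payload: dict) -> dict:
    """Classify every field of a captured request body."""
    return {name: classify_field(val) for name, val in payload.items()}


# Constructed stand-in for an encrypted blob: a few explicit non-printable
# bytes plus hash output, base64-encoded (NOT a real ciphertext).
_FAKE_CIPHERTEXT = (bytes([0x00, 0x9B, 0xFF, 0x10])
                    + hashlib.sha256(b"constructed ciphertext stand-in").digest())

# Constructed sample body; hypothetical field names.
SAMPLE_PAYLOAD = {
    "name": "Example Bank".encode().hex(),              # hex only, no encryption
    "username": "alice@example.com".encode().hex(),     # hex only
    "url": "https://bank.example/login".encode().hex(),  # hex only
    "grouping": "Finance",                              # plain folder name
    "password": base64.b64encode(_FAKE_CIPHERTEXT).decode(),  # opaque blob
}

if __name__ == "__main__":
    for field, info in audit_payload(SAMPLE_PAYLOAD).items():
        print(f"{field:10s} {info['kind']:14s} entropy={info['entropy']:<5} "
              f"decoded={info['decoded']!r}")
```

Run it against your own captured body by replacing `SAMPLE_PAYLOAD` with the parsed request fields; any field that lands in `hex-cleartext` is readable by whoever holds the traffic, regardless of how it is labelled.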