mitro-co / mitro Goto Github PK

• Could you add Button to manual Create New Secret?
• Could you add Button to form password input on any web site as CommonKey?

• Please make persistence save of Advanced Options. I need default 20 chars password.
• Please add Button to header of float dialog for Copy to Clipboard new generated password.

The extensions already have a "hidden preference" for this. The iOS and Android apps need an option, and it needs to be visible to users in some way. This will make it far easier to run your own server.

The migration menu on the Firefox extension says that it can import from 1Password, but the extension UI itself doesn't have an option for 1Password in the dropdown.

the server-side icon map should be integrated into the browser extension.

Please add support to the Android app for adding and editing passwords

Cheers

Justin

Could you make app with Offline First Design?

Service Worker

• https://jakearchibald.github.io/isserviceworkerready/
• https://www.youtube.com/watch?v=4uQMl7mFB6g
• http://jakearchibald.com/2014/service-worker-first-draft/

Other

https://developer.chrome.com/apps/offline_apps

Could you open Android App and place source code on GitHub?

...the style guide is indeed publicly available. Please see the following webpage: https://google-styleguide.googlecode.com/svn/trunk/javaguide.html

Currently, mitro uploads the private key in order to share it with clients using the same account. This obviously creates some convenience, but also some security "issues":

1. The private key is known to anyone with access to mitro's data storage. Though protected by a password, it is possible to "steal" the key file and bruteforce it without anyone noticing.
2. If an account's password is compromised, so is the key - and all the clients at once. Two-Factor Authentication somewhat alleviates this issue.
3. Currently, I have no control over where my secrets go, e.g. I do not want certain secrets available on my phone, while others certainly should be there.

With a new option to not upload the private key, but instead having a key pair on each client, these concerns would be gone and the sole attack vector remaining would be the client (and the hosting machine itself). Additionally, I could control which secrets are available where (see 3)).

I'm more then happy for feedback on whether or not this actually a good idea.

Deletion of Multiple secrets

Current Process:
Load Mitro.co website,
for each secret;
load "manage secret" page
click delete secret

Proposed Process:
Load Mitro.co website
select each secret required for deletion
click delete button

On https://sandbox.authorize.net/ using Chrome 36.0.1985.143 on OSX, I can manually log in but Mitro will fail to ask me to remember the password.

I then added a new secret for this site, but when I go there Mitro fails to show the login bar.

If I select the secret from the Mitro extension and tell it to log in, a new tab opens to the site but no credentials are entered in the form.

Currently all secrets are stored in a single list.

Please add support for categorisation/folders.

As you type a really strong password, the strength indicator goes up to "strong" and then bounces back down to "weak" again.

Seems like it should either stick at "strong", or bounce back to "super strong", "insanely strong", etc.

When hovering over "backlinks" on the website 4chan with both 4chan X and Mitro extensions installed in Chrome, the page very often freezes for several seconds.

I simple fix would be to have a blacklist over sites, which Mitro shouldn't load on.

Needs a preference to turn off the automatic and incessant asking in the UI to save the password you just used. It is convenient for a while, but sometimes, you just want it off.

Upon installing the addon for the first time and clicking on the toolbar icon, I got this console error:

console.error: mitro-login-manager: 
  Message: TypeError: document.getElementById(...) is null
  Stack:
    updateLoginState/</</</<@resource://gre/modules/addons/XPIProvider.jsm -> jar:file:///home/yan/.mozilla/firefox/PROFILE/extensions/[email protected]!/bootstrap.js -> resource://gre/modules/commonjs/toolkit/loader.js -> resource://gre/modules/commonjs/sdk/loader/sandbox.js -> resource://mitro-login-manager-at-jetpack/mitro-login-manager/data/js/popup.js:4:307
Client.prototype.setMethod/this[a]</<@resource://gre/modules/addons/XPIProvider.jsm -> jar:file:///home/yan/.mozilla/firefox/PROFILE/extensions/[email protected]!/bootstrap.js -> resource://gre/modules/commonjs/toolkit/loader.js -> resource://gre/modules/commonjs/sdk/loader/sandbox.js -> resource://mitro-login-manager-at-jetpack/mitro-login-manager/data/js/client.js:13:299
Client/this.processIncoming@resource://gre/modules/addons/XPIProvider.jsm -> jar:file:///home/yan/.mozilla/firefox/PROFILE/extensions/[email protected]!/bootstrap.js -> resource://gre/modules/commonjs/toolkit/loader.js -> resource://gre/modules/commonjs/sdk/loader/sandbox.js -> resource://mitro-login-manager-at-jetpack/mitro-login-manager/data/js/client.js:2:226
ExtensionHelper/this.bindClient/<@resource://gre/modules/addons/XPIProvider.jsm -> jar:file:///home/yan/.mozilla/firefox/PROFILE/extensions/[email protected]!/bootstrap.js -> resource://gre/modules/commonjs/toolkit/loader.js -> resource://gre/modules/commonjs/sdk/loader/sandbox.js -> resource://mitro-login-manager-at-jetpack/mitro-login-manager/data/js/helpers.js:7:411
onEvent@resource://gre/modules/addons/XPIProvider.jsm -> jar:file:///home/yan/.mozilla/firefox/PROFILE/extensions/[email protected]!/bootstrap.js -> resource://gre/modules/commonjs/toolkit/loader.js -> resource://gre/modules/commonjs/sdk/loader/sandbox.js -> resource://gre/modules/commonjs/sdk/content/content-worker.js:45:9
onChromeEvent@resource://gre/modules/addons/XPIProvider.jsm -> jar:file:///home/yan/.mozilla/firefox/PROFILE/extensions/[email protected]!/bootstrap.js -> resource://gre/modules/commonjs/toolkit/loader.js -> resource://gre/modules/commonjs/sdk/loader/sandbox.js -> resource://gre/modules/commonjs/sdk/content/content-worker.js:96:9

This is used to send emails to verify email addresses, and is currently in an old private repository.

> yan@snowbunny:~/Documents/efforg/mitro/browser-ext/login$ make
kzjs_srouces = ../api/build/node/lib/node_modules/keyczarjs/*.js
forge_srouces = ../api/build/node/lib/node_modules/keyczarjs/node_modules/node-forge/js/*.js
make: *** No rule to make target '/home/yan/Documents/efforg/mitro/browser-ext/login/build/chrome/release/', needed by '/home/yan/Documents/efforg/mitro/browser-ext/login/build/chrome/release/utils.js'.  Stop.

Using Debian.

It works on Firefox 31, but we get some sort of exception on Firefox 32 and 33.

I have this strange error in the Firefox extension. First of all the font is wrong, it seems that the extension content is not loaded and I can't see my secrets inside it.

I have Linux Mint 17 "Qiana" - Xfce (64-bit) and Firefox 31

I know it seems counter intuitive, but I would like to be able to have some sites as filling the form only, and not logging in as well.

For some of my super-sensitive passwords I don't store them in a Password Manager, just the username and/or other details. In these cases, when Mitro fills the forms I get an error that the password must be filled in as well. It would be much better to not log in, and just fill in what's available (in some situations).

Mitro stopped working (hangs on login) with FireFox v32 on OSX. Can anybody confirm this?

(Chrome Extension)
Default is 8 characters. If I bump it up to 16 or change any advanced settings, it will forget those settings every time I go back to generate more passwords. Gets annoying to have to go through so many menus to generate a strong password every single time, I ended up having to install a separate generator extension just to avoid the aggravation.

I have a ton of passwords saved in my FF profile.
It would be nice if there was a way to import them.

Edit: the google saves
https://addons.mozilla.org/en-US/firefox/addon/password-exporter/
https://gist.github.com/ajstein/7810078

1. local file under dropbox

2. cloud support dropbox / google drive

3. p2p sync

NSJSONSerialization first appeared in iOS5 and can be used to work with JSON. It's always better to have less code.
I can make a pull request if this change is acceptable.

@evanj @vijayp

Hello everyone. I have managed to build and run mitro-core on Scientific Linux 6.2 (yes that is old...but any newer release should work also), and access it from a separate machine on my internal network. This has some overlap with #53 but I thought I should file it separately. Here are my notes on the process:

For Scientific Linux (or CentOs or any Redhat Enterprise Linux derivative)

git clone https://github.com/mitro-co/mitro

sudo yum install nodejs.x86_64; yum install postgresql.x86_64; yum install postgresql-server; yum install postgresql-contrib

Install java sdk from website as described in mitro-core/README.md
use the jdk-7u67-linux-x64.rpm

sudo rpm -Uvh jdk-7u67-linux-x64.rpm
sudo yum install npm.noarch

Remember to
export NODE_PATH=/<path-to-mitro>/mitro/browser-ext/api/build/node/lib/node_modules
in your .bashrc or .profile

Run sysctl commands as per mitro-core/README, if you want to run multiple postgres instances
Run build.sh as per mitro-core/README and then the other commands to set up a postgresql db.

If you get an error with:
psql -c 'create database mitro;'
like >>> FATAL: database "<user_name> does not exist'
then run
createdb <user_name> -U <user_name> followed by psql -c 'create database mitro;' again
Once that is finished, then build the db:
postgres -d build/postgres
(you may want an & after that to make it run in the background as this process won't return)

And the run the server:
ant server
in the mitro-core directory. Things should be ready to go (you might also want an & here to run in the background)

If you have a problem with 'ant server' indicating 'invalid source release' then you need to install java-1.7.0-openjdk.x86_64 and java-1.7.0-openjdk-devel.x86_64 via yum because the rpm didn't install properly earlier

Test
Connect to: https://localhost:8443/mitro-core/api/BuildMetadata with a browser and you should see

"commit: ... some commit hash
describe: fatal: No names found, cannot describe anything.
build time: ... some date"

Now build the extension and run tests:
cd browser-ext/api
./build.sh

cd js/cli
./runtests.sh FAST && echo "SUCCESS"

To test out the extension in a browser:

Build the 'safari/firefox/chrome'-debug extension in browser-ext/login with 'make safari-debug' (or firefox/chrome)

If you run into problems with 'nopt' not being found then you need to
npm install -g nopt

If that still doesn't work then you can run
npm install nopt
in the browser-ext/third_party/hogan.js/bin directory

Install the extension into the browser (I chose safari...for a chrome install, see the browser-ext/README)

If you don't have a safari extension developer certificate then you will need to sign up for one

Turn on Safari Developer Tools under 'Safari->Preferences'
Under 'Develop' in the tool bar you choose 'Show Extension Builder'
Click on the little '+' to add the safari-debug extension
Navigate to browser-ext/login/build/safari/ and choose the debug.safariextension directory
Click 'install' and the extension should be ready to use
Follow the regular "Sign Up" workflow to add a new user to the postgres db

NOTE: You won't get an email sent to your login email account because emailer2.py is still missing from ansible

NOTE: if you want to use a different machine on your network to test the extension, rather than the mitro server machine, then edit the browser-ext/login/common/config/cofig.debug.js file and change the two 'localhost' entries to an ip address like '192.168.1.66', or wherever the server is running

This application is vulnerable to clipboard hijacking when using clipboard for copying http://fc13.ifca.ai/proc/4-2.pdf

The README in mitro-core states:

Generally follow the Java coding guidelines (since Google's Java style guide is not publicly available)

Google's Java style guide is available here: http://google-styleguide.googlecode.com/svn/trunk/javaguide.html

We could add a feature which shows a notification/message that suggest the user to change the password. Example: it can happen after one year.

hi

i have followed installation instruction on: https://github.com/mitro-co/mitro/tree/master/mitro-core
everything seems fine until i wanted to connect via browser to https://:8443/mitro-core/
i am getting a 404:
[21/Aug/2014:07:36:47 +0000] "GET /mitro-core/ HTTP/1.1" 404 - "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:31.0) Gecko/20100101 Firefox/31.0

Error Page says:
HTTP ERROR: 404

Problem accessing /mitro-core/. Reason:

Not Found

Powered by Jetty://

i am not sure how to investigate this.

hope you can help me out.

thx, argonius

It would be nice if the browser extensions have a few more option around auto-logout. Things I would fine useful are:

• Log out when the browser is completely closed.
• Option to log out after X minutes of inactivity.

I also feel the sign-out option shouldn't be hidden in the settings pane. An icon right next to the settings icon would be nice.

Hi Guys,

Not sure if the Mitro Firefox extension was ever supposed to work with Firefox for Android but when I attempt to install it from your site i get the below error

As the Mitro Android client is read-only would be awesome if the full extension worked on Firefox for Android!

Cheers

Justin

The licence file should be called LICENSE, not LICENCE

When a user has many secrets it becomes hard to manage them in the extension (limited viewing area). It would be nice if we could group secrets into teams with a similar drop down fashion like the details are shown for secrets.

With Mitro enabled, utilizing WordPress's menu editing system becomes nigh impossible.

When dragging menu items to order them, the entire browser tab freezes for several seconds.
Recording this behavior with Chrome's Timeline profiler revealed the pause was due to something in this file: https://github.com/mitro-co/mitro/blob/master/browser-ext/login/common/content.js
Chrome said it's line 22, but this is in the minifed JS, not the above development file.

I'm not sure what's causing this, but I assume it has something to do with WordPress's menu editor being a drag-drop UI within a form that constantly CREDs form elements. Maybe it causes Mitro to scan the form in a way that causes the freeeze?

https://github.com/mitro-co/mitro/blob/master/browser-ext/login/chrome/helpers.js#L27
Uncaught TypeError: Cannot read property '2' of null
With user agent emulation: "Mozilla/5.0 (iPhone; CPU iPhone OS 7_0 like Mac OS X; en-us) AppleWebKit/537.51.1 (KHTML, like Gecko) Version/7.0 Mobile/11A465 Safari/9537.53"

./build.sh in mitro/browser-ext/api fails with the following: gyp: Call to 'node -e "require('nan')"' returned exit status 1. while trying to load binding.gyp
ubuntu 14.04 LTS, all the latest stuff. any hints are greatly appreciated.

 [exec] Result: 128

[propertyfile] Updating property file: /home/jordan/smallscripts/mitro/mitro-core/build/java/src/build.properties
[exec] /home/jordan/smallscripts/mitro/mitro-core/java/server/lib/commons-codec-1.8.jar
[exec] /tmp/tmpIib5AU
[exec] Traceback (most recent call last):
[exec] File "tools/jarpackager.py", line 108, in
[exec] main()
[exec] File "tools/jarpackager.py", line 91, in main
[exec] unpack_jar(path, tempdir)
[exec] File "tools/jarpackager.py", line 29, in unpack_jar
[exec] process = subprocess.Popen(args)
[exec] File "/usr/lib/python2.7/subprocess.py", line 679, in init
[exec] errread, errwrite)
[exec] File "/usr/lib/python2.7/subprocess.py", line 1259, in _execute_child
[exec] raise child_exception
[exec] OSError: [Errno 2] No such file or directory
[exec] Result: 1
[echo] Built build/mitrocore.jar

server:
[java] Error: Unable to access jarfile /home/jordan/smallscripts/mitro/mitro-core/build/mitrocore.jar
[java] Java Result: 1

Something is up with the compile.

I tried to import my KeePass 2.0 XML exported database, and there was some error halfway through that caused every entry to have a duplicate, so now I'm stuck with a few hundred entries that I want to mass delete. It takes 3 clicks per entry to remove an entry, and you can only do one at a time. No way am I going to click over and over just to reset my Mitro database.

I just discovered what looks like a missing '$' or something like this in your mail system. The error is seems only visible when you view the mail in a text only mail client like mutt. I got the following mail:

From: Mitro [email protected]
To: XXXXXXXXX
Date: Thu, 31 Jul 2014 17:26:25 +0000
Subject: Congratulations on saving your first secret!

Hi {firstname},

Congratulations on adding your first secret to Mitro!

Did you know you can even access it on your phone?
Get our free mobile app today:

Android: https://play.google.com/store/apps/details?id=co.mitro.mitro

iPhone: https://itunes.apple.com/ms/app/mitro-password-manager/id726427383

-The Mitro team

Mitro is the easiest way to share access to your accounts securely.

https://www.mitro.co

Tweet us at @MitroCo

I found that the extension in Firefox on Windows does look completely wrong. It shows the "Detail" page instead of the "PopUp" Page for the Plugin.

I saw this first as I was using Mitro on my Firefox in Bootcamp and got this confirmed by a windows user.

Hey thought it is not so nice but did not perceive it as error until I asked him to install it in Google Chrome. After experiencing how it works in Google Chrome it was clear to him that there is a bug with the Firefox Extension in Firefox 31 on Windows 7 (at least).

Could you add Team Select to Toolbar?

Hello and 1st off: Thank you for releasing this code under GPL :-)

I'd very much like to try it out in a similar way than old Mozilla Sync engine. There is a seamlessly working (albeit incomplete) ownCloud app for that. Please consider offering such a way to easily self-host the Mitro server.

It would be nice to be able to lock the mobile app with a short PIN / Schema / Whatever.

This could be done securely by encrypting the saved password with that PIN. A number of failed tries would wipe that saved password, and the user would have to enter the main password again.

My company currently use Yubikey with Lastpass for all access and it have been working great!

It would be very nice if this could be added to Mitro as well.

i've followed the installation instruction on actual ubuntu 14.04 server, but when running the test
i've got the Error:
Unable to access jarfile build/mitrocore.jar
and i can not find this file anywhere?

here is the complete test process:
http://pastebin.com/BbFeq2Kc

friendly regards,
argonius