Codebook Password Manager

Website

Short description

Password manager created by the SQLCipher team.

Why I think this tool should be added

I don’t necessarily believe it fully meets PG’s standard, but (A) I was pointed here [0] and (B) my personal requirements are a bit different and I would like some feedback before going in on it.

The tool is maintained by the same organization as SQLCipher which is open-source and highly respected software. Underneath the GUI portion all secrets are stored in SQLCipher.

[0] Password manager I haven't seen discussed

Section on Privacy Guides

Password manager

Closed-source software w/o an audit

Not only are you blindly trusting a third party to conduct themselves with integrity - i.e. no illicit data mining - but you are trusting their dev team to be impeccable with cybersecurity.

This is a nonstarter for most folks (myself included). No implied accusation of impropriety towards this developer, but my threat model is as close to zero-trust as I can get it, and this setup requires a lot of trust. There’s a crowded field of strong PW manager options available without these limitations.

4 Likes

From what I can tell, the encryption engine (SQLCipher) is open source though and you can verify the encryption since the files are stored and processed locally. I get the concern but it doesn’t seem like you are forced to “blindly trust” them, especially if you don’t use the sync feature.

I agree with you though, it’s probably still a non-starter for most here. Although I question if it’s that much worse than 1Password, which is recommended.
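A way to check the claim above that a locally stored vault can be verified to be encrypted, as an added example that is not code from the thread or from Zetetic: it looks for the plaintext SQLite magic header and measures byte entropy over the first page. The 4096-byte page size, the 7.5 bits/byte threshold and the sample blobs are my own assumptions and constructed data.

```python
import math
import random

# A SQLCipher database is a SQLite file whose pages are encrypted, so a
# plaintext SQLite database is recognisable by its fixed 16-byte header.
SQLITE_MAGIC = b"SQLite format 3\x00"
PAGE_SIZE = 4096          # SQLCipher's default page size (assumed here)
ENTROPY_FLOOR = 7.5       # bits/byte; random-looking data sits close to 8.0


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: ~0 for constant data, ~8 for ciphertext."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def classify_db(data: bytes) -> str:
    """Classify a database file from its first page."""
    page = data[:PAGE_SIZE]
    if page.startswith(SQLITE_MAGIC):
        # SQLCipher can leave the start of the header in the clear
        # (PRAGMA cipher_plaintext_header_size), so also look past it.
        if shannon_entropy(page[32:]) > ENTROPY_FLOOR:
            return "encrypted-with-plaintext-header"
        return "plaintext"
    if shannon_entropy(page) > ENTROPY_FLOOR:
        return "encrypted"
    return "unknown"


def classify_file(path: str) -> str:
    """Classify an on-disk vault, e.g. the Codebook database in its data folder."""
    with open(path, "rb") as fh:
        return classify_db(fh.read(PAGE_SIZE))


def constructed_samples() -> dict:
    """Constructed first pages standing in for real vault files (not real data)."""
    rng = random.Random(7)  # deterministic stand-in for ciphertext bytes
    return {
        "plaintext": SQLITE_MAGIC + bytes(PAGE_SIZE - 16),
        "encrypted": rng.randbytes(PAGE_SIZE),
        "encrypted-with-plaintext-header": SQLITE_MAGIC + bytes(16) + rng.randbytes(PAGE_SIZE - 32),
        "unknown": bytes(PAGE_SIZE),
    }


if __name__ == "__main__":
    for label, blob in constructed_samples().items():
        print(f"{label:32s} -> {classify_db(blob)}")
```

A high-entropy first page only shows the file is not plain SQLite; it says nothing about key derivation or the app around it, which is the part the thread is debating.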

That’s where I ended up. 1Password I’d rather avoid, but this seems similar in terms of competency. On the other hand, security is not my profession and my understanding only goes so far. Which is why I appreciate the discussion here.

Concur on the encryption algorithm’s open source status.

That could be an interesting discussion: the data itself is verifiably encrypted with an open source algorithm, but the surrounding app is closed-source & unaudited. What’s the potential scope & impact? For what threat models does that still pose a risk?

There could, in theory, be insecure code within the app container and we wouldn’t know. But if you run this within a trusted VM environment (à la Qubes), is it effectively secure and private?

1 Like

For myself, I would be running on macOS from the App Store. So there should be some additional guarantees there - such as a hardened runtime.

Insecure code does worry me. But if they can build SQLCipher they should be competent enough to build a UI on top of it. Nobody is perfect but something I’ve taken into consideration.

I hit up CS a few days ago. They have no interest in open sourcing the UI clients. They confirmed no audits have been completed and pointed to the number of eyeballs that have been on SQLCipher.

To be clear, I’m not advocating to add Codebook as a recommendation. These are just personal considerations I’ve gone through. If I hadn’t had to fight with KeePass so much this wouldn’t even be on my radar.

It’s a good question and beyond my expertise, but my initial thought is that once it’s installed you could just block the app from the internet. Although at that point you have to question whether a self-hosted option wouldn’t be a more effective solution.

I do think this is an interesting point. If the closed source app is made by a development team of a trusted open source project does that somehow make it a bit better?

I would think the really important part is everything related to SQLCipher. The password manager functionality is “just” a thin layer atop that. Read/write to the DB. Generate passwords. Etc.

The various clients are all non-Electron / actually native. With all the Shai-Hulud stuff going around on npm I think that’s a good thing. JavaScript and its ecosystem is seriously busted imo, but that’s a whole other topic.

At the 2012 Black Hat conference, Codebook (then STRIP) came out on top in a password manager comparison [0]. That’s many years ago now and much has changed since then. But I think it does speak to the talent of Zetetic as an organization.

Syncing requires a randomly generated key provided to you (similar to 1Password) and is not based on your password.

Their first-party sync behaves similarly to third-party. It’s an entirely separate set of credentials from your sync information.

I don’t want to go down a rabbit hole because it’s been discussed and argued over on these forums, but this is more open-source than 1Password. They’re not VC funded and are straight-shooters (i.e. not ripping local vaults away from people).

Going back to why I started this: other than the whole trust around open source, etc., very few people seem to talk about Codebook online. This leads me to wonder if something is hugely wrong with it that I’m not seeing, or if being the next big super-funded software project just isn’t what they’re into. Selling SQLCipher B2B probably generates a ton of revenue.

[0] https://media.blackhat.com/bh-eu-12/Belenko/bh-eu-12-Belenko-Password_Encryption-Slides.pdf

1 Like