Credential / Data Security of SafeOnline - how does this work?

Yes it is - could you try configuring a new password to be protected from under an Admin account? It is possible that this is just a permissions issue rather than an issue detecting the keystrokes.

If that doesn't fix it, it might be worth uninstalling and reinstalling fresh to reset it as we've made a number of fixes behind-the-scenes which could correct the protection of pre-configured stored credentials.

 

This is a very valid point and we've been planning to add this functionality as well It is a bit more intricate to add than it would seem, but we're hoping to have it in one of the next builds.

The clipboard protection's goal is to prevent any untrusted outside program from reading clipboard data which could possibly contain secured information. This will be triggered when a secured website is opened, but it won't yet be started if the clipboard text matches a configured password text (we haven't done this yet primarily for performance reasons, but we've now optimized our protection in such a way that it would be possible).

Thank you for the suggestion! I've bumped it up in priority on our roadmap as I do think it is quite a valuable feature to have in place.

 

Hi PrevxHelp, thanks for your reply.

I have previously tried creating the password protection under the Admin account and no protection was provided whether logged on as admin or user. Have also tried configuring as a different user and still no protection.

Have also un-installed and re-installed, as updating over the top of the existing installation wasn't working for me. Have again un-installed and this time used the Prevx Removal Tool, followed by a re-boot and fresh installation (licence key was required). I then re-entered credentials as admin, but still no credential protection.

I love Prevx but why does PSO credential protection hate me?

 

Hi Zorak

Once you have entered a piece of data to be protected, you need to close your browser and re-open it again before the protection is enabled.

If this doesn't work, I would try keeping your browser closed and entering the data from settings/SafeOnline on the main PrevX GUI instead.

Then open a browser and try it. Go to google and type your protected data into the search engine, PrevX should give you a warning when you hit the last character.

 

I don't understand this. Surely its precisely when the clipboard text matches a "configured" password text that the protection is needed most . It is also important that all data is protected against clipboard reads; not just data a user has explicitly protected against phishing.

At the moment clipboard protection is only turned on when a site is visited that has this protection enabled (don't know if it also needs to be an HTTPS site). The protection then stays on until the browser closes, so could be on for most of the session with the browser. It would be better if the clip board protection was simply turned on as soon as the browser was opened. This would protect if a user copy/pastes his/her password into the wrong site without first visiting a protected site.

 

Hi pling_man, thanks for the suggestions.

Sorry, but I had already been doing this.

Just gave this a try, but still no cigar.

 

Joe,
Could you possibly comment on my post #23 in this thread. I am not sure if I am not entering my credentials correctly or whether this is a known problem but I need to use the same e-mail address with different passwords to log in to nearly all the secure/shopping sites I use on the net. If I cannot do this then Credential Protection is next to useless for me.

Sorry not to have drawn attention to this post perhaps being missed before but a nice kind person decided to remove a mile or so of my phone/internet cable early last week and I have only now got my connection back

 

Could you let me know what language your keyboard is in? Some non-English languages have some issues with protecting through Credential Protection, but we're working on a more generic workaround for this.

Thanks!

 

You should be able to do this without a problem - the protection would take place over the passwords themselves, not the email address.

If you enter the password into the "Value to Protect" area, that should allow you to protect each password individually without a problem.

In the "Data Caption", you could enter "eBay password", your email address, or any other piece of information which would help you remember what that particular password is.

Let me know if that clarifies the feature!

 

The clipboard protection is a bit different than I think you're interpreting it as. When the user has a secured website open, or if a secured website has opened at all within the browser session, Prevx instantiates a filter on the clipboard itself - any untrusted program cannot snoop on filter contents, creating a discrete tunnel between the clipboard and the destination program, regardless of what data is in the clipboard.

However, we currently don't analyze what data is in the clipboard to compare it against the protected credentials. The feature we'll add is to analyze the data that is about to be pasted to prevent the user from accidentally pasting their password into an insecure website.

Let me know your thoughts!

 

Hi PrevxHelp.

I'm using English(Australian). Maybe that's the problem, Aussies and English have always been rivals

Will try some changes to my language settings and see what happens. Thanks.

 

I think we're talking about two different things. There are two things clipboard protection could do (should do?):

(1) Copy protect. Protect data copied to the clipboard against malicious programs trying to steal it. This should protect all data copied, not just data that happens to be protected on the Advanced tab of a website. This way if a user does not enter confidential data on the Advanced tab, his/her passwords etc would still be protected against a malicous program's attempts to snoop on the clipboard.

(2) Paste protect. Provide an additional check against "phishing" by analysing the pasted text and checking that the website "owns the data" and is authorised to recieve it. Pasting would be denied or trigger an alert if (i) the data is protected on one or more of the user's websites and (ii) the current website is not one of those websites. In all other cases, pasting would be allowed (i.e. its not protected data, or its one of the correct websites). It will be important to implement this properly so a user can protect the same data on more than one website if he/she wishes.

I think (1) is what SafeOnline does now, and (2) is not implemented yet. My concern was that you imply above that (1) will be changed to protect clipboard snooping only when the data on the clipboard is confidential data, which would weaken the protection IMHO.

Happy to here your views PrevXHelp and views of others.

 

Changed keyboard language to English(US) and English(UK) but still didn't make any difference

 

Joe,
Am I correct in understanding that you are saying that I only need to protect my Password and not the login which is my e-mail address?
If so that makes sense and I think I was mislead by the references to first setting up protection for the login and then setting up protection for the password. In this case can I then follow the setting up of the protected password by protecting my credit card details even though those details would be the same on all protected sites.
ie: How would I protect both the passwords and credit card details per site when the card details are the same each time or is that not possible (or even necessary)

 

Normally, you would protect the password, not the login. However there can be exceptions. If you have a look at post #16, you will see that, in my case, protecting my online banking password is not an option so I opted to protect the login instead, which is unique to that site.

If you want to protect your credit card details across shared websites, I believe that this is possible. What you would need to do is to enter the details against one of the websites as the primary website holding the credentials. The first time you visit each of the other websites that you want to use the credit card with, SafeOnline will temporarily block access and display a security alert with an option to continue and allow access. By allowing access, SafeOnline will then create an exception for that website. In this way, shared access for your credit card details across a number of websites can be built up.

At least that's how I understand it.

 

Many thanks for reply. I have just had a look at your post #16 and also Prevx Helps post above it, so yes, it does seem that I could add credit card details that way. It would also seem to be a way to allow two Passwords for the same site, ie: Amazon, for both myself and my son.
Perhaps Joe will confirm this when he drops in next.

 

Yes, you definitely can - you can have a virtually unlimited number of credentials protected on each website. If needed, you can always remove them with the little red "-" button that appears when selecting an entry within the credential configuration dialog.

 

We definitely aren't trying to play favorites, but it looks like we don't fully have the Australian support in place We'll get this added as soon as possible - the issue will be more low-level than just being able to change the language.

Thanks for the information

 

You're exactly correct in that #1 is what we currently do. However, we're not planning to dilute #1 at all - the current clipboard protection will remain exactly as it is today, but we're going to add in #2 on top of #1.

I hope that clarifies it! Let me know your thoughts!

 

I understand, thanks. Any idea when (2) might be implemented?

 

Thanks PrevxHelp (do I know you well enough now to call you Joe? ). Your willingness to help solve issues which many other vendors would consider trivial is legendary. Whatever Prevx is paying you they should double it!

Cheers

 

You definitely can call me Joe! Glad I could be of assistance! We should have these (and pling_man's "#2") updates in place within the next version of Prevx, due out in the next 1-2 weeks.

I'll keep you all posted as to if we release a beta version first with a preliminary version of the changes prepared.

Thanks again for the help!