tag:blogger.com,1999:blog-3604425971259502766.post1714665892060792237..comments2009-10-26T19:18:51.496+01:00Damonhttp://www.blogger.com/profile/17362087152286203901noreply@blogger.comBlogger2125tag:blogger.com,1999:blog-3604425971259502766.post-70436961298800239912009-10-26T19:18:51.496+01:002009-10-26T19:18:51.496+01:00@Will The plain-text password is a known issue. I just haven&#39;t found a way to fix it that I like yet. As for verifying that the content of hushnote hasn&#39;t changed, I gave it some thought. I don&#39;t think it&#39;s possible to do that without having out-of-band monitoring or checking of the content. A browser extension would be ideal. In the mean time, I can offer you <a href="http://code.google.com/p/hushnote/source/browse/hushnote_hash.py" rel="nofollow">this script</a>. Also, I use Oplop to generate my hushnote password. If a baddie did change the source of the page, he could send himself anything he wanted (passwords, labels, notes, etc.).Damonhttp://www.blogger.com/profile/17362087152286203901noreply@blogger.comtag:blogger.com,1999:blog-3604425971259502766.post-86651175277175379932009-10-26T16:00:21.045+01:002009-10-26T16:00:21.045+01:00Sweet! It would be nice if it didn&#39;t show my passwords in plain text as I type, though. (Happens in Chrome 4.0.220.1 on Linux and Chrome 3.0.195.27 on Windows at least).<br /><br />And another question from the paranoid peanut gallery: it seems that unless we want to audit the Javascript *every time* we use hushnote, we&#39;re basically relying on you staying honest/secure. (SSL just tells us that we&#39;re really connected to hushnote.appspot.com; it doesn&#39;t assure us that what&#39;s hosted there is what we want).<br /><br />In other words, it seems like info stored on hushnote is only as secure (for all users) as Damon&#39;s personal Google Account password. When Evil Hacker {Wom,M}an hacks your google acct, they can then upload different code to hushnote that has an identical UI but that sends (say) my oplop master password and my hushnote label straight to the baddie.<br /><br />If not, then it seems like the right thing is to use a different oplop master password for hushnote than for everything else, and to only store things like oplop labels in my hushnote file.<br /><br />Am I missing something?<br /><br />Thanks for writing this. If I can satisfy my paranoia, it will noticeably improve my life. :)Will Robinsonhttp://www.blogger.com/profile/04869187254019491304noreply@blogger.com