Encryption / Ferdium Lock

[eshate]

Your issue

Firstly: I'm really sorry if there is an answer for my question somewhere. I was really looking everywhere, even in Ferdi/Franz documentation and I couldn't find exact answer. Even if there is an answer somewhere - it's really hard to find it, though. So maybe this topic is needed. Also, please note that I'm not a technical person, so if the anwer is inside the code - It's not easy for me to find it.

Security / Encryption / Ferdium Lock

I need an information about what data is stored on the computer and how it can be retreived by someone else, having my computer opened. We have these options:

1. I am using Ferdium login and storing everything in the cloud. Can you retreive messages, and access to my services if I'm logged out?
2. How really works Ferdium Lock? Is it encrypted somehow? What can be retreived from Ferdium if I am logged in - but locked Ferdium by this Lock Feature? Is it really safe or it's just a front-end feature and everything is actually visible from data stored on the computer?
3. Do you think to use encryption in the future?

I really like Ferdium, because I can use some messengers in one place. It really would be a great thing if this "Ferdium Lock" feature really could give a decent security. I know that Ferdium is not build for security, but maybe there are chances to improve it?

Thank you for your answers.

PS. Please label it as a question, I couldn't find how to do it

[SpecialAro]

Hello 👋

I'll try to answer some of your questions:

1. We don't have ANY access to your data inside each service. The only thing we store per service is the cookies - which helps you to login automatically, like any other browser, by using a authToken that basically authorizes you to access a certain page with your credentials (without never having actual acesso to them).
   If a malicious user gets a hand on your computer, unless you revoke those cookies, Ferdium would still have access to those credentials (maybe @vraravam or @kris7t can help clarify this).

2. As I said previously, we don't store any access data related to the inside of each services. The only data we store is you Ferdium Account data (your name, login email and password), which Services you have inside your account and which Workspaces you have.
   You can log in to https://api.ferdium.org/user/login with your Ferdium credentials and access https://api.ferdium.org/user/data to see all this that I described (all your data).

The Ferdium Lock feature, as far as I know, is only a front end feature to lock all app if you're away from your computer. This is useful if you leave your computer and want to lock Ferdium so that you prevent anyone from getting a hand on the app.

The Ferdium Lock password is encrypted and only stored locally (I'm currently on mobile so I can't confirm this right away, but I'm 95% sure of this given that I've taken a look at this portion of code before, when trying to solve a related issue). Nevertheless, if someone tries to access Ferdium, they can try to mess with your local Ferdium config files to change the password, but I'm not really sure they can change it and get access to the app itself.

3. I'm not entirely sure about this being useful at all, rather than to protect your "account" information and your "cookies". So, maybe it might be overkill to try to encrypt all the data at the user-end config file... But I'm not a cyber security expert, so maybe I'm wrong about this.

Generally, I think that your concern is more like a global concern of overall computer security, and not totally related to Ferdium - I think that if anyone gets access to your computer, all your data (Ferdium and not Ferdium related) can be compromised... So I would recommend you to try to secure your computer first (with passwords, security keys, auth systems), which will for sure be a strong barrier for someone trying to get into your computer.

[kris7t]

I second what @SpecialAro said. We don't have access to any of your user data (besides the list of services you have added, which is synchronized across you machines if you use the online synchronization feature of Ferdium).

In general, locking an application while your computer is not locked is a tricky thing: https://textslashplain.com/2020/09/28/local-data-encryption-in-chromium/ In theory, Chromium (on which Electron and Ferdium are built) support encrypting cookies on some platforms. However, the encryption key is easily extractable on Windows, so this leaves MacOS. Unfortunately, even there, Electron doesn't support what would be required for a secure "password lock" feature: electron/electron#32407

In the light of this, Ferdium doesn't use cookie encryption and the password lock is only there to deter casual attackers (who aren't able to or don't have an opportunity to extract the cookie storage files). You should rely on full disk-encryption of your OS for protecting your data (including Ferdium cookies) at rest, the security practices of your OS to protect your data from remote attackers, and the OS lock screen (and things like the IOMMU in the case of more exotic attacks) for protecting your data from local attackers.

In the future, if Chromium and Electron improve encryption supports, it might be possible to create a password lock with real strength (in the meantime, I was actually arguing for the removal of the password lock feature to avoid giving a false sense of security, but I digress). However, the chances for this are slim, because the kinds of threats models that would be addressed by a password lock feature are much easier to address on the OS level.

The single scenario that would be addressed by a (current nonexisting) secure Ferdium lock, but not the OS itself, would be when you give physical access to someone to your computer, but you don't want them to have access to your Ferdium accounts. However, please keep in mind that

1. The very same accounts are probably also logged in in your browser, where no such password lock feature exists (a master password for a password manager is similar, but inadequate, because it doesn't cover already available cookies).
2. A much more secure way to do this (i.e., if you need to lend a computer to someone) is to only let them access an unprivileged guest account, and rely on OS access controls and/or home directory encryption to keep them from your personal data.

[eshate]

Okay, first thing - of course - thanks for fast and solid answers!

Now I can see that I've been misundestood - or rather I wrote it wrong (english is not my native and sometimes I fail). I used "YOU" in my examples, but what I had in mind was "SOMEONE" - so I was not thinking about "YOU" having access to messages (because I know it already from FAQ that you don't have) - but "SOMEONE" who can have short access to my computer. This concernes was addressed by @kris7t in his post, so I am pleased actually, but I have an idea to wrap it up and then close this Issue (or give it few days for others to comment as you feel).

So If I understand well - there is no encryption addon for electron projects, and it never would be more secure than Chromium. Now I will provide my point of view, like "what would be great in my model" to clarify my needs - just for better undestanding. Oh, and please let's not go into "your model is not what most of people do" kind of thing - just let it be, I know this.

The very same accounts are probably also logged in in your browser, where no such password lock feature exists (a master password for a password manager is similar, but inadequate, because it doesn't cover already available cookies).

Let's begin from here. Actually that's not true in my case - and that's why am asking about this in the first place. My browsing model is about to clear all of the cookies (whitelisting some minor sites) and using password-manager to log-in everytime. And from what I know - it's not a totally nerdy behaviour - a lot of people do this and it's not considered as "spy-stuff".
And I am using Ferdium mostly for "messenger-all-in-one-app", because it's easier than installing five native apps. And the option to have "one fast password" for them - oh, even better.

I think that I got an answer already, but let's clarify with these simple questions-examples:

1. Case one: I'm using Ferdium with account. I am NOT LOGGED into Ferdium app, and app is not running. Someone's have the minute to copy my Ferdium data folders. When he go deep into that folders - can he retrieve passwords/messages etc?
2. Case two: I'm using Ferdium with account. I AM LOGGED IN, but locked my account with Lock feature. And the same - if someone magically could copy data-folders - what could he retrieve?

• For these two cases let's assume that all apps have been auto-logging with cookies.

So what I see here? A realistic enhancement, maybe:

• Possibility to have some integration with password managers, and that's actually a possibility to have some crucial Chrome-Extensions working - but that's another topic I guess.
• I was thinking about sort of encrypted container - but you already explained me that electron is not supporting this kind of ideas.
• Built-in password manager, where master-pass is actually retreiving all cookies?

So yes, it's all about making Ferdium a handy app also for people who doesn't like to be always logged in. And if I decide to not clear my cookies - maybe there's another way to protect them.
My answer for the case is simple, if I want to protect my stuff while I can't have full-disk encryption (or need my computer to be on) - and that's installing Ferdium in VeraCrypt encrypted container.

About rest, to be clear:
IF YOU WANT TO BE SAFE, ENCRYPT YOUR MACHINE AND THEN THINK ABOUT SOFTWARE ISSUES.

Big thanks for your time, again! 💙

PS. Before you decide to close this issue - please add also a 'security' label to the first post, I think it could be handy.

[kris7t]

Case one: I'm using Ferdium with account. I am NOT LOGGED into Ferdium app, and app is not running. Someone's have the minute to copy my Ferdium data folders. When he go deep into that folders - can he retrieve passwords/messages etc?

Yes, they will be able to access your session cookies. Passwords are probably not stored directly (depends on the web application, but it sound like an outrageously bad idea, so I doubt any serious application would do that), but some messages may be cached locally (again, by the web application), too.

Case two: I'm using Ferdium with account. I AM LOGGED IN, but locked my account with Lock feature. And the same - if someone magically could copy data-folders - what could he retrieve?

Same as the above.

Possibility to have some integration with password managers, and that's actually a possibility to have some crucial Chrome-Extensions working - but that's another topic I guess.

This is a good idea, but a bit hard to do in practice. Ferdium isolates each service as a Chromium "partition", and each partition can have its own WebExtensions. So it would not only require adding extension support to Ferdium, but we'd also have to make sure that each "copy" of the extension in each partition plays nice with each other.

I was thinking about sort of encrypted container - but you already explained me that electron is not supporting this kind of ideas.

If you want this kind of functionality, maybe a transparent, filesystem-level encryption of the data directory of Ferdium (e.g., eCryptfs or CryFS would work. However, you'd need to unlock and lock the encrypted contained manually before/after running Ferdium, since, for obvious reasons, it wouldn't be able to start and unlock its own files while they are still encrypted.

Built-in password manager, where master-pass is actually retreiving all cookies?

If this was possible (i.e., control how Chromium retrieves the cookies), making the password lock actually secure would be easy. However, at the moment, Electron or Chromium offer us no API to do this. (Okay, actually, we had a bug a few months ago where we broke Chromium's cookie storage, and no cookies were saved or loaded at all. Nevertheless, there's no way to deliberately control this.)

[eshate]

Yup, it's all clear for me now. In a way that my own quote...

if I want to protect my stuff while I can't have full-disk encryption (or need my computer to be on) - and that's installing Ferdium in VeraCrypt encrypted container.

... it's kinda facepalming. I forgot that there's AppData folder also, so installing software in a container like this would give me just nothing (just to be said - I cannot encrypt full-disk, because I cannot make a backup for it now - so I'm not ready to take that risk)

[eshate]

... but there is Ferdium portable version available, and this is a moment when I realise that everything was told in this topic. Closing it, if you don't mind. Thanks again and long live the project!