
SecretBook

Encrypted personal information database.

Version:  4.0.5

Security problems?

Feedback Type:  Review

Contributed by: xplicit Tuesday, September 16 2008 @ 03:23 AM PDT

Product Platform: MacOSX

Used Product For: Less than a month

Recommend Product: NO

Seems to me like an app with some serious problems. Version 4 released, three days later the first patch, 4.0.1, with the download containing version 4.0.2 ??? What's going on? Security Problems? I don't feel I can trust this app.

Some interface flaws too: You can choose an icon for a new group, but that's all, the standard fields are the same for all groups. Funny, same field names for all purposes. Or you want to create a new document, choose a template but then you change your mind and click cancel. The new document is created anyway. But with what settings??? Where is it saved, what password does it have, and so on.

PS: Don't try serials you "find" on the net, SecretBook sends home your user name via Safari.   
Comments

2 comments

Security problems? - information graphics

Some people are never happy. Some comment that there are not enough updates, some complain that there are too many. The recent updates have been due to bugs with the iPhone sync and with the AutoOpen feature, nothing to do with security. The version 4 upgrade was a major update changing almost all parts of the code so there were inevitably some minor issues. There have been no issues at all with data loss or any of the security code.

SecretBook is very secure, and the iPhone sync especially so. This adds to the complexity of the application. The bug that was fixed in the iPhone sync was in the remote authentication code, using a protocol called SRP. The way this works is that the two sides of the sync both exchange a series of numbers that prove that both sides know the password, without sending it over the network at all. This also establishes a shared secret key that is used for encrypting the subsequent message flow. I don't know of any other applications that go to this length to protect the sync information, most applications don't even document the protocols they use for network authentication. The bug caused a crash before the session was established, so there was no vulnerability involved.

The second point (fixed set of fields) is just plain wrong. You can have as many fields as you want on any Group or Secret. You can define a default set for each group or you can add your own one at a time. Most other apps don't have this flexibility. All the fields that you define sync with your iPhone too.

And the PS, what a load of rubbish. Many SecretBook users use Little Snitch or other tools to ensure this kind of thing doesn't go on. Unlike some other applications SecretBook doesn't integrate with Safari. This allows you to use the Unix process separation to ensure that your passwords are only in one place. I'd like to know where you got this information from? Or was it just made up?

I do agree though that you shouldn't use stolen serial numbers :-).

Thursday, September 18 2008 @ 07:32 AM PDT


Security problems? - information graphics

Some people are never happy. Some comment that there are not enough updates, some complain that there are too many. The recent updates have been due to bugs with the iPhone sync and with the AutoOpen feature, nothing to do with security. The version 4 upgrade was a major update changing almost all parts of the code so there were inevitably some minor issues. There have been no issues at all with data loss or any of the security code.

SecretBook is very secure, and the iPhone sync especially so. This adds to the complexity of the application. The bug that was fixed in the iPhone sync was in the remote authentication code, using a protocol called SRP. The way this works is that the two sides of the sync both exchange a series of numbers that prove that both sides know the password, without sending it over the network at all. This also establishes a shared secret key that is used for encrypting the subsequent message flow. I don't know of any other applications that go to this length to protect the sync information, most applications don't even document the protocols they use for network authentication. The bug caused a crash before the session was established, so there was no vulnerability involved.

The second point (fixed set of fields) is just plain wrong. You can have as many fields as you want on any Group or Secret. You can define a default set for each group or you can add your own one at a time. Most other apps don't have this flexibility. All the fields that you define sync with your iPhone too.

And the PS, what a load of rubbish. Many SecretBook users use Little Snitch or other tools to ensure this kind of thing doesn't go on. Unlike some other applications SecretBook doesn't integrate with Safari. This allows you to use the Unix process separation to ensure that your passwords are only in one place. I'd like to know where you got this information from? Or was it just made up?

I do agree though that you shouldn't use stolen serial numbers :-).

By the way, 4.0.3 is out today.

Thursday, September 18 2008 @ 07:35 AM PDT
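The SRP exchange the developer describes in both replies (each side sends numbers that prove it knows the password, the password itself never crosses the network, and both sides end up with the same session key) is shown below as an added example; it is not SecretBook's code. It follows the SRP-6a equations but uses a constructed demo group instead of a standard RFC 5054 group, and the names `enroll` and `srp_session` are hypothetical.

```python
import hashlib
import hmac
import secrets

# Constructed demo group: a Mersenne prime modulus and small generator, used only
# so the arithmetic runs quickly. Real deployments use an RFC 5054 group.
N = 2**521 - 1
g = 5
NLEN = (N.bit_length() + 7) // 8

def to_bytes(n: int) -> bytes:
    return n.to_bytes(NLEN, "big")

def H(*parts: bytes) -> int:
    """Hash the concatenation of byte strings to an integer."""
    return int.from_bytes(hashlib.sha256(b"".join(parts)).digest(), "big")

k = H(to_bytes(N), to_bytes(g))  # SRP-6a multiplier parameter

def enroll(username: bytes, password: bytes):
    """Registration: the server keeps only (salt, verifier), never the password."""
    salt = secrets.token_bytes(16)
    x = H(salt, hashlib.sha256(username + b":" + password).digest())
    return salt, pow(g, x, N)

def srp_session(username: bytes, client_password: bytes, salt: bytes, v: int):
    """Run one client/server exchange; return (client proof accepted, keys equal)."""
    a = secrets.randbits(256) + 1          # client ephemeral secret
    A = pow(g, a, N)                       # client -> server
    if A % N == 0:                         # server must reject a degenerate A
        raise ValueError("invalid client public value")
    b = secrets.randbits(256) + 1          # server ephemeral secret
    B = (k * v + pow(g, b, N)) % N         # server -> client
    if B % N == 0:                         # client must reject a degenerate B
        raise ValueError("invalid server public value")
    u = H(to_bytes(A), to_bytes(B))        # scrambling parameter, both sides
    # Client side: recompute x from the typed password and derive the premaster S.
    x = H(salt, hashlib.sha256(username + b":" + client_password).digest())
    S_client = pow((B - k * pow(g, x, N)) % N, a + u * x, N)
    # Server side: derive S from the stored verifier, never from the password.
    S_server = pow((A * pow(v, u, N)) % N, b, N)
    K_client = hashlib.sha256(to_bytes(S_client)).digest()
    K_server = hashlib.sha256(to_bytes(S_server)).digest()
    # Client proves it holds K; server checks with its own K before sending data.
    M1 = hashlib.sha256(to_bytes(A) + to_bytes(B) + K_client).digest()
    expected = hashlib.sha256(to_bytes(A) + to_bytes(B) + K_server).digest()
    accepted = hmac.compare_digest(M1, expected)
    return accepted, K_client == K_server
```

With the right password both sides derive the same key and the client's proof verifies; with a wrong password the keys differ and the server rejects the proof before any encrypted sync data is exchanged.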