This morning I booted my work laptop as usual and logged in to Windows, then my password manager (Dashlane, if it makes a difference) as usual.

Opening up Chrome and browsing to a site with HTTPS however gave me a certificate authority not trusted warning.

Group policy changes overnight had installed a company wide certificate. Is my Dashlane password compromised?

  • You should consider it compromised already at the moment you typed it on a machine that someone else administers. – techraf May 25 '16 at 00:03
  • I'm not certain, but [from this](https://www.dashlane.com/security) I think that Dashlane never transmits your master password, so the cert doesn't make a difference. That said, the wording seems a bit weird to me, so I'm not certain that is the case. As @techraf points out, you either trust your company or you don't. If you trust them, then you're fine. If you don't, then they could steal your password without the CA (eg: a key logger), so you're hosed. – Neil Smithline May 25 '16 at 02:09
  • Related: [Security analysis of Dashlane](https://security.stackexchange.com/q/74656/11825). – kenorb Oct 10 '17 at 20:35

The important question here is whether you trust your company or not.

  • If your company isn't trustworthy they could easily steal your password without a certificate (e.g. by using a key-logger).
  • If your company is trustworthy the fact that they have installed a certificate on your system doesn't matter, since you trust them anyway.

Should the fact that they installed the certificate make you rethink how much you trust them? Probably not - companies doing this is quite common, and there are legitimate reasons besides spying on employees.

Would the certificate help them if they wanted to get your Dashlane password? It doesn't seem that way, but I am not 100% sure. They claim to "never store even a derivative of your Master Password" on their servers. Instead, they decrypt the data locally:

> You use your Master Password to only decrypt your own data locally on your computer, and your data is successfully decrypted only if you provided the right one.

So I see no reason why they should send it over the internet, and if it is not sent over the internet the certificate would not help your company to steal the master password.

The passwords the master password protects, however, will be visible to your company if you use them to log in to websites, since the certificate will enable them to read your HTTPS traffic. But again - back to the basic question - do you trust your company?

  • Thanks for the response. I agree from the Dashlane website it appears that it's not transferred. It appears that they're only doing cert swapping on non-whitelisted domains, so most of the logins are actually OK. Not concerned with keyloggers at this stage either so I think I'm safe. Thanks again. – aliask Jun 01 '16 at 12:27
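As an added illustration (not code from the question or the answer) of how to see which HTTPS destinations the company-installed certificate is actually being used to re-sign, the script below connects to each host with normal verification, reads the leaf certificate's issuer and SHA-256 fingerprint, and flags hosts whose issuer is the corporate CA. The CA name in `CORPORATE_CA_NAMES` and the hosts in the `__main__` block are placeholders; take the real name from the certificate warning or the machine's trust store.

```python
import hashlib
import socket
import ssl

# Placeholder: the corporate CA's name as shown in the certificate warning
# or in the machine's trust store (certmgr.msc). Adjust for your environment.
CORPORATE_CA_NAMES = {"Example Corp Root CA"}

def issuer_names(cert):
    """Collect commonName/organizationName values from the issuer field of a
    getpeercert() dict (a tuple of RDNs, each a tuple of (key, value) pairs)."""
    names = set()
    for rdn in cert.get("issuer", ()):
        for key, value in rdn:
            if key in ("commonName", "organizationName"):
                names.add(value)
    return names

def is_intercepted(cert, corporate_ca_names=CORPORATE_CA_NAMES):
    """True when the leaf certificate was issued by the corporate CA, i.e. a
    TLS-inspecting proxy re-signed it instead of the site's public CA."""
    return bool(issuer_names(cert) & set(corporate_ca_names))

def fetch_leaf(host, port=443, timeout=5.0):
    """Return (cert_dict, sha256_fingerprint) of the server's leaf certificate.
    Verification stays on, using the OS trust store (which now includes the
    group-policy root), so the result is what the browser also accepts."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            cert = tls.getpeercert()
            der = tls.getpeercert(binary_form=True)
    return cert, hashlib.sha256(der).hexdigest()

def scan(hosts):
    """Map each host to 'intercepted', 'direct' or 'error: ...', so pass-through
    (whitelisted) domains stand out from those the proxy re-signs."""
    report = {}
    for host in hosts:
        try:
            cert, fp = fetch_leaf(host)
            status = "intercepted" if is_intercepted(cert) else "direct"
            report[host] = f"{status} issuer={sorted(issuer_names(cert))} sha256={fp[:16]}"
        except OSError as exc:  # ssl.SSLError is an OSError subclass
            report[host] = f"error: {exc}"
    return report

if __name__ == "__main__":
    for host, line in scan(["www.dashlane.com", "example.com"]).items():
        print(host, line)
```

Comparing a host's fingerprint with the one seen from a network the company does not control (a phone on mobile data, for instance) confirms whether the certificate was re-signed on the corporate path.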