Clipperz Security Analysis - Sikurezza Mailing List

2008

12 March 2008

Event: N/A

What: Clipperz

clipperz password-manager security-analysis xss browser-security zero-knowledge

On March 12, 2008, Francesco “ascii” Ongaro took part in a lively technical discussion on the Italian sikurezza.org mailing list, archived by ml.sikurezza.narkive.com, about the security of the Clipperz password manager. Ongaro critically analyzed the application’s client-side architecture, emphasizing how XSS vulnerabilities or vulnerable plugins could compromise the security of encrypted data even in a “zero knowledge” model. He illustrated concrete attack scenarios and criticized the idea of using the browser as a secure tool for managing sensitive credentials. His post received a direct response from Clipperz CTO Giulio Cesare Solaroli, who defended the platform’s architectural choices and the security mechanisms it implements.

Archived PDF document