Give your feedback on Browserpass v3 #331
Comments
|
Great news, thanks! Looking forward to giving it a try. |
|
Huge fan. Do you have a write-up of the changes yet? |
|
I think the best documentation I have is both README files in browserpass-native and browserpass-extension repos, it doesn't list changes per-se, but it explains everything that's now possible. My favorite change is of course how popup looks and behaves now, much fewer keystrokes needed for daily operation. In addition, a lot has changed internally in the communication protocol between extension and the host app, it's richer and more extensible (if you want to dig into it, see PROTOCOL.md). |
|
@maximbaz Thank you very much for your hard work. Some initial feedback after reading the documentation and before installation. I really like the anti-phishing protection. It seems to be really well designed, both its UI and UX. Good job. I've been waiting for v3 for quite some time now as I thought it would help me with all these multi-steps authentications forms (e.g., with otp, or with username in a form and password in another). I'm sad that it seems v3 won't help after all (at least for otp). It's perfectly fine not to implement a feature if you don't want to but I'm not sure about the reason you give. If it's only for security reasons, then I think you should let the user decide what is best for them (it can be through an option protected by a big red warning text). Because I'm more frightened to stay connected on websites and to leave cookies around, I clear cookies as soon as I close a browser tab: using my phone for OTP would be too cumbersome. I'm very surprised that installing the native application requires |
|
Hi, my install of brave (on funtoo) does not react to the host being installed with hosts-brave and policies-brave. It does, however, work with host-chromium and policies-chromium. I like the new UI. However, did you remove support for OTP? Because I could not figure out how to generate tokens, which worked in the 2.x release. |
|
Thanks for the feedback!
Multi-step authentication is still planned #286 (up until now I was trying to at least reach feature parity with v2, so that I can finally focus solely on v3), but yes OTP was intentionally not re-implemented in v3. I simply don't want to have a feature that I don't want people to use, spending time implementing something and then covering it up under settings with big red warnings is a waste of energy. In v2 I was both unhappy with having the feature in the first place, and the way it was implemented (e.g. static digits that were not updating). The reason I put in README is attempting to explain why I won't accept a PR; I think Browserpass should not promote pass-otp.
You need
That's quite weird, could you please investigate some more? I took the target paths from your PR #295, but maybe the paths for Brave browser are not correct? Could you please remove the symlinks created by |
|
Oh, just realized I didn't write it anywhere, don't use |
|
In that case, I'm probably going to stick to v2. I understand where you're coming from with the reason to not include it, but I'm not trying to protect myself from someone getting into my passwordstore. I'm trying to protect myself against someone who pwned some service's password database, and in that case, it doesn't really matter where my OTP is coming from. If I'm at the point where someone has gained control over my computer to the point where they can access pass, I'm fucked either way. |
|
I understand your point too 👍 There's also an option to implemented a dedicated pass-otp browser extension, if someone feels passionate about it 😉 |
|
Maxim Baz <notifications@github.com> writes:
There's also an option to implemented a dedicated pass-otp browser
extension, if someone feels passionate about it 😉
in this case, would you accept a PR adding OTP support to your native
application? This would be less work for the volunteer who would only
have to maintain a browser extension and the end users.
…--
Damien Cassou
http://damiencassou.seasidehosting.st
"Success is the ability to go from one failure to another without
losing enthusiasm." --Winston Churchill
|
|
It worked before, but I now get "Error: Attempt to postMessage on disconnected port" in the popup. |
Native application will require no changes, it is intentionally implemented in such a way that it contains almost no logic, everything is done on javascript side. I will gladly assist the volunteer on how to integrate the existing native app with their extension 👍 In particular, there is a If someone starts the work and has questions, please create a new Github issue for focused discussion.
Sounds like the host json file is either misconfigured or contains incorrect path to the binary, how did you install it and what changed since it worked? |
I found the reason. Because browserpass v3 is not on AMO yet, I installed it as a temporary add-on. This got reverted to v2 when I restarted the browser. I fixed that by re-installing (now 3.0.1). But this is soon getting to be annoying because I regularly restart Firefox. Do you know when AMO will get the new version? |
|
I'll release as soon as I get at least few people to try and confirm in this thread that everything works. Also hoping I get all OS package maintainers to respond in browserpass/browserpass-native#31. Since this is a big breaking release, I want to build at least some amount of confidence that users will be able to upgrade seamlessly, especially because as soon as I publish extension on webstores, users will receive auto-update and will need to go and install new native host right away. So ideally I would synchronize the update with OS package maintainers, and do it on Thursday or Friday, so folks have weekends to sort this out and I'm around to help debugging urgent issues. |
|
Thanks for your extensive reply, @maximbaz. It is clear that you have exhaustively searched for solutions! |
|
@maximbaz, Will the new extension detect when an old native host is installed, and give (a link to) appropriate update instructions? (As opposed to the old "Error: Native host has exited".) |
|
not really, partially because it's a completely different native host, with different ID, the new extension doesn't know anything about the old native host because it must be configured with new json files; but also because theoretically v2 and v3 can run side by side so it doesn't make sense if v3 starts to complain about the presence of v2 app. What will happen though is once browser extension gets installed or upgraded to v3, it will show notification with a link to Github with instructions on how to configure the new host app. |
|
Hi @maximbaz The installation process on Mac seems quite a bit more burdensome in v.3 with additional packages having to be installed etc. After running into issues I tried https://github.com/gopasspw/gopassbridge (which also supports OTP) and the installation process is much smoother. My main point though, now that the backend has been separated from the browser plug-in, wouldn't it make sense to just adapt it to gopass with its json api and native messaging? This would make the installation process easier across all platforms and allow more development effort for improving the browser plug-in as well as potential for synergies with gopass bridge. I have no issues with running both pass and gopass on my system. |
|
Thanks for the feedback 🙂 If by "additional packages" you refer to the fact that you had to install browser extension manually - this is because we are in pre-release mode, but starting from tomorrow the new extensions will hit Web Stores 🎉 But if you refer to the "native host app", just like in v2 we have to have this extra app in order to give browser extension access to files on your local system - however both v2 and v3 have a user-contributed homebrew tap for Browserpass for macOS, so installation should hopefully be smooth. I had similar idea about gopass json api, in fact I did propose at some point to align with gopass api, but this idea didn't get any interest. However, remember that we also want Browserpass to work for people who only use The switch from v2 to v3 is painful, but we learned a lot and I do believe future updates will be much smoother. |
|
@maximbaz, The extension just got updated for me. It gives an error message: "Error: Error: Attempt to postMessage on disconnected port". No update instructions. |
|
Was there no update notification? 😞 Please follow the instructions in this repo, you need to install and configure a new native host app: https://github.com/browserpass/browserpass-native |
|
@maximbaz There was a notification that the extension got updated, but this disappeared after a few seconds and could easily be missed. It would be better if the extension gives a useful error message :) Edit: by the way, I can't find browserpass in community on Arch. |
|
I'm pushing it right now 😉 If you are on Arch, I would highly recommend you uninstall extension from Web Store, and instead install EDIT: packages are available in |
|
The packages you pushed seem to work, thanks! |
|
Package updated to broken state without warning. New package has completely removed OTP functionality. No simple manner to revert to the functioning OTP-aware version of package. |
|
Make sure to read FAQ for what happened to OTP and how to revert to a legacy version. |
Doesn't work on MacOS. Adding a temporary extension every time I use my damn browser isn't happening. You have deliberately broken the extension which was installed in good faith. A breaking change like this should not have been forced on people, rather a new extension should have been made available and a 'nag-screen' added to the existing functional extension. Your FAQ on OTP is, frankly, insulting. otp-pass exists for good reason, bringing otp functionality inside the gpg-encrypted password store. Your extension, amazingly, doesn't even rely on passwordstore any more. |
We have deliberately provided a significant upgrade in good faith. If you don't like it, you are welcome to continue using the legacy version - nobody is stopping you, and we have even provided documentation explaining how to do so. If you have additional constructive questions, please feel free to post them here, and we will address them. This is not a forum for general ranting and ad-hominem however. |
If this isn't working for you on MacOS, could you please open a new issue on this repo explaining the problem, and we'll look into it. Permanent install on MacOS should definitely be possible. |
|
Yes, a popup occurred. On macs, the popup stated that v3 was a major upgrade, and provided a non-clickable link to github. It did not specify that this was a breaking change. The first I knew that a new additional program element was being introduced was this mornings "New major update is out", which appeared after the extension had updated. The first time I was informed that OTP functionality had been removed was when I came to github to find out how to make the extension functional.
If this is the case, why is this not specified in the release notes for this release? Instead there's a lot of, frankly, hectoring notes regarding why using OTP is bad and noone should do it. There's no indication, at all, that OTP support is something which is actively being pursued, just very insulting language about why it isn't.
The popup should have specified, in the lede that autoupdating should be disabled until the user had the opportunity to evaluate the new, and non-functional, extension. Not everyone has the time or the headspace to follow the development cycle of every app, extension and program which they are using. Presuming that people do is not a good look. Moreover, the extension updated itself to a broken state. You can say that you had a popup, but that popup was not informative, and did not provide (at least on macs) anyway of following, or even seeing the full content of, the link. I've attached screenie of the popup for information. The only information I had was the error message
Having had this discussion, and having had things outlined in such a frank and engaged manner, I am perfectly happy to try the new extension. This whole thing should have been handled in this manner from the off. |
Normally major version numbers are only changed on a breaking release. That's the whole point of semantic versioning. However, I freely admit that we're seeing that from a development perspective, and perhaps that wasn't sufficiently obvious to everyone else. Feedback taken on board - we'll try to be clearer about that next time.
It's not in the release notes anywhere because v3 never did anything with OTP in the first place - there was no release of v3 in which OTP changed, it was absent the whole time. Our release notes generally list PRs that have been merged since the previous release. The lack of OTP in v3, and the reasons why, are detailed in the FAQ.
Good point - we overlooked that, so thanks for pointing it out. This information has now been added to the README.
That's really good to know. Our testing did show the whole message, but it looks like something may be a bit different on the Mac side, even though the browser is the same. That the link was truncated on your system is troubling (thanks for the screenshot), and something we need to address.
Sounds good. Let us know if you encounter any issues with it - we've ensured we have round-the-clock eyes on the project during the release (hooray timezones), so if you find anything major, we should be able to address it reasonably quickly. |
|
And i cannot find where to change the password store location any more |
|
In extension options, click on "Add store", fill it in and hit "Save":
|
|
Thats not possible as the error blocks that window from opening. I Should be fixed so that if the directory doesn't exist you can still set those options. |
|
Nice finding @symonds, will fix 👍 |
|
@symonds Fixed in browserpass/browserpass-extension#94. |
The problem seems to be fixed now. |
I feel the transition could have been handled far more eloquently.
Thank you very much for Browserpass, it is absolutely awesome. And I hope the above feedback helps make it even better. |
|
@aral Thanks for your feedback - I feel your pain, it's frustrating! We did try to warn people - we've been displaying a launch popup about this for the last week - but there are aspects of the transition and the warning process that we could improve on for next time something like this comes up.
Releasing an entirely new extension under a different ID every time a breaking change occurs is simply not practical. Ideally, we'd have it check the native app version and delay the upgrade until the native app is upgraded, but sadly the various webstores don't provide us any mechanism for implementing this. If you have a suggestion for how this could practically be achieved, without cluttering up the webstore with multiple extensions, we'd love to hear your ideas.
Normally this will be the case. We couldn't do it in any practical manner for the upgrade from v2 to v3, because the entire protocol for communication with the native app has fundamentally changed. However, we designed the v3 protocol specifically with this issue in mind, because breaking changes are frustrating for everybody involved. Going forward, it should be possible to update the browser extension, and have it continue to function correctly with an older native app. There might be the occasional new feature which doesn't work until the native app is updated (although most new features will not require an update at all), but none of the existing functionality should break. |
Look - I can understand the semantic explanation here. What you're saying is the same as Dennis Hopper on the set of Apocalypse Now arguing that he hasn't forgotten his lines because he never learned them. However:-
That should be in the release notes. It is a major change to the program. It is the removal of essential functionality for many people. Like others, I am tremendously thankful for all that the team has done with browserpass. I don't understand why you've chosen to be this actively hostile to users, and so defensive when users react to being treated like this. |
even though I regret the support for OTP, I don't see any hostility or insult in the maintainers' writings. In my opinion, the maintainers have done quite a good job at explaining their reasoning and at taking into account every feedback they got. |
|
@dg01d OTP functionality now exists. |
Browserpass v3 was written from scratch, and is quite different than the current version. Please give it a try, and let me know your thoughts!
The release date is set for Saturday, April 13
Post feedback directly in this thread, I will triage and create follow-up issues when necessary.
It is not backwards compatible, so you'd have to install a new version of the host app as well.
Native app: How to install
Browser extension: How to install (install manually, don't use
policies-*make targets as v3 is not in Webstore yet!)I recommend you reading the entire README of the
browserpass-extensionproject, it contains description of some new behavioral changes.If you really hate the new Browserpass, don't worry, the current version will not be removed from the Github, so you will always be able to keep using it.
If you use Arch Linux, to get Browserpass v3 you can add my repo or just fetch the compiled package from here.
The text was updated successfully, but these errors were encountered: