Security of 1Password X and other plugins
Are you able to provide a statement regarding the security of 1Password X when used with other anti-virus browser plug-ins, e.g. Kaspersky etc., that implement a trusted root cert on the system, enabling them to decrypt and scan encrypted traffic to and from your browser session?
1Password Version: X
Extension Version: Not Provided
OS Version: Windows 10
Sync Type: Not Provided
Comments
Very good question. 1Password does not depend exclusively on TLS for its security properties. This is true for 1Password X as well: your data is end-to-end encrypted, and your Master Password is never transmitted, so from this point of view your data is safe even in a scenario where you cannot trust your browser extensions, or the certificate chain on your machine.
Having said this, anything that can interfere with your secure communications this way is a risk, and has to be considered as such. We implement a defense-in-depth approach to protect you from malicious entities, but the best solution would be to avoid installing these sorts of extensions in the first place. From our 1Password X security page:
Limit your use of other browser extensions. A malicious or badly-made browser extension could interfere with 1Password X or attempt to expose your data. If you need to use untrusted extensions, consider using a separate browser profile just for 1Password X.
The way these extensions work is by implementing something not different from a Man-In-The-Middle (MITM) attack. It is ultimately up to you to decide whether you trust these extensions enough to accept the risk they pose to your 1Password data, despite the preventative measures present in 1Password X.
===
Daniel
1Password Security Team
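The interception discussed in this thread can be observed from the client side: when a product re-signs TLS traffic with its own trusted root, the issuer of the certificate the client receives changes. The following is an added example, not code from 1Password or from the original posts; the host name, CA names and certificate dicts are constructed placeholders shaped like the output of Python's `ssl.SSLSocket.getpeercert()`.

```python
# Added example: compare the issuer a client observes against a recorded baseline.
# All hosts, CA names and certificates below are constructed sample data.

def flatten_name(rdns):
    """Turn getpeercert()'s nested RDN tuples into a flat {attribute: value} dict."""
    return {key: value for rdn in rdns for key, value in rdn}


def check_issuer(host, cert, expected_issuers):
    """Return (status, observed_issuer_cn) for one connection.

    status is 'ok', 'mismatch' (issuer differs from the recorded baseline,
    which happens under TLS interception but also after a legitimate CA change),
    or 'unknown' (no baseline recorded for this host).
    """
    observed = flatten_name(cert.get("issuer", ())).get("commonName")
    expected = expected_issuers.get(host)
    if expected is None:
        return "unknown", observed
    return ("ok" if observed == expected else "mismatch"), observed


def audit(observations, expected_issuers):
    """Map each observed host to its check result."""
    return {host: check_issuer(host, cert, expected_issuers)
            for host, cert in observations.items()}


def make_cert(subject_cn, issuer_org, issuer_cn):
    """Build a constructed cert dict in getpeercert() layout."""
    return {
        "subject": ((("commonName", subject_cn),),),
        "issuer": ((("organizationName", issuer_org),),
                   (("commonName", issuer_cn),)),
    }


# Baseline recorded on a machine without interception software (constructed).
EXPECTED = {"vault.example.com": "Example Public CA G2"}

CLEAN = {"vault.example.com": make_cert(
    "vault.example.com", "Example CA Inc", "Example Public CA G2")}
SCANNED = {"vault.example.com": make_cert(
    "vault.example.com", "Example AV Vendor", "Example AV Local Root")}

if __name__ == "__main__":
    for label, observations in (("clean", CLEAN), ("scanned", SCANNED)):
        print(label, audit(observations, EXPECTED))
```

On a live system the cert dict would come from `getpeercert()` on a verified connection; a mismatch means the traffic is being re-signed locally or the site changed its CA.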