Please open source the classic Firefox extension when you inevitably abandon it
The writing on the wall seems pretty clear that 1PasswordX is going to be the only maintained extension going forward. Since it's completely unacceptable, please post the un-minified source code of the classic Firefox extension so that people can maintain it for themselves.
Comments
-
Hey @CamJN ,
Thanks for bringing this up and sharing your concerns.
We have no immediate plans to abandon 1Password Classic. We still have a lot of standalone license users that will require it so I don't think it will be deprecated anytime soon.
One point to consider, in a hypothetical scenario where we do deprecate it, I'd strongly advise against installing anything 1Password related that is not released by us - your most important and sensitive data is stored in 1Password and you shouldn't rely on other 3rd parties to handle that data with security and privacy in mind. If someone releases a malicious version of it, that would be devastating to any user.
0 -
Frankly, I do not believe you that there are not plans to abandon the classic extensions. Just like standalone licensing it's clearly something AgileBits is pushing people away from, and doesn't want them using. Your actions speak louder than your words.
As for the security issues of trusting a third party: firstly I would maintain the extension myself; and secondly it's pretty rich given that you're putting people's entire vaults into browser memory with 1PasswordX, that's not the kind of thing you do if you care about security at all.
0 -
Thanks for the followup @CamJN .
We are definitely pushing towards membership accounts due to the fact we built our own home-made cloud service with security and privacy as a top priority, and it works much better and more reliably than other 3rd party syncing services, greatly reducing users' issues with 1Password and syncing their devices.
However, standalone license customers can definitely keep using their 1Password in the same manner they have so far, including using the 1Password Classic extension.
As I stated earlier, we have no immediate plans to deprecate anything that relates to standalone licenses. That does not mean we will keep supporting or selling them forever. It just means that currently, you can keep using your software in the same manner and it is still supported officially. If something changes we will surely announce it publicly, but we don't tend to change things that leave users behind in the dust as you may have noticed so far. We always provide options.
The newer 1Password in the browser (previously known as 1Password X) does not compromise security for convenience. That's something we never do.
If you're into the security aspect of things, here are some great and interesting reads:
- How 1Password in the browser (1Password X) works - security wise: https://support.1password.com/1password-browser-security/
- Our general security methods and protocols: https://support.1password.com/1password-security/
- Our white paper, which covers all of the aspects of our security models: https://1password.com/files/1Password-White-Paper.pdf
I do appreciate your concerns and the points you raise here, so thank you for bringing it up! I hope I was able to clarify and alleviate at least some of these concerns. Let me know if you have further questions.
0 -
"1Password runs in a sandboxed background page provided by the WebExtensions API"
See, ALL your passwords 1 browser exploit away from being stolen.
0 -
@CamJ WebExtensions API is a very safe, cross-browser technology. If at any point such an exploit exists, it will affect all extensions in the world, not just 1Password, so it doesn't matter which password manager you use. But that is a very theoretical scenario and is unlikely to happen at all. :)
0 -
That's an incredibly ignorant and dangerous position to take. If 1Password were the only password manager that wasn't vulnerable to a particular exploit it wouldn't be ok to become vulnerable to it just because everyone else was doing something stupid.
The WebExtensions API being cross browser is of absolutely no relevance to the discussion.
The WebExtensions API is only as safe as the browser that implements it. If there is a sandbox escape in your browser (see: every pwn2own ever to see that this is not a theoretical scenario and happens all of the time) then everything in your browser's memory is available to the malware. That does include passwords you've previously filled (since the last time you restarted your browser) if you are using 1Password classic, but if you are using 1PasswordX, it includes EVERY PASSWORD IN YOUR VAULTS.
That is a huge, unacceptable reduction in defence in depth. And that you either have no idea what you are talking about or do not care is alarming.
0 -
That is why we only officially support very specific browsers. 1Password Classic only works with Chrome, Firefox, Edge and Brave.
1Password X can work on other browsers as well, but any browser that is not officially mentioned on our website is not a recommended browser, and as always, users should remain vigilant to keep their system, browser and data safe. 1Password does make it easier to keep sensitive information safer when it is encrypted, but if the system or the browser are compromised, there's not much we (or any other piece of software) can do.
Thank you for your feedback and input on the matter.
0