Differences between native apps, 1Password in the browser, and web client

nettle
Community Member

I’m planning to subscribe to 1Password Families (after thinking about it for a long time), but I’m still wary of the somewhat increased security risk of the web client (as discussed in the "Crypto over HTTPS/Beware of the Leopard" part of the 1Password Security Design White Paper and elsewhere such as https://1password.community/discussion/100052/about-the-new-security-audit ).

At the end of that discussion thread it says "Over time we're supporting more features that were once available only through the web interface in the native apps as well, and we'll continue to make more progress." With that in mind, please could I check which features are still only available through the web client?

Am I right that payment management, creating and sharing vaults, adding and removing family members, and changing the master password and/or secret key all still need to be done through the web client? Can the rest of the day-to-day tasks (including moving items into and out of shared vaults that you’ve already set up) be done in the native clients?

I’ve also seen references to "1Password in the browser" being code-signed (in contrast to the web client). Is that referring to the browser extensions made available in the Firefox Browser Add-Ons, Chrome Web Store, and Edge Add-Ons being signed? And does that code signing give "1Password in the browser" the same security against the risk of a malicious version as with the native Mac application?

I noticed that the page at https://support.1password.com/getting-started-browser/ treats Safari differently, linking to https://support.1password.com/safari/ . Does that mean that the Safari extension is different, and is it still signed?

If I’m still worried about the web client, is my best bet to use the native apps or "1Password in the browser" as much as possible, and minimise my use of the web client? Would any other measures like turning on 2FA help?


1Password Version: Not Provided
Extension Version: Not Provided
OS Version: macOS 11.4
Sync Type: Not Provided

Comments

  • ag_ana
    1Password Alumni

    Hi @nettle!

    I just wanted to say that I have sent your questions directly to our security team. We will post back here as soon as possible :+1:

  • nettle
    Community Member

    Thanks, @ag_ana, I look forward to hearing more!

  • Lars
    1Password Alumni

    Hey @nettle - Lars from the Security team here.

    Am I right that payment management, creating and sharing vaults, adding and removing family members, and changing the master password and/or secret key all still need to be done through the web client?

    Almost, but not quite. :) Creating and sharing vaults can be done in 1Password 7 for Mac, as can changing your Master Password (click 1Password > Preferences, then click the Accounts tab, and Change Master Password) and moving and copying items. Currently, payment management, "people management" (adding, removing and managing access of family members), and regeneration of your Secret Key are web-only.

    I’ve also seen references to "1Password in the browser" being code-signed (in contrast to the web client). Is that referring to the browser extensions made available in the Firefox Browser Add-Ons, Chrome Web Store, and Edge Add-Ons being signed?

    Yes. It's not possible to code-sign a web app/client that's delivered via the browser window, since it is by definition remote code. Extensions in a browser (Chrome, Firefox, etc) are small native applications that browser developers allow to be added into their respective browsers, and they (the browser developers) are responsible for verifying the authenticity of the extension -- though of course you are ultimately responsible for what you install onto your own devices. Only install browser extensions (including ours) from their respective developer sources (Chrome Web Store, Mac App Store, etc).

    And does that code signing give "1Password in the browser" the same security against the risk of a malicious version as with the native Mac application?

    More or less, though the potential attack vectors vary somewhat. With 1Password in the Browser, we utilize an entirely separate, sandboxed DOM, meaning it would be very difficult for a malicious extension in the same browser to read data entered into (or revealed within) 1Password. However, as with most things, the best security is a result of consistent security practices by the user themselves. This means consistent application of good security judgment, such as not installing unknown applications (including browser extensions), not clicking on links or attachments in emails or webpages unless you've verified their provenance and trustworthiness, keeping all security-related apps and software up-to-date with latest patches (including not just 1Password but also your browser(s) and OS), etc.

    If I’m still worried about the web client, is my best bet to use the native apps or "1Password in the browser" as much as possible, and minimise my use of the web client?

    From a strictly security standpoint, in general, yes. Fortunately, it is also vastly easier and more convenient to use native applications than the web client, owing to the limitations on what can be delivered in the browser window (selecting multiple items in a vault, for example, is impossible in the web client, but easy as a few clicks in the native apps). Quoting the 1Password Security white paper on the security aspect:

    1Password offers a web client which provides the same end-to-end (e2e) encryption as when using the native clients. The web client is fetched from our servers as a set of JavaScript files (compiled from TypeScript source) that is run and executed locally in the user’s browser on their own machine.

    [...]

    1. Use (codesigned) native clients as much as possible.
    2. Keep browser software up to date
    3. Create a specific browser profile for using the web-client
    4. Pay close attention to browser security warnings
    5. Use on trusted network
    6. Manually check certificates

    With all of that said, for perspective I want to make sure to stress to you and anyone else reading this thread that it is neither harmful nor unusually dangerous to use the 1Password web client for those few account-related tasks which still require it. We would not risk our reputation nor (especially) your data if it were. But there are indeed additional risks introduced from using the web client that cannot be entirely avoided (though they can be mitigated via the above steps). If you've read the white paper already, you're more curious and security-conscious than many users of 1Password, and that speaks well of both your willingness and your ability to take proper precautions.
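As an added example for this thread (not 1Password's code, and not something the thread says 1Password provides), here is one way a cautious user could act on two of the quoted white-paper points: the web client being fetched JavaScript that cannot be code-signed, and "manually check certificates". The idea is to record a manifest of the served bundle from a session you trust, diff later sessions against it, and compare a server certificate's SHA-256 fingerprint against a pin you recorded earlier. The file names, file contents, the "DER certificate" bytes and the pins below are all constructed stand-ins; the function names are this example's own.

```python
"""Change detection for a fetched web-client bundle, plus a certificate pin check.

Added example for this discussion; not 1Password code. Every input below is
constructed: the bundle files stand in for whatever the browser actually
downloaded, and the DER bytes stand in for a real certificate.
"""
import hashlib
import hmac
import json
from typing import Dict, List


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of a byte string (a served file or a DER certificate)."""
    return hashlib.sha256(data).hexdigest()


def build_manifest(files: Dict[str, bytes]) -> Dict[str, str]:
    """Map each served path to the SHA-256 of its content."""
    return {path: sha256_hex(content) for path, content in sorted(files.items())}


def diff_manifests(trusted: Dict[str, str], current: Dict[str, str]) -> Dict[str, List[str]]:
    """Compare a manifest recorded from a trusted session with a new session.

    Anything in 'changed' or 'added' is code the server delivered that was not
    present, or not identical, last time. A legitimate release produces the
    same signal, so a non-empty diff is a prompt to check release notes, not
    proof of compromise.
    """
    return {
        "changed": sorted(p for p in trusted if p in current and trusted[p] != current[p]),
        "added": sorted(p for p in current if p not in trusted),
        "removed": sorted(p for p in trusted if p not in current),
    }


def audit_session(trusted: Dict[str, str], current_files: Dict[str, bytes]) -> Dict:
    """Run the diff and add a single 'clean' verdict for quick checks."""
    report = diff_manifests(trusted, build_manifest(current_files))
    report["clean"] = not (report["changed"] or report["added"] or report["removed"])
    return report


def normalize_fingerprint(fp: str) -> str:
    """Accept openssl-style 'SHA256 Fingerprint=AB:CD:...' or bare hex."""
    if "=" in fp:
        fp = fp.split("=", 1)[1]
    return fp.replace(":", "").strip().lower()


def certificate_matches_pin(der_cert: bytes, pinned_fingerprint: str) -> bool:
    """Constant-time comparison of a DER certificate's SHA-256 against a recorded pin."""
    return hmac.compare_digest(sha256_hex(der_cert), normalize_fingerprint(pinned_fingerprint))


# Constructed sample bundles, as a user might have saved them from two sessions.
SESSION_CLEAN = {
    "app.js": b"export function unlock(pw){ return deriveKeys(pw); }\n",
    "vendor.js": b"/* third-party libs */\n",
}
SESSION_LATER = {
    # app.js now contains an extra call that was not there before
    "app.js": b"export function unlock(pw){ beacon(pw); return deriveKeys(pw); }\n",
    "vendor.js": b"/* third-party libs */\n",
    "extra.js": b"/* a file that was not served last time */\n",
}

# Constructed stand-in for a DER certificate and the pin recorded for it earlier.
FAKE_DER_CERT = b"constructed-der-certificate-bytes"
RECORDED_PIN = "SHA256 Fingerprint=" + ":".join(
    sha256_hex(FAKE_DER_CERT).upper()[i:i + 2] for i in range(0, 64, 2)
)


if __name__ == "__main__":
    trusted = build_manifest(SESSION_CLEAN)
    print(json.dumps(audit_session(trusted, SESSION_LATER), indent=2))
    print("certificate matches pin:", certificate_matches_pin(FAKE_DER_CERT, RECORDED_PIN))
    print("tampered certificate matches pin:",
          certificate_matches_pin(FAKE_DER_CERT + b"x", RECORDED_PIN))
```

To feed it real inputs, save the JavaScript files the browser fetched for the web client (the network panel of the browser's developer tools, or the "Save page" option) into a directory per session, and obtain a live fingerprint with `openssl s_client -connect HOST:443 -servername HOST </dev/null | openssl x509 -noout -fingerprint -sha256`, where HOST is the web client's hostname. This catches a bundle that differs from one you already inspected; it does not make remote code equivalent to a code-signed native app, which is the point of the white paper's first recommendation.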

  • nettle
    Community Member

    Hi @Lars, thank you very much for this comprehensive and clear reply! That's reassuring.

    As you wrote that changing the Master Password can be done in 1Password 7 for Mac, does that mean if I were really worried I could even choose to change my Master Password in this way after using the web client for any people/payment management tasks or after changing the Secret Key?

    I realise that might well be being over-cautious (and I'm not saying I'd actually do it! :chuffed: ), but would it in theory reduce risk? Although, I suppose that in the theoretical case that there is a malicious web client it could immediately exfiltrate the contents of the vaults before I change the Master Password, so it would only help for any future additions/changes to the vaults.

  • The risk associated with frequent Master Password changes (possibly forgetting the password, losing muscle memory) would likely outweigh any perceived benefit in that. You could do so though, if desired.

    Ben

  • nettle
    Community Member

    Thank you very much @Ben. Yes, I see your point about that! OK, I'll go ahead and set up my membership.

    Out of interest, do I understand correctly that the various companies that use 1Password (like IBM, GitLab, etc. listed on 1password.com) are also using the same system, including the web client? If they're comfortable with it, I suppose I should be :chuffed:

  • @nettle

    Any and all of our clients use the same products.
