Don't go to Electron unless you can promise 100% security
If you use the Electron platform how can you ensure that there aren't exploits that will expose my passwords?
You don't have access to the code base in Electron so instead of trusting you folks I will have to trust Electron as well.
Given that Electron like apps are far harder to secure, in my opinion, than a stand alone Mac app I don't see how I can trust that you folks, despite your great dedication, can ensure that my data will continue to be safe.
I've been using 1Password since it came out and I'd hate to change but this Electron concept is probably going to cause me to look for another product.
1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Comments
-
Thank you for your trust in us, @trinko!
I wanted to say that we did a few things to make sure the new app is more secure than 1Password 7:
- we started performing an external security review of the 1Password 8 codebase from the beginning.
- so far we had several security reviews and plan to continue them as the project develops.
- we designed a logging system to make sure none of the user information is leaked by accident.
- we designed the app architecture to separate the user interface layer from the core where the most critical operations happen. For example, the item detail view process does not even have the value of the password (it only has '*****' asterisks) until you click the Reveal button and at that moment the core send the real value of the password to the view.
- 1Password 8 for Mac is codesigned, sandboxed, and notarized.
@mitch went though some of the work we did to make it more secure in his presentation at NorthSec conference:
https://www.youtube.com/watch?v=_P6qI4ahBVk&t=5110sObviously, we are never happy with the current state and we will be looking for more way to make the app more secure.
0 -
Is tagging the wrong Mitch Cohen a security issue? :-)
(This Mitch Cohen is not a fan of the switch to Electron. I do not anticipate making the move to v8.)
0 -
Meh. I'm sure you guys are trying but I'm with Pat on this one.
0 -
There's both truth and FUD here. Any modern app uses third party libraries and are exposed to supply chain attacks. Those attack surfaces vary depending on the particular framework. Unless you're going to write low-level direct API code, there's always an intermediate code base that's at risk.
The question is how much risk, and that's worth having the conversation about.
0 -
@roustem Sorry but I don't see how your response addresses my concern.
By definition for 1Password to do its job passwords have to be communicated to the platform on which 1Password is running which means that they will be accessible to Electron. Every time I go to a web site if someone has hacked Electron they will see not only my passwords but the web sites those passwords are associated with.
In addition since the only interface between 1Password and the user is Electron vulnerabilities in Electron which would enable a virus/bot to input commands to the 1Password core which would allow finding out passwords--people don't care about your World of Warcraft password so they'd simply fake a request for the password to the sites they do care about, like say the major bank web pages, and the 1Password core would return the info they wanted. It's easy to imagine a simple bot that, given an Electron hack, would cycle through all the major financial web sites looking for a hit.
External testing is fine but without access to the source code you have no way of knowing there are no ZDEs.
The whole point is that by outsourcing the interface between the core and the OS/Apps Agilebits is making it impossible to ensure that the data will stay secure. It's as though you're passing unencrypted data over a network you don't control.
If UI is the issue I'd be much happier if you just froze the v7 UI and kept it forever on the Mac app.
0 -
Every time I go to a web site if someone has hacked Electron they will see not only my passwords but the web sites those passwords are associated with.
I think there might be a bit of a misunderstanding about how 1Password 8 works. It is not loading any resources from a website at any time. It is a fully packaged, self-contained, sandboxed application.
0 -
Don't go to Electron unless you can promise 100% security
Anyone who "promises 100% security" is selling snake oil. Security is a moving target. I would suggest how companies prevent, plan for, disclose, and resolve any security issues is more important than making grandiose promises about never having any sort of security related issue.
Nobody can guarantee 100% security in consumer applications, except perhaps nocode:
https://github.com/kelseyhightower/nocode
We have a proven track record of having independent audits, running a bug bounty program, as well as disclosing and fixing security issues when they occur.
I wish anyone, especially ourselves, were able to make such a promise. It just isn't a reasonable target I'm afraid. What we can promise is that we take security seriously and will do the things a responsible company should do to prove that.
Ben
0 -
What we can promise is that we take security seriously
I feel like you believe what you're saying, but if that were really true you wouldn't be dropping support for standalone vaults in version 8 or switching to a framework that has a poor security record and a history of enabling RCEs.
0 -
Anyone who "promises 100% security" is selling snake oil. Security is a moving target.
He's not wrong guys, anyone who says they can do anything 100% of the time is a dirty liar. ESPECIALLY in security/IT/software. That being said electron apps have been exploited before and it's code now they can't control. ¯_(ツ)_/¯ we will see.
0 -
How do you quote a comment in a reply? I don't see how to do that but folks are doing it so it must be possible.
Thanks for any info.
0 -
@roustem I wasn't being clear. Sorry. When I access a website and have 1Password fill in the password will that password pass through functionality provided by Electron?
Perhaps I misunderstand how you're using Electron. Isn't it providing your interface to other Apps like Safari? Also when I reveal the password so I can look at it won't the password be passing through Electron?
If so then a hack in Electron will provide access to all my passwords.
0 -
Hi @trinko,
How do you quote a comment in a reply? I don't see how to do that but folks are doing it so it must be possible.
I usually do that by starting the quoted text with
>
character. It is the one of the features provided by the Markdown formatting.When I access a website and have 1Password fill in the password will that password pass through functionality provided by Electron?
That would be done by the browser extension using the API that provided by the browser. Apple provides documentation for Safari. 1Password browser extension runs within the browser itself and they do not use Electron.
I hope that helps!
0 -
We have a proven track record of having independent audits, running a bug bounty program, as well as disclosing and fixing security issues when they occur.
You also had a proven track record of building kickass Mac UIs, which you are completely jeopardizing right now :(
0 -
When I access a website and have 1Password fill in the password will that password pass through functionality provided by Electron?
That would be done by the browser extension using the API that provided by the browser. Apple provides documentation for Safari. 1Password browser extension runs within the browser itself and they do not use Electron.Now I'm really confused. If Electron is your UI how can it not have access to the data? If I look at a password won't that mean that Electron sees it?
Further if I can hack Electron can't I get it to display passwords even when the user doesn't ask for them to be displayed?
0 -
Hey, @trinko. Electron packages up the UI for 1Password 8 for Mac. So when you're 1Password to fill forms in your browser, Electron is not involved. When you view a password in 1Password 8 for Mac, though, yes, Electron "sees" it, similar to the way that Safari or your browser of choice "sees" your password when you fill it in a website. As @dougl said above,
Any modern app uses third party libraries and are exposed to supply chain attacks. Those attack surfaces vary depending on the particular framework. Unless you're going to write low-level direct API code, there's always an intermediate code base that's at risk.
The question is how much risk, and that's worth having the conversation about.
There is a lot of other third-party code we use that has the opportunity to "see" passwords and other secrets. This is the nature of software engineering, and all third party code has to be vetted carefully.
If you haven't watched Mitch's talk, I think it would really help answer some of your questions. Unfortunately, even though Roustem linked to the correct start time for Mitch's part, it didn't show up that way for me when the forum software here embedded it, so if you want to watch it, click through to YouTube itself and go to about 1:25:10, or copy and paste this link:
https://www.youtube.com/watch?v=_P6qI4ahBVk&t=5110s
.0 -
@rob what 3rd party libraries not produced by an OS vendor does 1 Password 7 for Mac use? Do those libraries access the unencrypted passwords?
You're making me doubt the security of any version of 1Password if it uses non-OS vendor random 3rd party libraries which you can't verify are secure.
While I haven't used Electron a quick search found lots of articles about its vulnerabilities.
0 -
Following this.
0