In the last years we see a lot of attacks on commercial IT services. These attacks come from black-hat hackers but also from governments (by way of law or with cyber attacks from intelligence services). This is worrying.

The NSA has (proven by the Snowden documents) tried to manipulate encryption and algorithms several times with the Bullrun project.
In the past, various intelligence agencies have also used legal and technical means to persuade companies and service providers to deliberately build vulnerabilities into their products. This development continues and has gained even more importance with the Pegasus spyware.

I believe that privacy and security is a human right, and should be respected by governments as well. But apparently we have to resort to our own means to avert this danger to our rights.

A very good way to prevent manipulation by governments and other powerful actors is open source software.

I believe that 1Password is a very important and also necessary tool for all internet users.
But currently, we have to trust 1Password. Although there is an extremely interesting blog article about this, trust is still necessary to some extent. Trust is good, math and transparency are better. That's why I strongly believe that 1Password must become open source.

Yes, of course, not all threats are averted by open source. But it will be harder for governments and other powerful actors to build a backdoor into 1Password.
Also, I believe that a move to open source will not lead to economic losses. (See Bitwarden)
Because the big advantage of 1Password is that it is stored in the cloud and the cloud infrastructure is only accessible with a subscription.

BenBen (AWS Team, Team Member), edited January 10

    Hi @TheQuestioner

    Our Chief Defender Against the Dark Arts, Jeff Goldberg, wrote on this point here. It is a bit of an older post, so some things have evolved since then. For example, we now have a bug bounty program, and also do independent security audits. You can read about those initiatives here. There are some small components of 1Password that we have released the source for, such as our Electron hardener, Secure Password Generator (spg), and SRP implementation. Those are available on our public GitHub.

    We have had some conversations about releasing the source for other chunks of the system, and hopefully we'll be able to consider that in the future, but I don't know that the entirety of 1Password would ever be open source. Even if it were, I'm not sure how you'd verify the binaries the server is running match the source code you could review. As such I don't believe open source (at least alone) would solve the issue. What may help is the knowledge that we have many sets of eyes on our code between development and QA, including people living under different governments.

    I hope that helps!


