When will 1Password offer a VPN service?

rjborley
Community Member
edited January 2023 in Lounge

I am really confused as to why the inclusion of a VPN solution with 1Password isn't part of the road map. Recently a victim of online fraud, I have signed up to ExpressVPN, to help protect myself online. I noticed they have a password management service bundled with the VPN software. I am seriously considering transferring my password management data to ExpressVPN Keys. This would allow me to replace one or the other with a single annual subscription and provider. Currently the only option for me doesn't include 1Password.

A VPN is becoming much more important these days for users managing or sharing financial information online, performing online financial transactions and online banking. Pretty much everyone these days??

I really like 1Password and would prefer to stay with it, but I also need a VPN and so I may leave 1Password at the end of this subscription period.

1Password has a good reputation, a great password manager and lots of subscribers. It seems to make sense as they already have a large customer base of security conscious, paying subscribers.

I would definitely trust 1Password as a VPN provider. I would prefer to stay a 1Password customer and cancel my ExpressVPN service.

I will be merging my VPN and password management subscription with a business that offers both services along with a family plan ASAP.

Currently that is neither 1Password (no VPN service) nor ExpressVPN (VPN & password, but no family option).

I know I am only one customer, but I’m sure I’m not the only customer asking for VPN and password management under one roof.


1Password Version: 8
Extension Version: Not Provided
OS Version: MacOS, Windows 11, iOS, iPadOS
Browser: Chrome and Safari
Referrer: forum-search:VPN

Comments

  • Hi @rjborley

    We don't have any plans to build a VPN service, and I'd like to take a moment to outline why.

    The vast majority of data breaches or other cybersecurity incidents are because of weak and/or reused passwords. 1Password guards against this by showing you weak and reused passwords in Watchtower so that you can do your own security audit and strengthen them. Similarly, if two-factor authentication is available for a Login item and isn't being used, Watchtower will prompt you to add it.

    VPNs offer little to no additional protection to your internet security. Almost all websites now use TLS (indicated by the 🔒 padlock icon in the address bar). In fact, your browser will typically warn you when you connect to a website that doesn't support TLS. Think back to the last time that happened, and you'll see how widespread TLS is. This means that only you and the website can see what's going on anyway. No one else on the network (or the wider internet) can see what traffic is being exchanged after the first handshake is completed. Think of it like this: an attacker may know what phone number you've dialled and could hear you say "Hello", but can't eavesdrop on the call itself beyond that point. You would need to be fairly certain that you're being individually targeted to be affected by this. As I said above, most breaches are opportunistic. Attackers will take credentials that work on one website and "stuff" them onto others to see if they work. Unless you're being specifically targeted by a malicious actor or a government agency, this won't give you anywhere near as much of a boost in security as a strong unique password for each website, and two-factor authentication where available.

    They represent a single point of failure. You need to trust your VPN provider completely. Any traffic that you send through it is associated with you personally (because you sign into the VPN with a username and password). Some VPN providers will log your traffic for a certain amount of time, and some don't. Some providers are located in countries where local law enforcement or government agencies could easily be given access to those logs. And this doesn't address the other concern, which is: what if your VPN provider gets hacked, and all your traffic logs are leaked? That's potentially devastating from a privacy aspect. Whereas without a VPN your traffic might go through your employer's network, your home internet service provider, the local coffee shop's Wi-Fi network, or your phone's data plan, using a VPN would consolidate all of your traffic, in all contexts, through one channel. That's a responsibility that we would rather not have. As it is, we cannot decrypt your 1Password vaults or see any of their contents. We prefer it that way – your stuff is yours (and secret!) and we only hold an encrypted version of it. You keep the keys. We don't have, or want, any way into your 1Password data. If law enforcement or government agencies asked us to decrypt your data or otherwise supply it, we simply wouldn't be able to. It protects you and us that way. And if 1Password were ever to be hacked (which hasn't happened), the only thing that attackers would get would be the encrypted version of your account vaults. They wouldn't be able to decrypt them any more than we are. Without the keys, they're scrambled garbage.

    We believe that your privacy extends even to between you and us. We don't know what's in your 1Password vaults, and we don't want to. If we did offer a VPN, it would be pretty trivial to use traffic logs to work out what items you have, and that doesn't sit right with us.

    Most people don't need a VPN day to day. Almost all their internet traffic is encrypted anyway between them and the website.

    If you need to access something behind your company's firewall, fair enough. If you want to watch Netflix from another country, that's understandable, although a lot of streaming services are getting wise to this and blocking access from VPNs completely, just in case.

    I'd be happy to hear your motivations for using a VPN to see if that's something we can help with. Please also let me know if you have any questions. :)

    — Grey

  • rjborley
    Community Member

    I’m cancelling my VPN

  • @rjborley

    Thanks for your reply, and I'm glad you're going to stay with us! I hope that my (not very short!) summary of what a VPN does and doesn't do gave you some insight into why it's not a plan for us right now. If you have any questions about what you can do to help with your own personal online security, please let me know and I, or one of my teammates, will be happy to help out.

  • rjborley
    Community Member

    Your summary was/is invaluable. Thank you so much for taking the time.

    Since becoming a victim of identity theft (admittedly via an SMS phishing scam rather than internet traffic or online data breach), I felt vulnerable. I looked to VPN providers for some additional security, believing their rhetoric. I researched what you wrote. It seems I "fell for the sell" from VPN providers. They are likely leveraging consumer fear for growth as VPNs for general consumers become less useful (e.g. duping streaming services).

    I have to say I find myself turning my VPN on and off far too frequently as I go about my daily business online. Businesses and services across the internet engage in an irritating game of cat and mouse with VPN users, as they attempt to hoover lucrative data from everyone. I find using a VPN impractical but believed it could be worth the extra effort in the name of online security. You have saved me a world of pain. Thank you!

    Then there is the revelation that using a VPN could be LESS secure! This was quite a shock but something that makes perfect sense.

    Thanks for the offer of further assistance. I don't think I need help improving my online security, in terms of online accounts, password management, 2-factor authentication etc. I am pretty diligent. But what about using public/guest WiFi? Should I consider using a VPN at those times? You know, to evade snoopers who try to steal your activity by sitting on the same LAN and running malicious software?

    I would also like advice about improving online privacy. I understand 1Password is about improving security rather than privacy, but I suppose that was the second string in my desire for a decent VPN service. I haven't managed to find a VPN that adequately protects privacy either, as so many online services try their best to hamper any attempt for user/customer privacy (with a few exceptions of course; 1Password, Apple etc.). This includes hampering the use of VPNs, which becomes more hassle than it's worth.

    Thank you once again for your advice.

    PS. I love the new 1Password 8. Didn't at first because it was a significant change, but now I'm used to it, it's a significant improvement and SUPER fast.

  • rjborley
    Community Member

    @GreyM1P

    > You would need to be fairly certain that you're being individually targeted to be affected by this. As I said above, most breaches are opportunistic. Attackers will take credentials that work on one website and "stuff" them onto others to see if they work. Unless you're being specifically targeted by a malicious actor or a government agency, this won't give you anywhere near as much of a boost in security as a strong unique password for each website, and two-factor authentication where available.

    But this is a concern when using public/guest WiFi, isn't it? A friend of my father-in-law had money stolen from an account and their bank said it was most likely someone targeting him at his local pub having analysed IP addresses.

    Shouldn't I consider using a VPN at those times? You know, to evade snoopers who try to steal your activity by sitting on the same LAN and running malicious software?

  • @rjborley

    > Your summary was/is invaluable. Thank you so much for taking the time.

    Thank you, and you're very welcome! I think any of my team could tell you that I do get a bit of a bee in my bonnet about how some VPNs are, shall we say, "oversold" to consumers, so when I got going writing that reply, it turned into something more like a mini-blog post. I hope that because it's in a public place, maybe others will come across it and get some use from it.

    As far as monitoring on a public network goes, much of my original response still applies. With very few exceptions, your connections to websites are encrypted, meaning that none of the traffic can be seen by anyone except you and the website. That metaphor about an attacker seeing the number you dialled and hearing you say "hello" but no more is still accurate.

    Let's say you're doing some online banking in a local coffee shop, and I'm sitting on the same Wi-Fi network intent on ruining your day. (Bit of a stretch, that part – I'm not that mean! 😄) You set up a connection from your browser on your device to your bank's website. Even if I was actively watching just your device on the network, all I would see is (essentially) this conversation:

    Your device: Hello Acme Bank.
    Acme Bank: Hello browser.
    Your device: Let's use encryption. Here are the encryption standards I support.
    Acme Bank: And here are the encryption standards I support. I like this one, which is the latest one we both support.
    Your device: Me too. Let's exchange keys.

    [The key exchange takes place, but that bit's pretty heavy on the maths, so I'll skip it.]

    From that point on, the most information I could deduce is that you're doing something with Acme Bank, but I'd have no idea what. It's pretty much just noise.

    All of this also assumes that I was actively watching your connection at the time – it's not something I could see after you'd connected, unless I was logging all of the "passing" traffic on that network.

    > A friend of my father-in-law had money stolen from an account and their bank said it was most likely someone targeting him at his local pub having analysed IP addresses.

    I'm not 100% sure I fully agree with that analysis from the bank, for the reasons above, but I also don't know any more details, so I couldn't make any official comment on it.

    > Shouldn't I consider using a VPN at those times? You know, to evade snoopers who try to steal your activity by sitting on the same LAN and running malicious software?

    On a well-managed public network, this shouldn't even matter – each device connecting to the network should be segregated from all the others, meaning that each device can only see the router and nothing else locally. But even if that's not the case, the only thing you would be "exposing" to other devices on the network is the little conversation above. If you're OK with that, then there's no need to take any other precautions like a VPN.

    How much additional protection you use is a matter of balance – how much you trust the network you're on vs how much you trust your VPN provider. At home, for example, it's borderline impossible for any unauthorised devices to be on your network. In a public setting, however, you don't know any of the other devices on that network. It's unusual to have to think about your own personal "threat model", but the important thing is to identify what you want to protect, then establish if it's already protected through standards, or if something extra like a VPN might be necessary. If you're not sure about the situation, a VPN probably wouldn't hurt, even if that's just to get you "out of" the local network and on to the public internet.

    I'd love to see more of an educational effort made in the industry to help customers understand the pros and cons of security products, and not just VPNs. Understanding what an antivirus app, for example, can and can't protect against is just as important.

    If you (or anyone else reading!) would like to ask any questions about how to stay safe online, please do ask here, or email us directly at support@1password.com and we'll be happy to help where we can. :)

  • rjborley
    Community Member

    Thank you so much, all this is very useful. It is at odds with anecdotal advice I see, hear and read from time to time, but sometimes that's from bloggers/YouTubers etc. being paid to promote various VPN services. Local TV news channels sometimes have guests purporting to be experts in keeping safe online, when they aren't. I've even seen TV News mock-up scenarios where someone is running malicious software from a laptop connected to the same WiFi in a cafe and they steal passwords from a user when logging into websites. Usually extolling the virtues of 2FA and OTP etc.

    Privacy concerns, particularly with large tech companies are still an issue, and something I was hoping a VPN could help with, but that's another much more complex topic. The tech companies seem hell-bent on ensuring that VPNs become a hindrance.

  • rjborley
    Community Member

    To clarify, I think such TV News articles/scenarios were where a WiFi network was a spoofed SSID and the LAN was therefore illegitimate.

  • GreyM1P
    edited October 2022

    @rjborley

    Under what I'm going to politely refer to as "laboratory conditions", it's possible to create all sorts of edge cases and point to it and say "See? I told you so". This kind of experimentation certainly has its place in the field of security research, and sometimes, hypothetical attacks only stay that way because of lack of computing power – power which will be available eventually. A good example of this is very early encryption standards which are fairly trivial to crack these days because of the many thousands or millions of times more power available to brute-force them. Take a look at the Data Encryption Standard (DES), which was created in 1975 using only a 40-bit key. Even 20 years ago, a home computer could crack this in a matter of days. Today, I can imagine that being within the realms of hours or minutes.

    Clearly, a live demonstration makes for good television, but it can, if not done with the utmost of care, lead people to worry about a particular topic when there's no need. The mantra I adopt for security is "don't panic, but do pay attention". Taking a minute to think about the risks of doing something, what the effect might be, and what safeguards to adopt will generally reduce your chance of anything seriously bad happening.

  • Nige
    Community Member

    @GreyM1P
    I found your points very useful as I have wondered about the true benefits of using VPNs even on public networks if accessing trusted HTTPS websites.
    Interested in your thoughts on the following article, in particular "Https will encrypt that entire pipe, but only if everything is set up correctly." - could they be referring to some malicious software on the network intercepting the request to the intended HTTPS end point (e.g. banking website) and then impersonating it? I suspect such publishers also receive payments for promoting VPNs.

    https://www.zdnet.com/article/reader-question-answered-if-i-have-https-do-i-need-a-vpn/

    Also what are your thoughts on using mobile apps on such public wifi networks as, unlike when using the browser, you can't see the lock to signify a secure connection? Reputable apps such as those provided by Banks (& 1password :-) ), you would expect are using HTTPS with their respective back ends but I'm sure there are plenty of other providers who aren't as security conscious - possibly more risky for Android as I understand there is less quality enforcement than iOS (at least at a previous point in time).

  • HDAI
    Community Member

    Question: I do need a VPN to be able to use streaming Dutch or German TV on my Icelandic TV. Currently using Express VPN, but as a Protonmail subscriber thinking of switching over to Proton VPN. Is there in your opinion (as an expert with more knowledge than I have as a layman) a big difference between Express VPN and Proton VPN from a security and privacy standpoint?

This discussion has been closed.