How secure is 1P built with Electron?
Hello 1Password team,
In the Bleeping Computer article "Microsoft Teams stores auth tokens as cleartext in Windows, Linux, Macs" (https://www.bleepingcomputer.com/news/security/microsoft-teams-stores-auth-tokens-as-cleartext-in-windows-linux-macs) I read the following:
“Electron does not support encryption or protected file locations by default, so while the software framework is versatile and easy to use, it is not considered secure enough for developing mission-critical products unless extensive customization and additional work is applied.”
Since 1Password 8 is built with Electron, how much “extensive customization” has been made to make it absolutely secure? How can I as a customer be convinced of this before I switch over to this version?
Regards, Dennis
Comments
-
Hi @dvmierlo
Thanks for taking the time to write with this concern. We'd be happy to talk about our use of Electron, and how we've made sure 1Password continues to be a secure offering. There are a number of factors that have gone into this. First and foremost, it is worth noting that we're essentially only using Electron for the UI for our desktop apps. The business logic is handled in a common core built in Rust. One of our founders, Dave, wrote about this structure, here:
Behind the scenes of 1Password for Linux | by Dave Teare | Medium
(while this post was written before 1Password 8 for Mac or 1Password 8 for Windows — the same concepts apply to all of our desktop apps)
Second, to help with the bits that we do rely on Electron for, we've created a runtime hardener tool. We've published that tool as an open source project:
electron-hardener/README.md at main · 1Password/electron-hardener · GitHub
If you're interested in reading more of the details about the 1Password security model, we've published a fairly extensive white paper, which can be found here:
1Password Security Design
I hope that helps! If you have further questions please let us know.
Ben
0 -
Hi Ben,
Thank you for your reply. I will have reading to do :-) It is very good to hear 1Password is open about this.
Lots of greetings,
Dennis
0 -
Happy to help. 😀 If we can be of further assistance, please don't hesitate to contact us.
Ben
0