Corporate MITM proxy

jms1
Community Member

Our beloved corporate overlords are forcing everybody to use an outbound proxy which requires the machines to "trust" a proxy certificate, allowing them to perform what they call "SSL Inspection", where every outbound SSL connection is terminated by their proxy server and then re-sent outbound (aka a MITM, or "Man In The Middle", attack). This means they are able to see everything sent or received over any SSL connection.

Some applications (such as Keybase) take it a step further and encrypt the traffic within the SSL session, so that even if somebody is able to inspect the HTTP traffic within the SSL connections, they cannot see any actual content.

Does 1Password do this, does it encrypt the HTTP payloads separately from the SSL encryption done by the HTTPS protocol?

If not, then I suspect I just give the corporate overlords the ability to read all of my passwords off the wire, even the items in my "Personal" vault, when 1Password on their laptop synced with their team account (and with my family account).

Comments

  • Tertius3
    Community Member

    Don't think too hard about it. Your company decided to break the TLS encryption. If it breaks, it owns the pieces. Their fault, not your fault. It might even be necessary by law for your company to do this: to enforce data leak prevention. This is to prevent malware or economic spies from sending corporate data to the outside. It's a security dilemma, because TLS also secures data leak transmissions.
    If it comes to your personal account: you're probably not supposed to use personal data on a corporate laptop by company policy. And if you're allowed, you're subject to the company security policy, which includes a broken TLS.

    Ok, I now understand why you're asking.

    However, the answer to your question is "yes". While the requests and responses may be visible in a broken tls stream, the password data itself is decrypted only locally with your private key and your master password. That's on top of the TLS connection. Even if you're using the web application (and no local desktop app), the passwords are decrypted locally within your browser's sandbox and transferred encrypted only.

  • @jms1 Hello! That's an excellent question!

    @Tertius3 is correct in their reply. The ability to inspect the decrypted TLS stream alone is insufficient to be able to read your 1Password data.

    Does 1Password do this, does it encrypt the HTTP payloads separately from the SSL encryption done by the HTTPS protocol?

    Apart from the SSL encryption done by the HTTPS protocol, your 1Password data is encrypted with a combination of your Secret Key (which is stored on your logged-in devices, and on your Emergency Kit), and your account password. Neither of these things is ever sent to the 1Password service (if they were, then reading the decrypted TLS stream would be enough to read your 1Password data).

    If you're interested, our Security Whitepaper describes this in more detail. It can be found at the bottom of this page. Of particular relevance are "Account Password and Secret Key" (pg. 10), "How Vault Items Are Secured" (pg. 18), and "Transport Security" (pg. 61).
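As an added illustration (not code from this thread, and not 1Password's own implementation), the following Python sketch models what both answers describe: a vault key derived from the account password and a Secret Key that never leave the device, an item encrypted under that key before it is placed in the HTTPS request body, and the view an "SSL Inspection" proxy gets after terminating TLS. The key derivation is simplified (PBKDF2 over the password plus an HMAC expansion of the Secret Key, combined by XOR), the HMAC-based stream cipher with a separate MAC stands in for a real AEAD such as AES-GCM, and all names, the salt and the sample values are constructed for the example.

```python
import hashlib
import hmac
import json
import secrets

# Constructed sample values for this example; not real 1Password parameters.
ACCOUNT_PASSWORD = "correct horse battery staple"
SECRET_KEY = "A3-EXAMPLE-SECRET-KEY-NOT-REAL"
SALT = b"constructed-per-account-salt"   # the server may know this; it is not secret


def derive_vault_key(account_password: str, secret_key: str, salt: bytes) -> bytes:
    """Key that exists only on the device: it needs BOTH the password and the Secret Key."""
    # Slow hash of the (low-entropy) account password resists offline guessing.
    pw_part = hashlib.pbkdf2_hmac("sha256", account_password.encode(), salt, 100_000, dklen=32)
    # Simple HMAC expansion of the (high-entropy) Secret Key; a stand-in for HKDF.
    sk_part = hmac.new(salt, secret_key.encode(), hashlib.sha256).digest()
    # XOR the two halves, so a party holding only one of them learns nothing about the key.
    return bytes(a ^ b for a, b in zip(pw_part, sk_part))


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """CTR-style keystream from HMAC-SHA256; a stand-in for a real AEAD cipher."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt_item(vault_key: bytes, plaintext: bytes) -> dict:
    """Encrypt-then-MAC: ciphertext plus an integrity tag, with a fresh nonce each time."""
    enc_key = hmac.new(vault_key, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(vault_key, b"mac", hashlib.sha256).digest()
    nonce = secrets.token_bytes(12)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return {"nonce": nonce.hex(), "ct": ct.hex(), "tag": tag.hex()}


def decrypt_item(vault_key: bytes, blob: dict):
    """Return the plaintext, or None if the key is wrong or the blob was tampered with."""
    enc_key = hmac.new(vault_key, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(vault_key, b"mac", hashlib.sha256).digest()
    nonce = bytes.fromhex(blob["nonce"])
    ct = bytes.fromhex(blob["ct"])
    tag = bytes.fromhex(blob["tag"])
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):      # constant-time tag check before decrypting
        return None
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


def build_sync_request(vault_key: bytes, item_id: str, item_json: dict) -> bytes:
    """The HTTP body the client sends: metadata in the clear, item content encrypted first."""
    plaintext = json.dumps(item_json).encode()
    return json.dumps({"item_id": item_id, "enc": encrypt_item(vault_key, plaintext)}).encode()


def parse_wire_blob(http_body: bytes) -> dict:
    """Pull the encrypted item out of a request body (what the server, or the proxy, stores/sees)."""
    return json.loads(http_body)["enc"]


def inspecting_proxy_view(http_body: bytes) -> dict:
    """What an inspecting proxy sees after terminating TLS: the body is out of its TLS wrapper,
    but the item content is still under the device-only vault key, so only metadata is readable."""
    seen = json.loads(http_body)
    return {"item_id": seen["item_id"], "ciphertext_bytes": len(seen["enc"]["ct"]) // 2}


def password_visible_on_wire(http_body: bytes, password: str) -> bool:
    """True if the vault item's password appears anywhere in the TLS-decrypted request body."""
    return password.encode() in http_body


if __name__ == "__main__":
    key = derive_vault_key(ACCOUNT_PASSWORD, SECRET_KEY, SALT)
    body = build_sync_request(key, "item-0001", {"title": "bank", "password": "hunter2"})
    print("proxy sees:", inspecting_proxy_view(body))
    print("password visible on wire:", password_visible_on_wire(body, "hunter2"))
    # Only the device, holding both secrets, recovers the item; the proxy holds neither.
    print(decrypt_item(key, parse_wire_blob(body)))
```

The point of the XOR combination is the one the reply makes: the server (and therefore anyone reading the decrypted TLS stream) may hold the salt and the ciphertext, but without both the account password and the Secret Key the derived key is wrong, and the MAC check rejects the blob before any plaintext is produced.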

This discussion has been closed.