OpenSSL Heartbleed Bug
Is the new OpenSSL "Heartbleed Bug" a security threat for 1Password users?
Regards
Andreas
Comments
-
Good question, @lemonstre.
1Password does not depend on SSL/TLS thus is not directly affected. However, there is more to the story as @jpgoldberg outlines in our blog post from earlier today:
Imagine no SSL encryption, it’s scary if you try
1Password’s encryption remains safe, but there are implications for a vast number of sites you likely visit. Please read the full article and let us know if you have any specific follow up questions. We are always here to help!
0 -
Hmmm. Big 1Password sale ended on 4/4; news on Heartbleed broke 4/7. I suppose you will claim that this was merely a coincidence.
0 -
If it was anything more we probably would have timed it better than that. ;)
0 -
I'm wondering what kinds of promotions we will see in the coming days from Agile and other vendors. If I am understanding the situation correctly, computer users are about to be hit with an unprecedented barrage of password change requests.
0 -
If I am understanding the situation correctly, computer users are about to be hit with an unprecedented barrage of password change requests.
We are hoping that is the case. Ideally, once an affected site has (1) updated to the patched version of OpenSSL and (2) updated their certificate they will force a password reset just like they would in response to a run-of-the-mill* password breach.
I'm wondering what kinds of promotions we will see in the coming days from Agile and other vendors.
We don’t normally pre-announce future sales, but we do announce them on Twitter, Facebook, and our blog.
* It's sad that I can use that phrase to accurately describe password breaches in recent times.
0 -
The blog post about this vulnerability says that 1Password Master Passwords should be safe, with the exception of 1PasswordAnywhere if a malicious HTML file could have been inserted. One other possibility occurs to me:
What if you've logged into 1Password through screen sharing, such as Back to My Mac, or encrypted VNC, or screen sharing over SSH tunneling? I'm not sure if the encryption schemes used by these services are compromised, but if they were then your password could have been sniffed from the keyboard traffic to the machine whose screen was being shared. Wouldn't this be correct? I've certainly typed my master password when using Back to My Mac from one machine to another, so I will be changing my master password.
0 -
Ah, That is a good point. One feature of 1Password is that you are only ever using it "locally" so that your Master Password never travels over the network in any form.
But if you are using some sort of remote form of "desktop" access then your Master Password is traveling over the network. I do not believe that Back to My Mac would be affected, as it almost certainly doesn't use the OpenSSL libraries. The same is true with SSH tunnels: It's not built on OpenSSL.
0 -
I see in my email this morning a message from MacWorld touting a 60% discount on RoboForm. The timing might have nothing to do with Heartbleed, but somehow I think I will be seeing more of this sort of thing over the next few days.
BTW, the ad’s headline: “One Password That Works Everywhere.”
Hmmmmmm.
0 -
LastPass just offered a validation tool that checks the website's certificate and the last time you changed your password. If your password is older than the certificate update, it tells you to change.
http://blog.lastpass.com/2014/04/lastpass-now-checks-if-your-sites-are.html
Will you be offering something similar in a client update?
0 -
Does the Heartbleed bug impact my 1P passwords?
0 -
I agree with user radioactive, having a LastPass-style security audit of potential risk log ons would be really useful.
0 -
Yes, have just seen the Lastpass tool and it looks very useful. Something similar for 1Password customers would be great, or a web-page on your site which does the same thing (and which could be used for reference) would also be good.
0 -
Will you be offering something similar [a validation tool that checks the website's certificate] in a client update?
I agree … having a … security audit of potential risk log ons would be really useful.
…a web-page on your site which does the same thing (and which could be used for reference) would also be good.
Thank you for letting us know you are interested in this. We’re certainly looking into it. :)
Does the Heartbleed bug impact my 1P passwords?
1Password does not depend on SSL/TLS thus is not directly affected. However, there is more to the story as @jpgoldberg outlines in our blog post from earlier today:
Imagine no SSL encryption, it’s scary if you try
1Password’s encryption remains safe, but there are implications for a vast number of sites you likely visit. Please read the full article and let us know if you have any specific follow up questions. We are always here to help!
0 -
I have 1Password 3 on my two Macs and on several iDevices. They are all auto-synced via Dropbox. I read that 1PasswordAnywhere via Dropbox could be an issue. Other than the websites that themselves may be insecure, do I have to worry about my 1Password sync via Dropbox, or are the two 1Password systems different and the auto sync is not an issue?
0 -
Also, now that Dropbox is supposedly fixed, should I change my Dropbox password and do I have to reset anything on my devices' 1Password apps?
0 -
Dropbox syncing is fine. The issue described in the blog post and above only applies to 1PasswordAnywhere.
Also, now that Dropbox is supposedly fixed, should I change my Dropbox password and do I have to reset anything on my devices' 1Password apps?
AFAIK, Dropbox has not yet updated their certificate, so now is not the time to change your password there.
0 -
Dropbox are being a major disappointment on this issue. Kind of disappointed it's the only cross platform sync method for 1Password right now.
--Adam
0 -
Thanks, khad. When Dropbox is fixed, after I change its pw, do I have to do anything with 1Password on any of my devices for the new pw or will it work as before w/no changes needed?
0 -
In light of this (and because I have been thinking about this feature request for a while):
Would it be possible, for commonly used websites, to create a script that automatically changes my passwords periodically when logged into 1Password? I don't know these passwords anyway (besides Command-), so it would be great if they could be periodically rotating 30-character strings managed entirely by 1Password. It would also be awesome if there could be an open structure for a password change page like example.com/1Pchange that other web developers could implement, which would just have forms for current username, current password, and new password, and would allow one to change a password without going through the whole login, go to change password page, reset password process.
Obviously, there are a few passwords (dropbox and recovery email) which I do need to know so I wouldn't want this to be default, but it would be an awesome option to protect us even better from known or unknown password dumps.
0 -
Yes, a Heartbleed checker tool for my 1Password vaults would be very welcome. As it is, I'm considering exporting my data from 1Password and importing to LastPass, solely to use the checker they have developed...
0 -
And a lot of sites are getting their certs replaced using the original start dates, so you can't necessarily tell how old the cert is from just the dates. From the comments on that LastPass page:
We're combining methods of checking, and are looking to fix the issue of false positives for the old dates being reissued.
0 -
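The check the LastPass tool performs, as described in these posts (flag a site if the password was last changed before the site's certificate was reissued), carried through with the reissued-with-original-dates caveat handled by also comparing the certificate serial against one recorded earlier. This is an added example, not AgileBits' or LastPass's code; the site names, serials, dates and the `openssl x509 -noout -serial -dates` output it parses are all constructed.

```python
from datetime import datetime, timezone

# Public disclosure of Heartbleed (CVE-2014-0160), 7 April 2014.
DISCLOSED = datetime(2014, 4, 7, tzinfo=timezone.utc)
OPENSSL_DATE = "%b %d %H:%M:%S %Y %Z"

def parse_openssl_dates(text):
    """Parse the serial=/notBefore=/notAfter= lines printed by
    `openssl x509 -noout -serial -dates` into a dict with UTC datetimes."""
    fields = dict(line.split("=", 1) for line in text.strip().splitlines())
    parse = lambda s: datetime.strptime(s.strip(), OPENSSL_DATE).replace(tzinfo=timezone.utc)
    return {"serial": fields["serial"].strip(),
            "not_before": parse(fields["notBefore"]),
            "not_after": parse(fields["notAfter"])}

def password_status(cert, password_changed, old_serial=None):
    """Classify a site as 'ok', 'change', 'wait' or 'unknown'.
    old_serial is the certificate serial recorded for the site before the
    disclosure, if any (e.g. noted in the vault entry)."""
    if cert["not_before"] >= DISCLOSED:
        # A fresh certificate: the password change must postdate it.
        return "ok" if password_changed >= cert["not_before"] else "change"
    if old_serial is None:
        # Dates alone cannot tell an old cert from one reissued with its
        # original start date: the false positive the LastPass comment mentions.
        return "unknown"
    if cert["serial"] == old_serial:
        return "wait"  # still the pre-disclosure cert; a new password could leak again
    # Serial changed but the start date was kept: reissued at an unknown time, so
    # the dates cannot prove the password change came afterwards. Be conservative.
    return "change"

# Constructed sample data, not real certificates or accounts.
_OLD = "notBefore=Mar 10 00:00:00 2014 GMT\nnotAfter=Mar 10 23:59:59 2015 GMT\n"
_NEW = "notBefore=Apr 10 00:00:00 2014 GMT\nnotAfter=Apr 10 23:59:59 2015 GMT\n"
SAMPLE_SITES = {
    # name: (openssl output, date password last changed, serial recorded earlier)
    "a.example": ("serial=1A2B\n" + _NEW, datetime(2014, 4, 8, tzinfo=timezone.utc), None),
    "b.example": ("serial=1A2C\n" + _NEW, datetime(2014, 4, 11, tzinfo=timezone.utc), None),
    "c.example": ("serial=3C4D\n" + _OLD, datetime(2014, 4, 9, tzinfo=timezone.utc), "9F9F"),
    "d.example": ("serial=9E9E\n" + _OLD, datetime(2014, 4, 9, tzinfo=timezone.utc), "9E9E"),
    "e.example": ("serial=9E9E\n" + _OLD, datetime(2014, 4, 9, tzinfo=timezone.utc), None),
}

def triage(sites):
    """Return {site: status} for a table shaped like SAMPLE_SITES."""
    return {name: password_status(parse_openssl_dates(out), changed, old)
            for name, (out, changed, old) in sites.items()}

if __name__ == "__main__":
    for name, status in triage(SAMPLE_SITES).items():
        print(f"{name:12} {status}")
```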
What a mess! The biggest problem that I am running into is setting up a workflow to get all of my passwords changed, all 235 of them. Some sites are on the ball and others seem to be dragging their heels. I am working down my lists by first checking to see if the patch has been applied (http://filippo.io/Heartbleed/). Then I move to changing the password. What I have done to press on is to include a tag that I have either completed the process, or tag it for later, so I can go back to the site later if they do not pass the Heartbleed test. Love those tags!
0 -
This content has been removed.
-
Khad -- What is the difference between "dropbox syncing" which you say is safe, and 1PasswordAnywhere? Also, please tell me specifically how to stop syncing 1Password to Dropbox. There is no stop sync command that I can see in 1Password preferences, and I don't want to just delete the agilebits keychain from Dropbox without understanding the consequences.
0 -
Thanks for all the feedback and comments, guys!
When Dropbox is fixed, after I change its pw, do I have to do anything with 1Password on any of my devices for the new pw or will it work as before w/no changes needed?
1Password should still sync like normal after a Dropbox password change. Our authorization token will remain valid.
What is the difference between "dropbox syncing" which you say is safe, and 1PasswordAnywhere?
Dropbox syncing is still safe. 1PasswordAnywhere is an HTML file that can be accessed in your web browser to view your passwords from any computer. Only the use of 1PasswordAnywhere in a web browser was temporarily not recommended. But, it now appears that Dropbox has applied the patch for the OpenSSL bug and got a reissued SSL certificate, which means that after a password change it is safe to use 1PasswordAnywhere again anyway.
0 -
So if I've used 1PasswordAnywhere on DropBox, should I change my master password for 1Password?
0 -
Hi @nopenotme,
We do not believe that any attacks on 1PasswordAnywhere took place, but because we can't rule it out, you may wish to change your Master Password. Definitely change your Dropbox password though.
0 -
I find it hard to believe that AgileBits would overlook this, but I'm not finding anything to answer this question: what's the Heartbleed status of the host server for these forums? Running "agilebits.com" and "discussions.agilebits.com" through both the LastPass checker and the filippo.io checker return different results between the primary domain and the subdomain. (I found this out because I was copying domains out of my 1Password vault, and the only AgileBits login I have is for these forums.)
"Agilebits.com" returns as fixed on filippo.io, and with a cert date of 2014-04-10 on LastPass.com. "Discussions.agilebits.com", however, returns very different information—LastPass.com reports an nginx server that may or may not be using a vulnerable version of OpenSSL, with a cert date of 2014-03-10, and filippo.io returns this error: "x509: certificate is valid for *.vanillaforums.com, vanillaforums.com, not discussions.agilebits.com". (Presumably vanillaforums.com is the actual host for your forums.)
So, can anyone at AgileBits tell me if discussions.agilebits.com is vulnerable, was vulnerable but is now fixed, is waiting for a new cert, or what? Does the forum even use SSL for its login?
0 -
Hi @Quantumpanda,
Our website (agilebits.com) has been fixed with the patched version of OpenSSL, and is using a newly issued SSL certificate.
The forum (discussions.agilebits.com) does not use SSL (as you can see by looking at the URL, it's http), thus is not affected. With that said, we should be using SSL on the forum as well, and we're looking into it.
0 -
What about the 1Password Chrome Extension? Is that the same as 1PasswordAnywhere, and would you therefore have to change the Dropbox password as well, or is the Chrome Extension, like the 1Password app, not affected by the Heartbleed Bug?
Thanks AgileBits for the open and transparent communication regarding this issue! Much better than other providers!
0