Watchtower Questions

skattank
Community Member

I just upgraded to 4.4 and was looking at the Watchtower report. One of the websites that shows that the password should be changed is Agilebits Customer Center. So two questions came up. 1. Was any part of the Agilebits website vulnerable to Heartbleed, and if so did you let us know about it (I do not recall reading any notice about this). 2. How do I change the Customer Center password? I can login and edit my info but not the password.


Comments

  • hawkmoth
    Community Member

    I noticed and commented on the same thing a few days ago while Watchtower was still in beta. @MikeT said he would bring the site to the attention of the team to see whether there ever was a problem. But it does continue to appear in my Watchtower list too.

    The password for the customer care center that you got in the email after you made your purchase can't be changed, so far as I can tell. I assume that is to make it less likely that dishonest users will change it to something trivial and then share it widely. Luckily, if you put it in 1Password, it will auto fill and submit it for you. :)

  • tuni12
    Community Member

    Same thing happened to me. I posted my question before I saw this post... not great if Agilebits is still vulnerable - or is it?????

  • LeeT
    Community Member

    Love the idea and yes, I too saw the Agilebits Forum as a Watchtower candidate. Sure it's surprising, but what is more surprising to me is that DropBox is even listed at all. I asked them 21 days ago via Twitter if they were affected and they replied:

    "@dropbox_support: @JustaSunGod Sorry for the delay! We’ve patched all of our user-facing services, and are continuing to work to make sure your stuff... 1/2"
    "@dropbox_support: @JustaSunGod ...is safe. 2/2"

    This makes me wonder where and how Watchtower gets its data on this from. Either DropBox lied, or there are many false positives here.

    On a side note:

    Since we're all here for Security-sake, I'd point out that this Forum as well as its Login link (top right) is "not" running over HTTPS.

    Here's the login code. Just an href to "/entry/signin" on the same system...aka not secured.

        <li><a href="/entry/signin" rel="nofollow" class="SignInPopup">Sign in</a></li>

    Lee

  • uisge
    Community Member

    I was really pleased to see the addition of the Heartbleed audit and enabled it straight away. I noted, however, that the passwords I had changed once sites reported the vulnerability had been fixed still showed as needing changed. It would seem that the '[date] last modified' doesn't feed into the audit process. Is this deliberate?

  • carotids
    Community Member

    It would be really nice to have a reference to where 1Password is getting a vulnerability alert for a particular site.

    example.com with vulnerability alert due to Heartbleed 4/1/13

    example2.com with vulnerability alert due to shared user/pass from prior LinkedIn password leak.

    etc, etc...

  • OldCrow
    Community Member

    I'm curious as to how those websites that are listed as "uncertain" will be dealt with - usually because the website isn't vulnerable but the certificates have never been changed. Watchtower specifically says it has no way to know if such sites were ever vulnerable to Heartbleed. Now, since this category includes sites like iCloud, PayPal/eBay, Amazon and others who state in their own blogs or support pages that they were never vulnerable, this must actually be the case in some number of cases.

    So how/when do those sites get removed from the database? Because right now they are a bunch of false positives. And enough of those false positives will create a level of "noise" that overwhelms users to the point that they just won't track down the sites that actually need new passwords in the middle of that "noise"...let alone actually change the passwords.

  • NickIceCream
    Community Member

    I can see Watchtower in Prefs, but it is greyed out and I can't turn it on. What's the secret?

  • DavidB
    Community Member
    edited May 2014

    One of the alerts I got was for a site whose password I happened to have changed this afternoon, before I installed Watchtower. (In case it matters, Watchtower said the site was "not vulnerable to Heartbleed, but certificates have not been updated.")

    Apparently Watchtower doesn't know I have already changed the password?

    David

  • DavidB
    Community Member
    edited May 2014

    Today I changed the password again and Watchtower removed the alert, so I guess it's working the way it is supposed to now. Maybe it just doesn't know if you changed a password before it was installed.

  • Meek

    Hi everyone,

    Thanks for the questions.

    @skattank, @hawkmoth I'm happy to say that you should now have the option to change your password in our Customer Centre :) Sorry about that!

    @LeeT, @tuni12 you are correct, currently the Agilebits forums are not running over SSL (meaning that they are not vulnerable to Heartbleed). That said, they should be using SSL - we are looking into this.

    @uisge, 1Password should detect the passwords that you changed. Did you make these changes after updating to version 4.4?

    @carotids, thanks for the feedback! We definitely have something like this in the plans :)

    @OldCrow, currently we have to account for these sites manually, as you are correct that there is really no other way currently. We are continually looking into possible options!

    @NickIceCream, 1Password needs to be unlocked before you can change the Watchtower preferences. If it is locked, these will be greyed out.

    @DavidB, I'm sorry to hear that it didn't work at first, but thanks for letting us know that it is working properly now.

  • LeeT
    Community Member

    Hi @Meek

    Right, the Agilebits Forum is not using SSL and therefore not affected by Heartbleed but yes, it "did" show up in 1Password (OSX) as a Watchtower candidate. Since the forums' server does not use SSL, it should not have been listed in Watchtower, right?

    Thanks,
    Lee

  • AMCarter3
    Community Member

    Meek, is there a way to manually remove a site from the Watchtower list? I have several sites that show up on the list, but I have already manually changed the password since April 18.

  • AMCarter3
    Community Member

    There are several sites on my Watchtower list that are not vulnerable to Heartbleed according to the Agilebits check process. Why are they on the list?

  • Meek

    Hi everyone,

    @LeeT, you are right - this forum should not have been on the Watchtower list. We are continuing to improve Watchtower - thanks for bringing this up!

    @AMCarter3, currently there is no way to manually remove a site from the Watchtower list. Thanks for pointing this out and letting us know that this is something you would like to see!

  • LeeT
    Community Member

    Thanks Meek, cheers!

  • AMCarter3
    Community Member

    Meek,

    According to the Watchtower list in my 1P app, I had 165 sites identified as vulnerable to Heartbleed. However, when I use your Watchtower webpage to verify IF each site actually is vulnerable, I'm seeing a good number of these 165 sites that are labeled as NOT vulnerable. So, I'm confused. Not only can I NOT remove a vulnerable site from the Watchtower list when I've already changed the password, it appears that some of the sites listed simply do not belong on the list. Can you explain why any sites NOT vulnerable to Heartbleed according to your site checker are listed as vulnerable?

  • Jasper

    Hi @AMCarter3,

    Please let us know an example (or two) of a website where the in-app Watchtower status does not match the website, and we can investigate.

  • AMCarter3
    Community Member

    Your Watchtower test states one or more of these statements regarding the example websites in my Watchtower List:
    • "This site is not vulnerable to Heartbleed."
    • "This site is not using SSL/TLS and is unaffected by Heartbleed."

    Examples: 1) cdw.com; 2) barackobama.com; 3) digg.com; 4) hertz.com; 5) landsend.com

  • diitto
    Community Member

    I'm seeing the same sort of thing.

    On one particular website

    https://www.liveandworkwell.com

    the WatchTower deal says,

    Vulnerability Alert - Change Password

    When you then click on the RED text, it says,

    We believe this website was recently vulnerable and has since been fixed. Please update your password right away.

    But then when I click on “learn more” it says,

    Status
    Never Vulnerable - This website was never vulnerable to Heartbleed.
    Recommended Action
    No special action is required for sites that were never vulnerable. You do not need to change your password if it was unique to www.liveandworkwell.com.
    If you reused the same password on www.liveandworkwell.com as you did for other websites then it is still at risk and you should change your password.

    So there's an example. Your thoughts on what's going on???

    thanks

  • Shen
    1Password Alumni
    edited May 2014

    Hello @AMCarter3 and @diitto,

    Thanks for the replies!

    Generally speaking, https://watchtower.agilebits.com only checks for a website's current vulnerability status.

    If https://watchtower.agilebits.com determines that a website is not vulnerable, then your account may still be at risk. A website's current vulnerability status does not provide any information about its past status. Therefore, the Watchtower integrated into 1Password may still suggest that you change your password, because that particular website may have been vulnerable in the past (although now it is safe).

    We are unable to determine whether a particular website was ever vulnerable or not unless concrete evidence from the administrators is provided to us. If we are able to obtain such information, https://watchtower.agilebits.com will display the website as never vulnerable. In these cases, you will not need to change your password.

    I'm aware that you may find a few discrepancies between the Watchtower integrated into 1Password and https://watchtower.agilebits.com. The development team will have to look into the situation.

    I hope that helped!

  • AMCarter3
    Community Member

    Thanks for the overview on how it works. Sounds like it is a "work in progress" and will continue to be refined.

    I also hope you will soon come up with a way for the user to remove sites on the list when the user (me for example) has already manually changed the password. In my case, and I assume this is true of many people, I reacted VERY QUICKLY when I learned about Heartbleed and immediately changed the passwords on my most important websites (financial, etc.). I didn't need you to tell me how important it was to do that.

  • Jasper
    edited May 2014

    Hi @AMCarter3,

    "I also hope you will soon come up with a way for the user to remove sites on the list when the user (me for example) has already manually changed the password."

    Thanks for letting us know you're interested in this! We're considering adding this ability in a future update. :)

    "I reacted VERY QUICKLY when I learned about Heartbleed and immediately changed the passwords on my most important websites (financial, etc.)."

    We store the vulnerability dates for each site we have in the database, which is usually based on the new SSL certificate's creation date (assuming the server is already patched). 1Password will then compare that date against your last password change (even if changed before Watchtower was integrated with the app). If the change was made after the vulnerability date, then it will not show up on the list. If it was made before, then it'll stay until you change the password.

    If one of your Logins is still marked with the Change Password alert, can you look at its last password change date via Show Previously Used Password in the item details, and then compare it on the website — was it made after or before the SSL certificate change?

    If a site is currently vulnerable to Heartbleed, then 1Password will say Avoid on the vulnerability alert and stick the Login item under the Avoid status in the Watchtower list.

    "Examples: 1) cdw.com; 2) barackobama.com; 3) digg.com; 4) hertz.com; 5) landsend.com"

    All of these examples are sites that could've been vulnerable previously, but are no longer vulnerable.

    www.cdw.com

    • Website server is not currently vulnerable to Heartbleed
    • Certificates were reissued on April 17, 2014
    • If your password has not been changed since April 17, 2014 then you should change it now.

    barackobama.com

    • Website server is not currently vulnerable to Heartbleed
    • Certificates have not yet been reissued
    • Because of this, it is recommended that you change your password for this site twice. Change the password now so any old data theft becomes useless to the attacker. Then wait until this website shows as fully fixed before changing your password a second time.

    digg.com

    • Website server is not currently vulnerable to Heartbleed
    • Certificates were reissued on April 10, 2014
    • If your password has not been changed since April 10, 2014 then you should change it now.

    hertz.com

    • Website server is not currently vulnerable to Heartbleed
    • Certificates have not yet been reissued
    • Because of this, it is recommended that you change your password for this site twice. Change the password now so any old data theft becomes useless to the attacker. Then wait until this website shows as fully fixed before changing your password a second time.

    www.landsend.com

    • Website server is not currently vulnerable to Heartbleed
    • Certificates were reissued on April 16, 2014
    • If your password has not been changed since April 16, 2014 then you should change it now.

    It is important that you update your password after a new SSL certificate has been issued. An attacker could have stolen the private key from the server before Heartbleed was fixed (assuming it was originally susceptible), therefore a new certificate needs to be issued for the site (and the old one revoked) for it to be considered fully secure.

    Please Note: For some sites (such as barackobama.com and hertz.com), we have no way to know if the site was ever vulnerable to Heartbleed. Some sites never were and won't need to upgrade OpenSSL or create new certificates. Contact them directly or check their blog for more detailed information. It is also possible that a reissued certificate will be incorrectly reported as old in some cases.

    I hope that helps! Please let us know if you have any other questions. :)
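
The decision rule Jasper describes above (compare the site's certificate reissue date with the login's last password change; mark currently vulnerable servers as Avoid; ask for two changes where certificates have not been reissued), together with Shen's point that a site confirmed never vulnerable needs no action, written out as a small Python triage routine. This is an added example, not 1Password's or AgileBits' code. The SiteRecord and Login fields, the status wording other than "Avoid" and "Change Password", the login dates and the two .example domains are constructed assumptions; the certificate reissue dates are the ones quoted in Jasper's post.

```python
"""Re-implementation of the Watchtower status rule described in the thread.
Constructed example; not the code 1Password ships."""
from dataclasses import dataclass
from datetime import date
from typing import Dict, Iterable, List, Optional

# Status labels. The first two match the labels used in the thread; the
# other two are our own wording for the remaining cases.
AVOID = "Avoid"
CHANGE_PASSWORD = "Change Password"
CHANGE_TWICE = "Change Password now, and again once certificates are reissued"
OK = "OK"


@dataclass(frozen=True)
class SiteRecord:
    """One row of the (assumed) vulnerability database."""
    domain: str
    currently_vulnerable: bool            # server still answers a malformed heartbeat
    cert_reissued: Optional[date] = None  # None: certificates not yet reissued
    never_vulnerable: bool = False        # confirmed by the site's administrators


@dataclass(frozen=True)
class Login:
    """A saved login; last_password_change is None when no history is known."""
    domain: str
    last_password_change: Optional[date]


def watchtower_status(site: SiteRecord, login: Login) -> str:
    """Apply the rule from the thread to one site/login pair."""
    if site.currently_vulnerable:
        # A new password sent to a still-leaking server would be exposed too.
        return AVOID
    if site.never_vulnerable:
        # Nothing to rotate (unless the same password was reused elsewhere).
        return OK
    if site.cert_reissued is None:
        # Patched, but the private key may have been stolen before the patch:
        # rotate now, and again after the certificate is replaced.
        return CHANGE_TWICE
    if login.last_password_change is not None and login.last_password_change > site.cert_reissued:
        # Rotated after the new certificate went live. A change on the same
        # day as the reissue is treated as "not after" and still flagged.
        return OK
    return CHANGE_PASSWORD


def triage(sites: Iterable[SiteRecord], logins: Iterable[Login]) -> Dict[str, str]:
    """Status per login domain; domains absent from the database get no alert."""
    by_domain = {s.domain: s for s in sites}
    result: Dict[str, str] = {}
    for login in logins:
        site = by_domain.get(login.domain)
        if site is not None:
            result[login.domain] = watchtower_status(site, login)
    return result


def needs_action(statuses: Dict[str, str]) -> List[str]:
    """Sorted domains whose status is anything other than OK."""
    return sorted(d for d, s in statuses.items() if s != OK)


# Certificate dates are those quoted in the thread; the two .example sites
# and all login dates are constructed for this example.
SITES = [
    SiteRecord("www.cdw.com", False, date(2014, 4, 17)),
    SiteRecord("barackobama.com", False, None),
    SiteRecord("digg.com", False, date(2014, 4, 10)),
    SiteRecord("hertz.com", False, None),
    SiteRecord("www.landsend.com", False, date(2014, 4, 16)),
    SiteRecord("www.liveandworkwell.com", False, None, True),
    SiteRecord("unpatched.example", True),
]

LOGINS = [
    Login("www.cdw.com", date(2014, 4, 20)),           # changed after reissue
    Login("digg.com", date(2014, 4, 9)),               # changed the day before reissue
    Login("www.landsend.com", None),                   # no change recorded
    Login("barackobama.com", date(2014, 4, 20)),       # certificates still old
    Login("hertz.com", None),
    Login("www.liveandworkwell.com", date(2013, 1, 1)),
    Login("unpatched.example", date(2014, 5, 1)),
    Login("forum.example", None),                      # not in the database
]

if __name__ == "__main__":
    for domain, status in sorted(triage(SITES, LOGINS).items()):
        print(f"{domain:28} {status}")
```

Run it and the last column is the alert each login would carry; only the three sites with a reissued certificate can ever be cleared by a password change, which is exactly why a site with an old certificate keeps reappearing after one rotation.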

  • AMCarter3
    Community Member

    Thanks, Jasper & Shen! I'm working my way through this. I do appreciate the help from you guys.

  • Jasper

    You're welcome, @AMCarter3! Please do let us know if you have any other questions. We're always here to help! :)

  • mikebore
    Community Member

    I seem to have gone to some sites to change my password and found that my old password is not being accepted by the site. Is it a common practice, post Heartbleed, for sites to force customers to create new passwords?

    Or maybe the sites in question are so old and have not been used for a few years that my account has just been cancelled.

  • Megan
    1Password Alumni

    Hi @mikebore,

    I can't speak for all websites, but I don't think that this would be a common practice. If a website wanted to encourage you to update your password post Heartbleed, I imagine they would send you an email with a 'reset your password' link. Simply locking your account seems like an odd procedure.

  • diitto
    Community Member

    But I'm still sort of hanging on my post from May 7th above where I pasted the results of one site that said,

    "On one particular website

    https://www.liveandworkwell.com

    the WatchTower deal says,

    Vulnerability Alert - Change Password

    When you then click on the RED text, it says,

    We believe this website was recently vulnerable and has since been fixed. Please update your password right away.

    But then when I click on “learn more” it says,

    Status Never Vulnerable - This website was never vulnerable to Heartbleed. Recommended Action No special action is required for sites that were never vulnerable. You do not need to change your password if it was unique to www.liveandworkwell.com."

    Since the status for this site says it was NEVER vulnerable, that sounds like Watchtower had received some firm information that the site was good and always had been. Yet still, Watchtower painted it red and suggested I change my password.

    Is that just a bug in Watchtower or is there something more such as some lack of knowledge of when security certificates were last updated or something??? I have a significant number of alerts I'm working on one at a time as I have time but I'd rather not be changing passwords unless it's really needed. And I have a pretty elaborate process I use for changing and remembering passwords so changing them is not a trivial matter. And speaking of certificates, a lot of information I see seems to be more about possibly outdated certificates than about Heartbleed vulnerabilities. I changed one set of passwords to cover the Heartbleed fix from a vulnerable to a non-vulnerable version of OpenSSL only to then discover that that particular site then updated certificates and I was then told I now needed to change the password again. It's almost a bit much. Sometimes I think it's a losing battle. That there are just more bad guys than good guys out there and in time, all our information is going to be theirs... sigh... just tired tonight... bob

  • AMCarter3
    Community Member

    One additional suggestion about managing the Watchtower List... I have one site on my list that involves a username and password that is only used to open a particular software app (Logitech Harmony Remote Software). It is not used to access an online account... except via this software. I suggest there really should be a way for the user to manually remove an item like this that does not belong on this list.

  • jpgoldberg
    1Password Alumni

    Hi @diitto

    I'm trying to figure out what is going on with www.liveandworkwell.com. For some reason, the database that is downloaded by 1Password seems to have this in it incorrectly. I honestly don't know why that isn't being updated properly. The data used within 1Password is actually generated by people using the website, so there really shouldn't be discrepancies (other than recent changes to the live database). I wish I knew what was going wrong here so that we could fix it.

  • jpgoldberg
    1Password Alumni

    You are absolutely correct @AMCarter3!

    As we further develop Watchtower, we will definitely be looking at ways for individuals to maintain a "manual override".

This discussion has been closed.