Warning user when incoming form is sent insecurely (clarification)

casein2006
Community Member
edited June 2014 in Lounge

I was instructed by the 1Password twitter account that it'd be best to continue the conversation being had on here for further clarification.

Steve Gibson on this week's Security Now podcast (http://twit.tv/show/security-now/461) talked about how a webpage could be downloaded securely over HTTPS, but a form (i.e. to enter credit card info) could be sent over HTTP and therefore could have been tampered with. He mentions a feature of LastPass where it will detect the incoming form and whether or not it is being downloaded over HTTPS, and if not will warn the user. There seemed to be some confusion in the Twitter conversation. It was stated that 1Password doesn't autofill anything when a page downloads until a user invokes it via an action with 1Password to enter in account info etc.

What I was asking about with 1Password possibly doing this (and what Steve argues) is that yes, 1Password will not send your info in an insecure form without the user specifically choosing to, but if the form has been insecurely sent to the user, then all they might see is the padlock up by the URL they are currently on in their browser and assume that everything they are seeing is being sent securely, not knowing however that the sensitive information they are entering into the form and submitting is not secure and could have been tampered with, therefore sending it all to an attacker etc.

All LastPass simply does is check the form being downloaded to see if it has been sent over HTTPS and if not lets the user know. Correct me if I'm wrong in my understanding, but I feel like I generally understand. It would be awesome if 1Password would be able to do this. When the feature was mentioned, I immediately wanted it in 1Password.

I was instructed to post this here since it applies to multiple platforms and an admin could move it if necessary. Oh, and by the way, Steve starts talking about this in the above SN episode at 1:30:04.

Thanks!
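An added example (my own code, not 1Password's or LastPass's) of the check being discussed: given the top-level page URL and the forms on it, it reports any form whose markup was fetched over plain HTTP or whose action would submit over HTTP while the address bar shows an HTTPS padlock. The page URL and form objects are constructed sample data; in a browser extension they would come from `document.forms` and each form's owning document.

```javascript
// Resolve a form's action the way the browser will: an empty action submits
// to the document's own URL, a relative action resolves against the document,
// and an absolute "http://..." action is the downgrade case we want to catch.
function resolveAction(documentUrl, action) {
  if (!action) return new URL(documentUrl);
  return new URL(action, documentUrl);
}

// Audit one form. `form` is a plain object: { id, action, documentUrl }.
// `documentUrl` is the URL of the document that actually contained the form
// markup (an iframe may differ from the top-level page); defaults to topUrl.
function auditForm(topUrl, form) {
  const top = new URL(topUrl);
  const doc = new URL(form.documentUrl || topUrl);
  const target = resolveAction(doc.href, form.action);
  const problems = [];
  // Padlock shown for the page, but the form itself arrived over HTTP:
  // an attacker on the path could have rewritten the form before it was seen.
  if (top.protocol === 'https:' && doc.protocol !== 'https:') {
    problems.push('form markup was loaded over ' + doc.protocol);
  }
  // Padlock shown, but the submission itself would leave over plain HTTP.
  if (top.protocol === 'https:' && target.protocol !== 'https:') {
    problems.push('form submits to ' + target.origin + ' over ' + target.protocol);
  }
  return { id: form.id || '(unnamed)', target: target.href, problems };
}

// Return only the forms a user should be warned about before filling them.
function insecureForms(topUrl, forms) {
  return forms.map(f => auditForm(topUrl, f)).filter(r => r.problems.length > 0);
}

// Constructed sample: an HTTPS checkout page containing three forms.
const SAMPLE_PAGE = 'https://shop.example/checkout';
const SAMPLE_FORMS = [
  { id: 'search', action: '/search' },                   // fine: resolves to https
  { id: 'card', action: 'http://pay.example/submit' },   // submission downgraded to http
  { id: 'login', action: 'https://shop.example/login',
    documentUrl: 'http://widgets.example/login-frame' }, // markup came from an http frame
];

function demo() {
  return insecureForms(SAMPLE_PAGE, SAMPLE_FORMS);
}

for (const r of demo()) console.log(r.id, '->', r.problems.join('; '));
```

When reading `action` from a real DOM node, use `form.getAttribute('action')` rather than `form.action`, since the property can be shadowed by an input named "action".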

Comments

  • casein2006
    Community Member

    bump?

  • khad
    1Password Alumni

    Sorry for the delay, @casein2006. I should have replied sooner to let you know that I pinged our Chief Defender Against the Dark Arts, but he has been pretty busy lately. I can't promise a time frame, but we'll get you more info as soon as possible. :)

  • jpgoldberg
    1Password Alumni
    edited April 2015

    Hi @casein2006!

    Sorry for taking so long to get back to you.

    You are absolutely right. Going from HTTPS to HTTP is an extreme example of what is called a "downgrade attack." 1Password should, indeed, work to prevent these. We have already done so in 1Password for Windows 4.0.0.492, but haven't yet brought this to the Mac and iOS.

    ref: OPM-1992

This discussion has been closed.