Chrome Plugin not recognizing sites that are different HTTP type (SSL or not SSL)
(Hope the title wasn't too confusing.)
Since upgrading to 4.x, the Chrome plugin doesn't recognize sites if I come to it with a different security than what I saved it with. Example:
- Saved the password for https://www.aa.com
- Visited http://www.aa.com
- 1Password doesn't recognize that it has a saved password for this site.
If I go and edit the saved password to have both http and https URLs, then it works as expected.
This is pretty annoying because there's a lot of sites that use both modes. I'm pretty sure the older version didn't behave like this. I definitely would have noticed it.
Comments
-
This is by design. It is still stop you from mistakenly filling your credentials in a malicious site preventing to be the real one.
Why would you want to login to an HTTP site when there is an HTTPS version available?0 -
@eliot When you log into a HTTP site, then your credentials fly over the wire unencrypted. This is a dangerous situation when you're on a public Wi-Fi network, where anyone with a Pineapple can snoop on you. This is why we won't match your HTTPS login items with a HTTP site.
ref: OPW-196
0 -
(Sorry I didn't reply earlier... I did not get any email notification of new messages.)
@svondutch Ok, that sounds fair... But is this new? Because now I am left with a ton of bookmarks that need to be edited. It's a huge pain and really frustrating.
0 -
But is this new?
Yes. We introduced this after this August 21 Usenix Security Symposium paper: https://www.usenix.org/conference/usenixsecurity14/technical-sessions/presentation/silver
This security measure protects you from the SSLStrip man-in-the-middle attack.
0 -
@svondutch Thanks for the info.
I have installed HTTPS Everywhere to help save me a step and a little irritation. https://www.eff.org/https-everywhere
0 -
That’s great news, @eliot—thanks for letting us know!
0
