Chrome Plugin not recognizing sites that are different HTTP type (SSL or not SSL)

(Hope the title wasn't too confusing.)

Since upgrading to 4.x, the Chrome plugin doesn't recognize sites if I come to it with a different security than what I saved it with. Example:

  1. Saved the password for https://www.aa.com
  2. Visited http://www.aa.com
  3. 1Password doesn't recognize that it has a saved password for this site.

If I go and edit the saved password to have both http and https URLs, then it works as expected.

This is pretty annoying because there's a lot of sites that use both modes. I'm pretty sure the older version didn't behave like this. I definitely would have noticed it.

Comments

  • RichardPayne
    Community Member

    This is by design. It is to stop you from mistakenly filling your credentials in a malicious site pretending to be the real one.
    Why would you want to login to an HTTP site when there is an HTTPS version available?

  • svondutch
    1Password Alumni
    edited October 2014

    @eliot When you log into an HTTP site, then your credentials fly over the wire unencrypted. This is a dangerous situation when you're on a public Wi-Fi network, where anyone with a Pineapple can snoop on you. This is why we won't match your HTTPS login items with an HTTP site.

    ref: OPW-196

  • eliot
    Community Member

    (Sorry I didn't reply earlier... I did not get any email notification of new messages.)

    @svondutch Ok, that sounds fair... But is this new? Because now I am left with a ton of bookmarks that need to be edited. It's a huge pain and really frustrating.

  • svondutch
    1Password Alumni

    But is this new?

    Yes. We introduced this after this August 21 Usenix Security Symposium paper: https://www.usenix.org/conference/usenixsecurity14/technical-sessions/presentation/silver

    This security measure protects you from the SSLStrip man-in-the-middle attack.

  • eliot
    Community Member

    @svondutch Thanks for the info.

    I have installed HTTPS Everywhere to help save me a step and a little irritation. https://www.eff.org/https-everywhere

  • DBrown
    1Password Alumni

    That’s great news, @eliot—thanks for letting us know!

This discussion has been closed.
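
The matching rule discussed in this thread (an HTTPS login item is not offered on an HTTP page), sketched as an added example; it is not 1Password's code and not part of the original posts. The function names, the item shape, the exact-hostname comparison and the choice to allow an HTTP-saved item on the HTTPS page are assumptions made for illustration.

```javascript
// Added example: scheme-aware matching of saved logins against the current page.
// Names, item shape and exact-hostname matching are assumptions, not a product API.
const WEB_SCHEMES = new Set(["http:", "https:"]);

function checkUrl(savedUrl, pageUrl) {
  let saved, page;
  try {
    saved = new URL(savedUrl);
    page = new URL(pageUrl);
  } catch (e) {
    return { fill: false, reason: "unparseable-url" };
  }
  if (!WEB_SCHEMES.has(saved.protocol) || !WEB_SCHEMES.has(page.protocol)) {
    return { fill: false, reason: "unsupported-scheme" };
  }
  // Exact hostname comparison; URL() has already lowercased both hostnames.
  if (saved.hostname !== page.hostname) {
    return { fill: false, reason: "host-mismatch" };
  }
  // The case from the thread: item saved over HTTPS, page served over HTTP.
  if (saved.protocol === "https:" && page.protocol === "http:") {
    return { fill: false, reason: "scheme-downgrade" };
  }
  // Assumption: an item saved over HTTP may still be offered on the HTTPS page.
  const exact = saved.protocol === page.protocol;
  return { fill: true, reason: exact ? "exact" : "scheme-upgrade" };
}

// An item may list several URLs (the workaround of saving both http and https).
function fillableItems(items, pageUrl) {
  return items
    .filter((item) => item.urls.some((u) => checkUrl(u, pageUrl).fill))
    .map((item) => item.title);
}

// Constructed sample vault for the demonstration.
const SAMPLE_ITEMS = [
  { title: "AA (https only)", urls: ["https://www.aa.com"] },
  { title: "AA (both schemes)", urls: ["https://www.aa.com", "http://www.aa.com"] },
  { title: "Legacy forum", urls: ["http://forum.example.org/login"] },
];

console.log(fillableItems(SAMPLE_ITEMS, "http://www.aa.com/"));
console.log(checkUrl("https://www.aa.com", "http://www.aa.com/login"));
```
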