Security of built in web browser

drbrady717
Community Member

How secure is the web browser built into 1Password? By this I mean can my web browsing history be tracked or uncovered?

Comments

  • Hi @drbrady717,

    This is an excellent question. Thanks for taking the time to write it up. Can I ask a clarifying question? What sort of attack vector are you concerned about? Are you thinking of someone getting their hands on your device being able to see what pages you've been to, or a malicious website tracking you?

    Please let me know. I've asked our security guru @jpgoldberg to take a look at this for you.

    Ben

  • jpgoldberg
    1Password Alumni

    Hi @drbrady717!

    As Ben mentioned, the answer depends on what sort of attacks you are considering. Very roughly speaking, 1Browser is a lot like Mobile Safari in its privacy behavior. 1Browser is not specifically built for anonymity.

    So someone monitoring your network traffic will be able to see what sites you visit (unless you use a VPN or similar), and the 1Browser does accept some sorts of HTTP cookies. You can clear cookies by going to Settings > 1Browser and tapping "Clear Web Data".

    Would you like to see a browser built for anonymity within 1Password? It isn't part of our design goals, but if people are interested in such a thing, it would be useful for us to get a better understanding of what it is that people need and want.

  • drbrady717
    Community Member

    Actually, I thought I was using a "private" browser. That would be very important to me. For instance if I were reviewing a financial website such as Wells Fargo I would like two things: 1) Assurance that someone monitoring my network traffic would not be able to see what site I visited and 2) The keystrokes I press would not be recorded. Also, is there a way to provide anonymity with your browser to stop a website from identifying me as well if I were to view say LinkedIn, but wouldn't want the site to know my identity?

  • littlebobbytables
    1Password Alumni

    Hi @drbrady717,

    When you say

    > stop a website from identifying me

    Do you mean by IP address?

    As for the monitoring of network traffic, it sounds like you'd be best served by a VPN connection which would be a device-wide setting. Now I'm not an iOS dev but I believe what we could do in this area would be limited due to the locked down nature of iOS. I suppose everything could be piped through a proxy using https but these don't seem popular at all in contrast to VPN servers where your options are far greater. As for recording keypresses, again due to how locked down iOS is the only way I can see that being possible is if you use a third party keyboard in iOS but another app couldn't. By default 3rd party keyboards are disabled in 1Password for iOS for this reason (but can be enabled by the user).

    I would surmise that a combination of using a VPN service and sticking only to Apple's keyboard would cover most of what you're looking for? Now I may be misunderstanding aspects of your request of course, that's one purpose of the dialogue, to properly understand each other :smile:

  • drbrady717
    Community Member

    I've narrowed it down to this request- When I use the built in to 1Password browser, I want to be assured that no hacker could ever monitor what websites I visit and that the information conveyed to and from the website is confidential/secure. This is most important to me in the financial world where I go from one institution to the next checking balances, making transfers etc... even logging in to PayPal. In other words, my motivation to use your browser over Safari or IE would be that you have achieved a higher security to prevent anyone from monitoring my activity. Otherwise, why wouldn't I just use standard browsers? I wouldn't want to set up a VPN myself but rather have 1Password make it secure on its own or set up a temp VPN automatically.

    Also, by third party keyboards, I use a physical keyboard attached through Bluetooth. Is this a 3rd party keyboard or do you mean something like a swipe keyboard app purchase?

  • > I've narrowed it down to this request- When I use the built in to 1Password browser, I want to be assured that no hacker could ever monitor what websites I visit and that the information conveyed to and from the website is confidential/secure.

    Using a VPN and from there an SSL connection (HTTPS) to the end-point is a good start. This prevents anyone on your WiFi network from sniffing your connection and also prevents anyone between the VPN server and the website you are connecting to's servers from sniffing the traffic.

    In most cases simply using SSL is good enough if you are on a trusted (e.g. your home) network.

    > Otherwise, why wouldn't I just use standard browsers?

    Because standard browsers on iOS can't fill your 1Password credit card and identity data. With the 1Password extension for Safari on iOS it can fill your credentials, which is a great first step, but there are still some functions that can only happen in 1Browser.

    > I wouldn't want to set up a VPN myself but rather have 1Password make it secure on its own or set up a temp VPN automatically.

    Thanks for the feedback. We're not currently in the VPN business (there are lots of other companies that already do this well, such as Cloak), but perhaps it is something we can consider for the future.

    > Also, by third party keyboards, I use a physical keyboard attached through Bluetooth. Is this a 3rd party keyboard or do you mean something like a swipe keyboard app purchase?

    That depends. Is it an Apple keyboard? If not, it is a 3rd party keyboard. But the kind primarily being referenced were software keyboards running on iOS.

  • jpgoldberg
    1Password Alumni

    Thanks for your update, @drbrady717:

    > I want to be assured that no hacker could ever monitor what websites I visit

    As Ben pointed out, the usual solution to this is to use some sort of VPN proxy. With this, all of your network traffic goes encrypted from your device to the VPN server. And then connection to the destination websites goes from the VPN servers. I personally use Cloak (Mac and iOS only) when I am on a local network that I do not trust (such as hotel or airport wifi).

    In a configuration like that the operators of the VPN have the capacity to see what sites you visit. And so if the VPN operators are evil, compromised, or compelled to be evil (through a subpoena, for example) then which sites you visit and when can be exposed. So you need to think about what resources your opponents might have. If you are trying to defend against a government or other similarly resourced adversary, then a service like that won't help.

    So if you are trying to maintain privacy of your action against "ordinary" criminals, then something like using Cloak should be fine. But if you are trying to defend against more serious attackers, then you should be using a TOR supporting browser (1Password's 1Browser is not such a browser.) Please take a look at the TOR (The Onion Routing) project for more details.

    I should point out that in addition to using good anonymizing software, there is a great deal of operational security that is required to remain anonymous against a powerful adversary. Even though Ross Ulbricht used Tor and the best cryptography and tools when operating as the Dread Pirate Roberts (DPR), he was identified and convicted largely through operational errors. One piece of evidence used at his trial is that Ulbricht and DPR used the same, uncommon, password for some sites.

    One thing that I recommend for those using TOR is that they create a separate 1Password vault for when using Tor and make absolutely sure that every password in the Tor vault is unique and no username is shared between the Tor and non-Tor Logins. But while 1Password can assist people in managing different identities with different vaults, it is not designed to be an anonymizing tool.

    > and that the information conveyed to and from the website is confidential/secure.

    This simply depends on the kinds of security the website uses. If you visit a website that does not use HTTPS, then the browser cannot really do much to help. So look for the lock icon in the location bar to let you know that you have an encrypted and authenticated connection.

  • drbrady717
    Community Member

    For me the Cloak VPN is what I was looking for at public places based upon your response. I do see why you cannot simply integrate that service into 1Password. However, a suggestion could be for 1Password Browser to "alert" me that my connection is insecure and I should consider a VPN or otherwise. Set up a list of trusted networks such as Home or at a relative's home or work where you are confident in the network. Then when 1Browser detects you are not on one of those networks (such as Starbucks) it alerts you to turn on Cloak.

    Another security question. I trust my home network against ordinary hackers, but can I trust AT+T cellular? Should I be using Cloak for internet traffic while on my iphone6?

  • drbrady717
    Community Member

    In response to littlebobbytables regarding 3rd party keyboards. I do use the iPad case keyboard with 1Password and I have never manually overridden the default "off" for 3rd party keyboards. Would this imply that it is safe since I'm referring to an actual hardware keyboard?

  • Hi @drbrady717,

    To comment on 3rd party keyboards - that setting is regarding software keyboards such as TextExpander, SwiftKey, etc. A keyboard case is an actual keyboard. The app has no visibility on hardware Bluetooth keyboards as it is handled entirely by the OS. Though they're relatively secure, there can be some issues such as this one: https://discussions.apple.com/thread/6808705

  • jpgoldberg
    1Password Alumni

    This is a really interesting question:

    > I trust my home network against ordinary hackers, but can I trust AT+T cellular? Should I be using Cloak for internet traffic while on my iphone6?

    Your mobile cellular communication is protected against "ordinary hackers".

    Of course, AT&T (just as the ISP you use from home) is in a position to do a lot of mischief. Both will routinely hand over what data they normally have to law enforcement. They can also specifically "tap" your line for more information. HTTPS and other end-to-end encryption means that they should not be able to see the content of the traffic, but they will be able to see where traffic is going to and from.

    There is a way for a step above "ordinary" hackers to get location information on cell phones. This is to use "fake" cell phone towers to gather phone ID information. Law enforcement appears to be using these to help track specific suspects but these collect the movements of anyone within range of that "tower". We really don't know how they are used because law enforcement agencies are reluctant to explain their use. See https://www.aclu.org/maps/stingray-tracking-devices-whos-got-them for a bit more information.

    I do not know specifically of any evidence of non-LE entities using those devices, but I'm not aware of any technological barriers that would prevent them from doing so.

This discussion has been closed.