Windows version 4.6 introduced OpenSSL 1.0.2c [Will be updating to 1.0.2d soon]

dschaaf
Community Member
edited July 2015 in 1Password 4 for Windows

The release notes for 4.6, which I just installed, report it is using OpenSSL 1.0.2c.
According to this recently released vulnerability note, this should be upgraded to 1.0.2d.
Is there a security update planned?

https://www.openssl.org/news/vulnerabilities.html
CVE-2015-1793: 9th July 2015
An error in the implementation of the alternative certificate chain logic could allow an attacker to cause certain checks on untrusted certificates to be bypassed, such as the CA flag, enabling them to use a valid leaf certificate to act as a CA and "issue" an invalid certificate. (original advisory). Reported by Adam Langley and David Benjamin (Google/BoringSSL).
Fixed in OpenSSL 1.0.2d (Affected 1.0.2c, 1.0.2b)
Fixed in OpenSSL 1.0.1p (Affected 1.0.1o, 1.0.1n)


1Password Version: 4.6.0.582
Extension Version: Not Provided
OS Version: Not Provided
Sync Type: Not Provided

Comments

  • AGAlumB
    1Password Alumni
    edited July 2015

    @dschaaf: It's definitely on the agenda, but it's important to note that 1Password isn't running a webserver at all, and it also isn't loading webpages for you either; this is your browser's job.

    1Password for Windows does not use OpenSSL for its update checks (really the only thing 1Password needs to connect to the internet for). OpenSSL, by default, blindly trusts any certificate the remote server appears to send to the client. Instead, we will always examine the certificate chain, check for expired certificates, and validate the server name, which...of course we're validating our own servers here and not anyone else's.

    On a side note, it's great to see that OpenSSL is getting the attention it so sorely needs. And while we'll certainly be updating OpenSSL, it isn't the pressing issue for 1Password that it is for browsers and webservers. I hope this helps. Let me know if you have any other questions! :)

  • Just to be clear, we will be updating to the OpenSSL 1.0.2d version very soon. Right now, it is not a vulnerability that impacts 1Password or your data overall as Brenty mentioned.
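The replies above describe three client-side checks (walk the certificate chain, reject expired certificates, validate the server name) and the advisory describes the one OpenSSL 1.0.2c skipped (the CA flag on an issuer). As an added example, written for this page and not 1Password's own code, the Go snippet below builds a constructed in-memory chain and applies those checks; a leaf certificate that tries to act as an issuer is refused. `must` and `mint` are hypothetical test helpers, and every certificate and hostname here is constructed.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)
// must and mint are hypothetical helpers: mint issues a cert for cn signed by parent (self-signed when nil).
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

func mint(cn string, isCA bool, parent *x509.Certificate, parentKey *rsa.PrivateKey) (*x509.Certificate, *rsa.PrivateKey) {
	key := must(rsa.GenerateKey(rand.Reader, 2048))
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		DNSNames: []string{cn}, BasicConstraintsValid: true, IsCA: isCA,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
	}
	signer, signerKey := tmpl, key
	if parent != nil {
		signer, signerKey = parent, parentKey
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey))
	return must(x509.ParseCertificate(der)), key
}

// CheckChain takes the server leaf first and the trusted root last: validity period, CA flag on every issuer, signature, hostname.
func CheckChain(chain []*x509.Certificate, host string, now time.Time) error {
	for i, c := range chain {
		if now.Before(c.NotBefore) || now.After(c.NotAfter) {
			return fmt.Errorf("%q is expired or not yet valid", c.Subject.CommonName)
		}
		// The check CVE-2015-1793 let OpenSSL skip: every issuer above the leaf must assert cA=TRUE.
		if i > 0 && (!c.BasicConstraintsValid || !c.IsCA) {
			return fmt.Errorf("%q is a leaf, not a CA; refusing it as an issuer", c.Subject.CommonName)
		}
		if i > 0 && chain[i-1].CheckSignatureFrom(c) != nil {
			return fmt.Errorf("%q is not signed by %q", chain[i-1].Subject.CommonName, c.Subject.CommonName)
		}
	}
	return chain[0].VerifyHostname(host)
}
```

Go's own `x509.Verify` performs the same CA-flag check; the explicit version here exists only to make the step the advisory describes visible.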
