Invalid Server Certificates - problems for admins using latest version of 1Password
Hi guys, the latest version of the app with the new https check now refuses to load pages with self-signed SSL certificates. This sounded good when you added it I'm sure but you forgot that a lot of us out here use the 1password built-in browser to manage servers via web interfaces. These interfaces are invariably using self-signed SSL certs. Oh dear. :)
Instead of a refusal to continue could you change the behaviour to warn and give the option to continue as other browsers do? Lastpass recently made a design mistake very similar to this and have now fixed it, please do the same. :)
Other than that great apps, used them for ages and love them. Especially the Dropbox sync. Great job, thanks.
1Password Version: Latest
Extension Version: Not Provided
OS Version: iOS latest
Sync Type: Dropbox
Comments
-
Exact same problem.
Warning was given in previous version but now fails.
Please revert to previous behavior or better yet add security setting that allows mis-matched certs.
0 -
Me too. I connect to SecuritySpy's built in ssl web server. Before, I wanted 1P to save accepted certificates so I don't get the warning every time. Now, instead of addressing that, it has taken a step backwards as I can't even connect. Boo, hiss.
0 -
Same Problem here. I have to connect to a private mail server with a self signed SSL certificate and since the new version I can't connect anymore.
Please fix this :-)Thanks.
0 -
Hi @robcha, @escolar, Nunuv and @bonsaipappel ,
I sincerely apologize for the trouble here. Our developers are currently looking into this issue. It appears to be related to the API that we're using, and we've filed appropriate rdars with Apple. We are also investigating how to fix this on our own end. I've added your comments to the issue in our internal tracker, and we'll do what we can to have this resolved for you soon.
ref: OPI-2914
0 -
Thank you Megan. Appreciate the quick response.
0 -
Thanks for the quick relpy.
0 -
Thanks Megan. :)
0 -
Hi everyone,
Just to follow-up, our current 'workaround' is to access these sites in mobile Safari, where you'll have the ability to trust those certificates and move on. We'll keep you updated if this changes. :)
0 -
@Megan That workaround doesn't work for httpauth logins because httpauth pops up a dialog box to fill in, and the share sheet (1P extension) can't be accessed at that point.
0 -
Hi Nunuv,
Yep -- a fair point. Copying & pasting is probably your best bet for those.
Ben
0 -
Latest update for iOS9 doesn't solve this issue.
Is a fix forthcoming?
0 -
One more reason why I prefer to to use the 1browser instead copy/paste:
Update: XcodeGhost Attacker Can Phish Passwords and Open URLs through Infected Apps
Read and write data in the user’s clipboard, which could be used to read the user’s password if that password is copied from a password management tool.
0 -
@Nunuv Yurbiz: Indeed. I prefer 1Browser myself too, but more from a convenience standpoint in most cases. Hopefully Apple will be able to check for this malware going forward.
But in the mean time keep in mind that 1Password isn't copying any of your data to the clipboard itself. Your password, for example, will only end up there if you explicitly copy it. Now, it's important to note that any app on any OS can access any information you copy to the clipboard if it is running. But with 1Password on iOS, we have a few saving graces:
- Apps do not stay running indefinitely, so for the most part you would need to
1
copy some sensitive data to the clipboard and then2
open a malicious app that wants to collect your data. - In 1Password, you can manage how long these stay in the clipboard. Just go to Settings > Security > Clear Clipboard, and you can set it to 30s, 60s, 90s, 2m, or 3m to ensure that you have a little buffer, but that your password doesn't hang around forever even when you do need to copy it.
- And last but not least, even if you copy a password to the clipboard and then immediately switch to a malicious app that steals it, since 1Password won't copy the rest of your login details (username, and even a website that it belongs to) it will be difficult for anyone to do anything with the password alone.
So while there are definitely risks, there are things that we can do to mitigate them. Cheers! :chuffed:
0 - Apps do not stay running indefinitely, so for the most part you would need to
-
Turning back to this, it continues to irritate me that the 1Browser doesn't give the option to approve a suspect certificate (Safari for iOS does).
But there are a couple of workarounds using http auth: (1) use another browser that stores and fills in http auth requests (such as Atomic, unlike Safari), (2) put the username and password in the URL. (For example, https://username:password@ipaddress). I created a bookmark in Safari using the second option (it is an SSL connection but Safari warns that it could be phishing - since it's my server that's OK). That said, the username and password (with the IP address) are now stored outside 1Password. Since the connection is secure, that seems to incrementally increase the exposure should someone get access to one of my devices. But my devices are secure, so it's a risk I'm OK with, for now.
So now I use Safari, which bypasses (fills in) the http auth request, and other than the phishing warning, it works great.
0 -
Thanks for the update, @Nunuv Yurbiz. If you are comfortable with storing your credentials inside a bookmark, then by all means... but we would not necessarily recommend other customers follow suit. At least not without being fully apprised of the security risks.
Currently neither Safari nor WKWebView (the Apple API we use to make 1Browser..., well, ... a browser) have any hooks to allow filling into HTTP auth requests, which is a separate but equally challenging issue.
We'll continue to effort on this, but our primary focus is with the Safari extension as far as browsing on iOS goes. 1Browser is mostly a holdover from a time prior to extensions on iOS existing, and so I would not expect to see updates there in the immediate future.
Thanks.
Ben
0 -
That said, the username and password (with the IP address) are now stored outside 1Password. Since the connection is secure, that seems to incrementally increase the exposure should someone get access to one of my devices. But my devices are secure, so it's a risk I'm OK with, for now.
@Nunuv Yurbiz: This is a really clever solution, but it terrifies me. I'd forgotten about the old URL username:password argument, but it's important to note that an HTTPS connection does not protect this information; the URL (and your login credentials, as part of it) is sent in the clear over whatever connection you're using.
If you're at home, this is visible to anyone on your local network and "just" your ISP in transit. On any other network, who can see the URL will depend on who controls the network and who else is using it. URLs are always sent in the clear before, during, and apart from a secure connection, since there's no other way to determine which page should be served — with one exception: if you use a VPN tunnel, the sites you visit will only be viewable to the VPN provider. I hope this helps clarify things. Knowing is half the battle. Secure practices are the other half. :sunglasses:
0 -
Oh, I see. Yeah, that's not good. Arrrgh.
0 -
I'm sorry that there isn't currently a more convenient solution here, Nunuv. As Apple continues to improve Safari and WKWebView we'll look for improvements in this area, and if there are changes we can make to make life easier we will certainly look into that.
Ben
0 -
our primary focus is with the Safari extension as far as browsing on iOS goes
Can you do a minor update to make it so tapping on a URL inside 1Password by default opens it up in Safari?
0 -
If you press and hold on the URL you'll be given the option to open it in Safari. :)
Hope that helps.
Ben
0 -
@bwoodruff
Yeah, I know but it's the "and hold [and select the option to open it in Safari]" part I'm hoping to avoid. So it would be great if opening in Safari was the default (i.e.., just tap the URL).0 -
Thanks for the feedback. :)
Ben
0