Had to disable code signature to make 1Password work in Chrome

This discussion was created from comments split from: Extension not working in Chrome.

Comments

  • Julien4
    Community Member

    I've disabled the 'verify web browser code signature' as Dbrown has advised above and after reinstalling the browser extension, it now works.

    Is there any security issue with leaving this disabled?

  • MikeT
    edited October 2015

    Hi @Julien4,

    I've split your post from the other threads as there could be different reasons for this to work.

    Yes, there can be security risks by leaving it disabled. Basically, if you download an infected copy of your browser, 1Password extension in that browser could be attacked from within. You can find more information here: https://support.1password.com/disable-browser-validation/win.html

    Can you tell me what anti-malware solution you have? We've provided guides for some anti-malware solutions to adjust it to allow 1Password to work with its code signature turned on: https://support.1password.com/extension-troubleshooting/

  • Julien4
    Community Member

    I have the brand new version of Bitdefender Total Security 2016

  • MikeT
    edited October 2015

    Hi @Julien4,

    We haven't tested the new 2016 version, we'll take a look and see what you need to do to let 1Password work with it.

  • Hi @Julien4,

    I have good news and bad news:
    We've tested Bitdefender Total Security 2016 and found no issues with 1Password at default settings with all protection components activated.

    Are you using any other anti-malware software? Or have you changed settings in Bitdefender Total Security?

  • Julien4
    Community Member

    Hi Alex, as far as I know, I have not changed the settings but I installed this a while ago.

    I have Windows Defender (which is turned off) but aside from that I have no other anti-malware that I can tell. Is there a support number I can just call to troubleshoot this over the phone?

  • AGAlumB
    1Password Alumni

    @Julien4: We're a small team and don't have the means to provide inbound phone support, so we try our best to solve problems via forums or email if at all possible. For example, it is impossible to receive a Diagnostics Report over the phone, and following steps at your own pace is a huge advantage of forum and email support.

    But of course if you would prefer email support, you can email us instead: support+forum@agilebits.com. It is the same team of people replying both here and via email, but if you prefer email, please do include a link to this thread in your email, along with your forum username so that we can "connect the dots" and attach a Diagnostics Report, which can give us some insight into what's happening in your case. You should receive an automated reply from our BitBot assistant with a Support ID number. Please post that number here so we can quickly track down your email and ensure that it is dealt with quickly. Thanks in advance! :)

  • Julien4
    Community Member

    Hey guys, a better question for me would be: Is this really something even worth bothering to deal with? I'm a business owner and there are 101 things I need to do every day. What kind of threat level does this actually pose to me? Typically I would delegate something like this but employees do not get involved with my 1Password account for security reasons. I'm pretty tech savvy with software etc. but not when it comes to troubleshooting stuff like this.

    I need to weigh the risk against the time it's going to take to deal with this. Please advise.

  • Hey @Julien4,

    Assessing the potential risk of this is not an easy thing to do. Generally, using code signature verification is a meaningful measure to reduce the risk of handing information to a fake/malicious browser.

    My colleague @AGKyle has a good explanation of what code signature verification does:

    Basically developers can "sign" an application and the operating system will do a check to make sure that the code is signed and matches what the public key says. Imagine it like an encrypted email. The developer signs the application with their private key, the public key can then be used to make sure that the application is signed by the person claiming to have signed it. Note that even malicious developers can sign their app, signing can tell you if the keys match and the application is signed by the key. But you can also check who signed it. That's what we do, we validate that the application is signed and the signer is who you expect it to be.
    In version 1 of 1Password for Windows (and version 3 and earlier on Mac) we did not validate this because it wasn't highly used. It's now being used for nearly everything of value so it makes sense to use it.

    What this ultimately provides you is a way to determine if an application has been tampered with. If a malicious user for example downloaded Firefox and altered the code and recompiled they could then insert this recompiled version into a targeted computer and it would do what they wanted it to do. Perhaps they modify it to grab all keys typed into the application. This is all hypothetical. The malicious person would still need access to your computer, either remotely or locally. That's a bit outside the scope of this discussion but to modify the application they would have to have:

    a) Local access to your computer
    b) Remote access to your computer
    c) Access to the Firefox servers to upload his modified version of the application in place of the official one
    d) Bypass the Firefox servers, sending users to another server that has his modified version on it

    Make sense so far?

    c and d are pretty unlikely to ever happen but it's theoretically possible. a and b are far more likely but if you are careful with your computer setups, download only trusted software, then you shouldn't have any problems.

    Now, if you disable the code signing check then we'd never check that Firefox comes from Mozilla, or IE comes from Microsoft, or Chrome comes from Google, etc. This means you have a possible vector of attack by a malicious user. Is it likely? Probably not, someone would have to target you very specifically.

    In my personal opinion, if you're on a PC that is running an up-to-date version of Windows, has anti-malware software with updated threat signatures installed, and you're only ever installing software, especially browsers, from trusted sources, then I would consider the risk fairly low.

    We would love to see this fixed for you and the option enabled but that's up to you.

    Cheers!
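
    The two-step check Kyle describes (is the signature valid, and is the signer who you expect) can be reproduced on Windows with PowerShell's built-in Authenticode cmdlet. This is an added illustration, not 1Password's own validation code; the browser path and the publisher string it matches on are assumptions for your environment.

```powershell
# Added example (not 1Password's code). Mirrors the explanation in the post:
# step 1 asks "is this binary signed and untampered?", step 2 asks "who signed it?".
# A valid signature alone is not enough: anyone, including a malicious developer,
# can sign an executable, so the signer identity must also match expectations.
function Test-BrowserSignature {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $ExpectedPublisher   # assumption: e.g. 'Google', 'Mozilla', 'Microsoft'
    )

    $sig = Get-AuthenticodeSignature -FilePath $Path

    # Step 1: signature present, hash matches the file, and the certificate chains to a trusted root.
    # A recompiled/altered browser fails here with HashMismatch or NotSigned.
    if ($sig.Status -ne 'Valid') {
        return [pscustomobject]@{
            Path   = $Path
            Ok     = $false
            Reason = "Signature status: $($sig.Status) - $($sig.StatusMessage)"
        }
    }

    # Step 2: check the signer's identity, not just that a signature exists.
    # Matches on the Organization (O=) field of the signing certificate's subject.
    $subject = $sig.SignerCertificate.Subject
    if ($subject -notlike "*O=$ExpectedPublisher*") {
        return [pscustomobject]@{
            Path   = $Path
            Ok     = $false
            Reason = "Validly signed, but by '$subject', not by $ExpectedPublisher"
        }
    }

    [pscustomobject]@{
        Path   = $Path
        Ok     = $true
        Reason = "Valid signature from $subject (thumbprint $($sig.SignerCertificate.Thumbprint))"
    }
}

# Example run. The install path is an assumption; Chrome may live under
# "Program Files (x86)" or the user's LocalAppData on some systems.
Test-BrowserSignature -Path "$env:ProgramFiles\Google\Chrome\Application\chrome.exe" -ExpectedPublisher 'Google'
```

    If `Ok` comes back `$false` on a browser you installed from the vendor, that is worth investigating before turning a verification option off; if it comes back `$true` while 1Password still refuses to connect, the cause is more likely something interposing on the browser, which is where the anti-malware guides linked earlier in the thread come in.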

  • Julien4
    Community Member

    Hey Alex,

    Thanks very much for providing that info. It's enough for me to make the decision!

    Cheers

  • On behalf of Alex and Kyle, you're welcome.

    Please note that sometimes we also add security checks in place where we think a range of attack vectors is more likely in the near future. It's better to have a product that has a plan for something in the future than to have a program that needs to be updated after the attack occurs. It's better to be safe than sorry.

This discussion has been closed.