'Mail Secure Note' Massive security hole - confidence lost.

markv
Community Member

Your 'Mail Secure Note' feature is a massive security hole. It leads the user to believe they can SECURELY mail a Note (that's what it says on the tin).

That is absolutely not true as the resulting email can be totally understood by anyone in the world with a trial copy of 1Password. Your own documentation says the email is 'obfuscated' not encrypted.

My friend and I used this to copy our totally secure data to each other for the purpose of backup/redundancy. Now we know that anyone in the world who can hack an email has access to it.
I am VERY careful with my secure data and feel sick in the stomach that AgileBits have misled me to disclose my secure data to the world.

A search on the forum shows many, many people have been complaining about this for YEARS and it seems you have done NOTHING.

Either make the process secure or kill it.

Please respond within 7 days or this hits the I.T. press

If any of our accounts are unlawfully accessed in the near future, we will be coming for you



Comments

  • danco
    Volunteer Moderator

    I will leave it to those who know more to say whether there is any force in your post.

    But to me, I think you have simply misinterpreted what is being said on the tin.

    It does not say that you can securely mail a note, it says that a Secure Note (a category in 1PW) can be mailed, without any claim that the mailing is secure, just that you have chosen to mail an item securely stored in 1PW.

  • markv
    Community Member

    When you see 2 options: "Mail Secure Note" and "Mail as Plain Text", what inference would you draw?

  • Hi @markv,

    I'm sorry for any confusion caused by this feature. As danco mentioned "Secure Notes" are a category of item in 1Password (along with "Logins," "Identities," "Credit Cards," and others). The "Mail [category of item]" option obfuscates the item such that anyone you send it to who has 1Password can open the item, which is the point of the feature. If the item were encrypted by 1Password prior to transmission the recipient wouldn't be able to open it without knowing your Master Password. If it is possible to have a pre-shared secret with the receiving individual then it probably makes more sense to set up a shared vault, rather than sharing each individual item via mail. This is not always possible, however, which is why we offer this feature. The security of the item in transit largely depends on the method of transit you choose. We have a knowledge base article that details this available here:

    Is item and vault sharing safe?

    If you do not have a secure communication channel (such as encrypted email or iMessage) we'd recommend setting up a shared vault instead. The easiest way to share vaults is with 1Password for Families, or 1Password for Teams, whichever is more appropriate for your use case.

    Again I apologize for any confusion about what this feature does.

    Ben

  • markv
    Community Member

    Ben,
    Share [category of item] seems nothing more than a dangerous trap for users.

    The difference between "Mail Secure Note" and "Mail as Plain Text" is unclear.

    Even after reading the User Guide I believed the string of gobbledygook to be encrypted otherwise I would never have used it.

    ISTM that Mail Secure Note simply misleads the user, even after having read about 'Sharing an Item' in the User Guide.
    The item you quote does make the process clear but what level of research do you expect a user to go to before using a program feature?

    It sounds like you think everything is absolutely fine but I would request that (a) you make the icons clearer and (b) most definitely make the User Guide clear that it means obfuscation not encryption.

    A totally clear, but long winded pair of options would be:
    "Mail [category of item] obfuscated but not encrypted", "Mail [category of item] as Plain Text".

    It is spurious to bring in email encryption here. If you encrypt, you are perfectly safe using Mail as plain text.

    "Mail [category of item]" also waves a huge red flag by the presence of the string onepassword://
    A hacker simply has to look for that to be alerted to juicy content.

    Mark

  • Ben
    edited February 2016

    Mark,

    Thanks for your comments. I can definitely see your perspective, and hopefully we can come up with a way to improve here. While I agree your "Mail [category of item] obfuscated but not encrypted" suggestion is more clear, I'm not sure how practical it is to try and jam all that text onto that tiny button. ;)

    I'm not entirely sure what the practical solution is here, but I'll definitely bring the conversation up with our development and documentation teams.

    Thanks for keeping us honest.

    Ben

  • jhollington
    Community Member

    From a technical point of view, as @bwoodruff implies, there's really no technologically feasible way to mail a secure note to an unknown third party. That's just a function of the nature of encryption and the whole idea of a chain of trust that's been inherent since the first versions of PGP surfaced in the late eighties (I remember being involved in these discussions back then on Usenet and Fidonet :) ).

    While it would be cool for 1Password to enable some kind of web-of-trust PKI infrastructure for sharing items between vaults, that's probably outside of the scope of what 1Password is trying to accomplish right now, as there's a whole myriad of complex technical and trust issues around that (we can certainly dream, but I'd also love to hear @jpgoldberg weigh in on this one, assuming that it doesn't drag the thread off in a complicated direction :) ).

    At any rate, it doesn't change the key point that @markv is making, which is that the language used in the software is obviously misleading to the layperson. While anybody with an understanding of encryption would know that secure mailing in this fashion is unachievable, obviously 1Password shouldn't be designed only with the crypto-geeks in mind :) .... I'm not really sure either what language could be used to differentiate the obfuscated versus secure version, perhaps "Send as 1Password item" versus "Send as Plain Text" ... I'm not sure that would be clear either, but certainly it would be less misleading than "Send as Secure Note", I'm just not sure how much less :)

  • markv
    Community Member

    Thanks for all the thoughtful comments.
    It was only when importing the Mailed Secure Note that the penny dropped, when I wasn't asked for a password. Not sure if I was expecting to have to enter my password (pointless) or my friend's (breaching their security). Or for a new shared password set by the sending user when the [item] was exported (perhaps that could work).

    ISTM that the only benefit of the feature above Mail as Plain Text (which makes it scarily clear what you're doing) is a small amount of convenience on the receive/import side.

    The more I think about it, the presence of that plain text onepassword:// in the email is a worry because that really is a magnet for hackers. There couldn't be a more blatant way of flagging secure/sensitive data! If you hack an email server just search for that string.
    So sending as plain text would be real-world MORE secure as it's less likely to be noticed by the bad guys.

  • Ben
    edited February 2016

    I think that last bit may be a bit of a stretch, @markv. Don't you think they might search for password, if that is what they are looking for? ;) There is at least a hoop to jump through when sending the item obfuscated. There are no hoops when sending plain text.

    Not sure if I was expecting to have to enter my password (pointless) or my friend's (breaching their security). Or for a new shared password set by the sending user when the [item] was exported (perhaps that could work).

    If you have the ability to securely pre-share a password then you might as well share a vault instead of the individual items.

    The feature is primarily intended for things like sharing WiFi passwords, where A) it is unlikely that you've previously set up secure sharing with the receiving individual and B) the data is not of critical sensitivity. We need to do a better job of conveying this.

    Thanks!

    Ben
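
An added example, not part of the thread and not 1Password's code or share format, contrasting the two approaches discussed above: a keyless encoding that any recipient or interceptor can reverse, and an export encrypted under a passphrase the two parties agreed on out of band. The base64 stand-in for the obfuscation, the function names and the sample item are all assumptions made for illustration.

```javascript
// Added illustration; the formats below are NOT 1Password's real ones.
const crypto = require('crypto');

// Constructed sample item (not real data).
const item = { category: 'Secure Note', title: 'Home WiFi', notes: 'constructed-sample-value' };

// Keyless obfuscation (stand-in: base64 of JSON). No secret goes in,
// so no secret is needed to get the item back out.
function obfuscate(obj) {
  return Buffer.from(JSON.stringify(obj), 'utf8').toString('base64');
}
function deobfuscate(blob) {
  return JSON.parse(Buffer.from(blob, 'base64').toString('utf8'));
}

// Export under a pre-shared passphrase: scrypt derives the key,
// AES-256-GCM gives confidentiality plus tamper detection.
// Output layout (hypothetical): salt(16) | iv(12) | tag(16) | ciphertext
function encryptItem(obj, passphrase) {
  const salt = crypto.randomBytes(16);
  const iv = crypto.randomBytes(12);
  const key = crypto.scryptSync(passphrase, salt, 32);
  const cipher = crypto.createCipheriv('aes-256-gcm', key, iv);
  const ct = Buffer.concat([cipher.update(JSON.stringify(obj), 'utf8'), cipher.final()]);
  return Buffer.concat([salt, iv, cipher.getAuthTag(), ct]).toString('base64');
}

// Returns the item, or null if the passphrase is wrong or the blob was altered.
function decryptItem(blob, passphrase) {
  const raw = Buffer.from(blob, 'base64');
  if (raw.length < 44) return null; // too short to hold salt + iv + tag
  const salt = raw.subarray(0, 16);
  const iv = raw.subarray(16, 28);
  const tag = raw.subarray(28, 44);
  const key = crypto.scryptSync(passphrase, salt, 32);
  const decipher = crypto.createDecipheriv('aes-256-gcm', key, iv);
  decipher.setAuthTag(tag);
  try {
    const pt = Buffer.concat([decipher.update(raw.subarray(44)), decipher.final()]);
    return JSON.parse(pt.toString('utf8'));
  } catch (err) {
    return null; // GCM tag check failed
  }
}
```

The encrypted form only helps if the passphrase travels over a different channel than the email, which is the pre-shared-secret requirement Ben describes.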

This discussion has been closed.