Is 1Pw for Teams/Families vulnerable to the DROWN attack? [Teams is not vulnerable to DROWN]

ntimo
Community Member
edited March 2016 in Business and Teams

Hello,
Is 1Pw for Teams affected by the DROWN attack? More information about it can be found here: https://drownattack.com/

Thx Timo :)


1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Sync Type: Not Provided

Comments

  • julie-tx
    1Password Alumni

    @Timo -

    All of the 1Password for Teams based products, which includes 1Password Families, use multiple layers of encryption to protect the data in-flight as well as at-rest.

    The DROWN attack affects one of the two in-flight encryption layers - SSL/TLS - but does not affect the other (256-bit session-key encryption of the encrypted payload data) or the at-rest encryption layer (256-bit AES keys used to encrypt the actual data). Those two layers of encryption are completely unaffected by DROWN. Briefly digressing, your data is first encrypted with the various vault keys. It is then encrypted using the 256-bit AES session key. That twice-encrypted data is again encrypted a third time in the usual manner by SSL/TLS.

    DROWN is a cross-protocol attack. That is, if our certificates are used with a server which is affected by DROWN, that would affect the security of that same certificate with the 1Password for Teams servers. There have been a fairly large number of attacks against SSL/TLS over the years, with Heartbleed perhaps being the worst prior to DROWN. 1Password for Teams was designed to function in an environment in which SSL might be vulnerable to an existing or future attack. SSL/TLS is a session encryption technology - each session is encrypted using keys which are only valid for that session. 1Password for Teams provides an additional session-based encryption layer precisely to protect against unknown future vulnerabilities within SSL/TLS itself.

    All of this is a very long way of saying "No" - an attacker would have to get through all three layers of encryption for the service to be vulnerable.

    We are verifying that the other services (such as this discussion forum) you didn't ask about aren't vulnerable either.
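The three-layer model described in the answer above, as an added illustration in Go using the standard library (this is example code, not 1Password's own implementation). Each layer is AES-256-GCM under its own independent key; `TransportKey` stands in for the SSL/TLS record-layer key, and all three keys are simply random here (an assumption: how the real service establishes its session key is not modelled). `StripTransport` shows what an adversary who has defeated only the outer layer is left with: ciphertext under the session key, which neither reveals the item nor opens under any other key.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// sealAESGCM encrypts plaintext under a 32-byte key with AES-256-GCM and
// returns nonce || ciphertext || tag in one blob.
func sealAESGCM(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return append(nonce, aead.Seal(nil, nonce, plaintext, nil)...), nil
}

// openAESGCM reverses sealAESGCM. It fails on a wrong key or a modified
// blob, because GCM authenticates before releasing any plaintext.
func openAESGCM(key, sealed []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < aead.NonceSize() {
		return nil, errors.New("sealed blob too short")
	}
	return aead.Open(nil, sealed[:aead.NonceSize()], sealed[aead.NonceSize():], nil)
}

// Layers holds the three independent keys from the answer. None is derived
// from another, so breaking one layer says nothing about the others.
// (Assumption: all three are random here; the real session-key setup is not modelled.)
type Layers struct {
	VaultKey     []byte // long-lived; protects the item at rest
	SessionKey   []byte // fresh for every session
	TransportKey []byte // stands in for the SSL/TLS record-layer key
}

// NewLayers generates all three 256-bit keys for one session.
func NewLayers() (*Layers, error) {
	keys := make([][]byte, 3)
	for i := range keys {
		k := make([]byte, 32)
		if _, err := rand.Read(k); err != nil {
			return nil, err
		}
		keys[i] = k
	}
	return &Layers{VaultKey: keys[0], SessionKey: keys[1], TransportKey: keys[2]}, nil
}

// Wrap applies the layers innermost-first: vault key, then session key,
// then transport, in the order the answer describes.
func (l *Layers) Wrap(item []byte) ([]byte, error) {
	var err error
	for _, key := range [][]byte{l.VaultKey, l.SessionKey, l.TransportKey} {
		if item, err = sealAESGCM(key, item); err != nil {
			return nil, err
		}
	}
	return item, nil
}

// Unwrap peels the layers outermost-first; it needs all three keys.
func (l *Layers) Unwrap(wire []byte) ([]byte, error) {
	var err error
	for _, key := range [][]byte{l.TransportKey, l.SessionKey, l.VaultKey} {
		if wire, err = openAESGCM(key, wire); err != nil {
			return nil, err
		}
	}
	return wire, nil
}

// StripTransport models an adversary who has defeated only the outer
// SSL/TLS layer: what remains is still ciphertext under the session key.
func (l *Layers) StripTransport(wire []byte) ([]byte, error) {
	return openAESGCM(l.TransportKey, wire)
}

func main() {
	l, err := NewLayers()
	if err != nil {
		panic(err)
	}
	// Constructed sample item; not real data.
	item := []byte(`{"title":"constructed sample login","password":"not-a-real-secret"}`)
	wire, _ := l.Wrap(item)
	inner, _ := l.StripTransport(wire)
	fmt.Printf("on the wire: %d bytes; after removing the TLS layer: %d bytes of ciphertext\n", len(wire), len(inner))
	fmt.Println("plaintext visible once TLS is broken:", bytes.Contains(inner, []byte("not-a-real-secret")))
}
```

The design point is key independence: because the session and vault keys are never derived from, or protected by, the TLS key, a flaw that recovers the TLS layer (DROWN, Heartbleed, or a future one) yields only another layer of authenticated ciphertext, and GCM's tag check means an attacker cannot even tamper with that inner layer undetected.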

This discussion has been closed.