How secure is the connection between 1Password mini and the browser extension?

My company said that they think 1Password browser extensions are not secure, but that the 1Password base app is secure. They claim that if I only use the base app I am secure, but that the extension hosts some kind of mini server, and it transmits between the base app and the extension, or between the extension and the equivalent on Windows of 1Password Mini, in clear http. They claim that they've been able to spy on and monitor the connection, and capture passwords in clear text. Thus they prefer LastPass.

I'd prefer 1Password (I like the interface, and I believe it's secure). I read https://support.1password.com/mini-extension-security/ but what it seems to focus on is that the 1Password Mini will authenticate the browser extension before it communicates. I won't challenge that, and I appreciate it; but I'm not yet comforted against what my I.T. team told me. They didn't challenge that it doesn't authenticate, but rather they claimed that when it does communicate that it sends in plaintext over its localized "server". Can you help me refute that?


1Password Version: 4.6.0.604
Extension Version: 4.5.4.90
OS Version: Windows 7
Sync Type: Dropbox

Comments

  • MikeT
    edited March 2016

    Hi @chazzunokuthunuchtec,

    They are correct in how 1Password is working to fill/save your data: the 1Password extension connects to 1Password Helper/mini on a localhost port and asks for specific credentials to fill in. Keep in mind that 1Password has to give the site your username/password in plain text format; sites wouldn't know how to decrypt your data. LastPass and some others do the same thing: they have to give the site the data in plain text format, but they retrieve the data differently, since LastPass is self-contained in its own extension and doesn't need to grab your data on the local drive like we do.

    However, note the localhost part. The information does not leave your local computer and your localhost traffic cannot be intercepted without admin/root rights.

    With that in mind, if they're able to spy on your localhost traffic, then your system is compromised. Ask them how they are able to spy on your localhost traffic in the first place.

    If your IT has admin rights, they can also install spying tools to intercept your master password and monitor your clipboard to copy any data from there.

    We can't protect you against compromised systems like this. 1Password can keep your data secure by keeping it in an encrypted form on the drive, but if someone has total control of your system, they'll just wait for you to open the program and enter the password or copy data to your clipboard; they can do anything they want with admin rights.

    Also, if they have admin rights to your system, using only the 1Password program won't protect you. Think about how you have to get the data from the main program into the sites: you have to copy the username/password, and how do you do that? You copy via the clipboard, which is plain text only, and the IT guys can install sniffing tools without admin rights to grab your data from there as well.

    If you want to learn more, I'd suggest reading our blog post on a related issue here: https://blog.agilebits.com/2015/06/17/1password-inter-process-communication-discussion/
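    The pattern MikeT describes, an extension talking to a helper on a localhost port that checks who is asking before answering, can be sketched in a few lines. The following is an added example for this thread, not 1Password's code: a toy "helper" that binds only to 127.0.0.1, refuses any non-loopback peer, and requires a per-launch session token before it returns a credential. The domain, username and password are constructed sample data; the one-line text protocol is invented for the example. Note that the reply still crosses the loopback socket in plain text, exactly as the post says; what keeps it private is that the socket is unreachable from the network and that only a process with local access could observe it.

```python
"""Loopback-only credential helper (added example, not 1Password's code)."""
import ipaddress
import secrets
import socket
import threading

LOOPBACK_HOST = "127.0.0.1"

# Constructed sample vault: site -> (username, password).
SAMPLE_STORE = {"example.test": ("alice", "correct-horse-battery-staple")}


def is_loopback_peer(peer_addr):
    """True only if the connecting address is a loopback address (127/8 or ::1)."""
    host = peer_addr[0]
    return ipaddress.ip_address(host).is_loopback


def handle_request(peer_addr, line, session_token, store):
    """Answer one request of the form '<token> FILL <domain>'.

    A socket bound to 127.0.0.1 cannot be reached from another host, so the
    loopback check is defence in depth; the session token is the part that
    authenticates the client before any credential is released.
    """
    if not is_loopback_peer(peer_addr):
        return "DENIED non-loopback peer"
    parts = line.strip().split()
    if len(parts) != 3 or not secrets.compare_digest(parts[0], session_token):
        return "DENIED bad token"
    verb, domain = parts[1], parts[2]
    if verb != "FILL" or domain not in store:
        return "DENIED unknown request"
    user, password = store[domain]
    # Delivered in plain text: the browser has to receive it that way to fill the form.
    return f"CRED {user} {password}"


def serve_once(listener, session_token, store):
    """Accept a single connection, answer one line, and close."""
    conn, peer = listener.accept()
    with conn:
        line = conn.makefile("r").readline()
        reply = handle_request(peer, line, session_token, store)
        conn.sendall((reply + "\n").encode())


def run_demo():
    """Start the helper on an ephemeral loopback port and send two requests:
    one with the correct session token, one with a wrong token."""
    session_token = secrets.token_hex(16)  # fresh per launch, shared out of band
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind((LOOPBACK_HOST, 0))  # loopback only; 0 = pick a free port
    listener.listen(2)
    port = listener.getsockname()[1]

    replies = []
    for request in (f"{session_token} FILL example.test",
                    "wrong-token FILL example.test"):
        server = threading.Thread(target=serve_once,
                                  args=(listener, session_token, SAMPLE_STORE))
        server.start()
        with socket.create_connection((LOOPBACK_HOST, port)) as client:
            client.sendall((request + "\n").encode())
            replies.append(client.makefile("r").readline().strip())
        server.join()
    listener.close()
    return replies


if __name__ == "__main__":
    for reply in run_demo():
        print(reply)
```

    Running it prints the credential for the authenticated request and a denial for the wrong token. The example mirrors the thread's point rather than contradicting it: a process that already runs on the same machine with enough privilege could still read the socket, the token, or the clipboard, which is why the answer to "can IT see it" is about who controls the host, not about the transport.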

  • chazzunokuthunuchtec
    Community Member

    In this example the computer is owned by the company, and most individuals are standard users, and the I.T. team controls the admin password, installations, and updates. They may not see the computer as "compromised" but I think they would want the extension to use https with the base app, and then the extension could, from there, put the password in securely?

    I read one of the posts on this site about not being able to protect against other extensions or object which can "see" what is submitted in the page, and not submitting sensitive data in untrustworthy pages, but if I can persuade them that 1Password is every bit as secure as LastPass, then I will feel better personally even if they are not persuaded to change.

    My views in favor of 1Password are partly rooted in the fact that my personal computer is an iMac, at home, and I own iOS mobile devices, and I will continue using 1Password on my personal devices, and at work where possible, even if the company wants something else for a corporate or enterprise solution. I like 1Password more, I prefer its interface, and that I can choose to have it locally if I don't sync it via cloud services if I so desired.

  • Hi @chazzunokuthunuchtec,

    They may not see the computer as "compromised" but I think they would want the extension to use https with the base app, and then the extension could, from there, put the password in securely?

    You can find out why that wouldn't work either here: https://discussions.agilebits.com/discussion/comment/185245/#Comment_185245

    For example, the "obvious" thing to do would be to use wss:// (websocket with SSL) instead of ws:// (unencrypted websocket). But that would require Mini (or Agent on Windows) to have a certificate with a private key in operation. It really isn't hard for an attacker to extract the private key from such a process if the attacker already has some powers on the local machine.

  • chazzunokuthunuchtec
    Community Member

    I think both password options are good. I am satisfied that my work would not be able to "see" on any computer they don't own, such as my personal computer which I own. That goes for any other third party, too. But they can do pretty much anything they want on the computers they own. So now it comes to preference, and I like 1Password, and will continue to follow its updates and progress. Thank you.

  • MikeT
    edited March 2016

    You're welcome.

    We are always working on finding better solutions for each part in 1Password and we hope to find a better solution for this communication method in the near future.

This discussion has been closed.