Can you elaborate on potential browser/Javascript vulnerabilities for Families/Teams?

wsjndr
Community Member

My main hesitation in approaching 1Password for Families is the set of potential browser-related vulnerabilities. When Teams/Families was first announced a long while ago, I had hoped that the implementation would be a vastly improved multi-user, multi-device offline/local sync. Having given your security whitepaper a quick read, I'm currently satisfied with the protocols in place with respect to Agilebits' storage of my encrypted data. However, you yourselves acknowledge, in the Beware of the Leopard section, security limitations relating to browser crypto, Javascript, and a locally exposed Account Key.

With a separation between 1Password and the browser, I felt that even if something going on in the browser were to be compromised (e.g., a naughty extension/add-on, or something like Heartbleed), the damage would be limited to a collection of my most frequently used passwords yet my vault would remain secure. I don't want to leave any aspect of my vault security to something outside of Agilebits' design, especially since I've been happily using 1Password to securely store information not necessarily related to my activity in a browser (e.g, passport and credit card information, as well as other sensitive records, documents, and notes).

You see, I don't have a technical security background and I don't want to have to acquire one in order to maintain a level of comfort with respect to the security of my passwords and records. Once my vault security itself moves to the browser, the front-line of activity with the sometimes hostile internet environment, it seems like I'll now have to up my level of browser security awareness from cautious to paranoid. If my system starts to stress me out, then it's really not working for me anymore.

So, given this concern, is there any additional information you can share that would help me to feel confident about using 1Password for Families? For example, is there a simple way to use Families exclusively for browser-related passwords while maintaining a separate local vault for passports, credit cards, documents, etc.? Or perhaps my perception is wrong that a dedicated 1Password app handling encryption is vastly more secure than 1Password co-operating with a browser. I would really love to simplify the local admin of my family members' passwords and information without feeling like I have to adopt new behaviours of security paranoia.


1Password Version: 6.1
Extension Version: Not Provided
OS Version: OS X 10.11.3
Sync Type: wi-fi

Comments

  • Hi, @wsjndr, great question!

    We were just discussing this last week, I think it was. You are correct that the browser is somewhat of a hostile environment for crypto. Because of this, we are working towards our ultimate goal of providing a way to do everything in our client apps that you currently have to do in the browser. Our client apps are signed and not susceptible to malicious browser extensions, though they would still be susceptible to root-level attacks like keyloggers, so maintaining a secure system is still crucial regardless of whether you're using 1Password Families in the browser or not.

    Now, I will say that the existence of the web client (crypto in the browser) does not put you at risk if you don't use it. Unfortunately, as I mentioned, we don't yet provide a way to do everything you need to do outside the browser, so that is something we will be working on. There are still some safeguards you can take to mitigate the risks associated with crypto in the browser:

    • Install only trusted browser extensions. (Or better yet, use a different browser for 1Password than your normal browser, and don't install any extensions at all.)
    • Keep your system and browsers up-to-date -- good advice to help protect against many attacks, not just this one.
    • Pay close attention to browser security warnings.

    Your other proposal sounds doable as well. You can create a local, offline vault outside of your family account for storing personal information that you don't need to share with your family. Or, if you need to share it with family, you can use a traditional sync method like Dropbox.

    We don't want you to have to adopt new levels of paranoia either. We are trying to develop a system which users can trust without major changes to their workflow. The points you bring up are known issues that we are still working to resolve, but if you implement the safeguards I listed above, you should be fine.

    I'm going to ping @jpgoldberg here to see if he has additional thoughts on this, since it is very important and close to his heart.

  • jpgoldberg
    1Password Alumni
    edited March 2016

    Thanks, I really don't have much to add to what @rob has already said.

    @wsjndr is absolutely correct that the browser is a far more hostile environment than the operating system as a whole, and so web-apps face a greater threat than native applications and programs do. Furthermore native client applications are delivered in a more secure way than in-browser apps served from a web page. So yes, other things being equal, the native apps have more defenses than the web apps.

    I'd like to highlight something that Rob said,

    we are working towards our ultimate goal of providing a way to do everything in our client apps that you currently have to do in the browser.

    Since the Teams beta began, some of those have already come to fruition. I'm not making any promises about the speed at which these will be brought to the native apps, but keep in mind that the web app and the native apps use an identical protocol. It may be a while before absolutely every capability of the web app is available in clients for all of our platforms, but you should find it easier to rely less on the web-app as months pass.

    Meanwhile, as Rob says, follow good practices with installing things in your browser and paying attention to TLS warnings.

  • wsjndr
    Community Member

    Okay, so the current implementation of Teams/Families puts my vault at greater risk compared to the current client apps.

    I wonder if anyone can share their experiences using two vaults: one for Teams/Families and another only on the client apps. How would that work on my iPhone? Would my iPhone be able to sync to both vaults?

  • Megan
    1Password Alumni

    Hi @wsjndr,

    You've asked some great questions here, and I've learned a lot just by reading Rob and Goldberg's responses. I'm glad to see that they've helped you as well.

    I can certainly share my experience with using multiple vaults, and multiple accounts. I've got 5 personal vaults that have not yet been migrated to 1Password Families, and I'm a member of 3 different 1Password accounts (two Teams and one Family, if you want to get specific.) Obviously, because I work for AgileBits, I'm a little bit biased, but I think the way that 1Password handles multiple vaults has gotten really sophisticated over time, making it easy for me to access all the information that I need all of the time, while hiding the information that I only need occasionally.

    The vault selector in the sidebar has my vaults nicely separated into groups so I can easily see which vaults belong to which account, and Preferences > All Vaults (or Settings > Vaults > All Vaults on iOS) allows me to customize which vaults are included in All Vaults. This means that All Vaults really is the "all the information I need without any unnecessary clutter" vault (I guess you can see why they don't let me name things around here!)

    Use Settings > 1Password for Teams in 1Password for iOS to sign in to all of your 1Password accounts. You can be signed in to multiple accounts, and still use personal vaults as well.

    I wonder if anyone can share their experiences using two vaults: one for Teams/Families and another only on the client apps.

    Reading your question again, I wonder if I might need a bit more clarification on how you're thinking of setting things up, because I might be answering a question that you're not asking.

    Personally, I hardly ever use the web interface of 1Password Families. I used the browser when I created the account, and to add members and set up a few vaults. Other than that, I've been working strictly within the 1Password app on my Mac. All the data in the vaults was added into the app directly.

    But, the short answer is, 1Password is flexible for your needs. You don't have to use only Families vaults or personal vaults, you can mix and match as you wish.

    I hope this helps, but if you've got more questions, we're here for you!
