Professional third-party code reviews

McGarnacle
Community Member
edited March 2016 in Lounge

Tavis Ormandy has been doing the rounds destroying AV products, including Trend Micro and Comodo. The most embarrassing elements have been with the browser plugins. I can foresee that he and others will be moving to password managers as a matter of course.

I am aware of other threads regarding crypto, NSA and other privacy concerns, but I'm still not convinced that merely having an ethical stance on something is sufficient assurance. To be honest, I'm more concerned about Credit Card details being stolen than a backdoor implanted by spooks.

What, if any, professional third-party code reviews have been conducted on the 1Password suite? In particular, what assurance activities are given to the browser plugins, which is easily the most exposed asset that can access my unlocked credential store?


1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Sync Type: Not Provided
Referrer: forum-search:code review

Comments

  • julie-tx
    1Password Alumni

    Tavis -

    We've not had third-party source-code level reviews of 1Password, but we have had bug-bounty programs and reviews of the 1Password for Teams server configurations. You can find those results in Third Party Reviews.

    The browser extension itself does not have access to your unlocked credentials. A "helper" application communicates with the browser extension, thereby isolating your unlocked vault data from the browser environment. So, a malicious extension or browser vulnerability would not have access to your entire vault, only whatever credentials were present for your current web page.
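Added illustration for the isolation described in the comment above: this is not AgileBits' code and not a description of 1Password's actual helper protocol, only a hypothetical sketch of how a helper process can scope what it hands to an extension to the site of the requesting page instead of exposing the whole vault. The sample vault, the field names and the matching rules (host boundary check, no release of https-saved entries to an http page) are all assumptions made for the example.

```javascript
// Hypothetical helper-side credential scoping (added example, not 1Password's code).
// The helper holds the unlocked vault; the extension only ever receives the
// entries that match the page it reports, so a compromised browser context
// sees at most the credentials for the current site.

// Constructed sample vault with placeholder secrets (not real credentials).
const SAMPLE_VAULT = [
  { title: 'Example Bank', url: 'https://bank.example.com/login', username: 'alice', password: 'constructed-1' },
  { title: 'Example Shop', url: 'https://shop.example.org', username: 'alice', password: 'constructed-2' },
  { title: 'Intranet Wiki', url: 'http://wiki.internal', username: 'alice', password: 'constructed-3' },
];

// Parse a URL and return { scheme, host }, or null when it is not a web origin
// (file:, chrome-extension:, malformed input and so on are never matched).
function webOrigin(rawUrl) {
  let u;
  try {
    u = new URL(rawUrl);
  } catch (e) {
    return null;
  }
  if (u.protocol !== 'https:' && u.protocol !== 'http:') return null;
  return { scheme: u.protocol, host: u.hostname.toLowerCase() };
}

// True when `host` is the saved host itself or a subdomain of it.
// The explicit dot boundary stops "bank.example.com.attacker.test" from
// matching an entry saved for "bank.example.com".
function hostMatches(host, entryHost) {
  return host === entryHost || host.endsWith('.' + entryHost);
}

// Helper-side filter: given the page URL the extension reports, return only the
// vault entries whose saved site matches. Entries saved over https are not
// released to an http page (assumption: a scheme downgrade counts as a mismatch).
function credentialsForPage(vault, pageUrl) {
  const page = webOrigin(pageUrl);
  if (page === null) return [];
  return vault.filter((entry) => {
    const saved = webOrigin(entry.url);
    if (saved === null) return false;
    if (saved.scheme === 'https:' && page.scheme !== 'https:') return false;
    return hostMatches(page.host, saved.host);
  });
}

// Stand-alone demonstration of the scoping rules.
if (typeof require !== 'undefined' && require.main === module) {
  for (const url of [
    'https://bank.example.com/',
    'https://bank.example.com.attacker.test/',
    'http://bank.example.com/',
    'file:///tmp/page.html',
  ]) {
    console.log(url, '->', credentialsForPage(SAMPLE_VAULT, url).map((e) => e.title));
  }
}
```

The point of the sketch is the shape of the interface: the extension never asks for "the vault", it reports a page and gets back a filtered list, so the blast radius of a browser-side compromise is bounded by the matching rule rather than by the extension's good behaviour.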

  • jxpx777
    1Password Alumni

    @McGarnacle I thought I would jump in since I spend the vast majority of my time working on 1Password's browser extensions and form filling logic.

    To follow on to what Julie said, you might find this page from our support site useful. Moreover, there has been some discussion recently about the fact that our traffic between 1Password and the extension is not encrypted. @jpgoldberg has published a response to that over on Medium that will also prove helpful I think. What we haven't done is react with a knee-jerk to add some trivial obfuscation with a shared key or something equally useless. This does virtually nothing to add security and only gives the false impression of security to the uninformed.

    That being said, we are also looking at alternatives to this current mechanism, mostly to aid in stability and reliability; further minimizing these already narrow attack vectors is just an additional entry in the "Pro" column. The current mechanism is subject to things like proxy servers, ad blockers, VPN software, antivirus and other security software, and this causes a variety of issues from a total failure of the extension to connect to 1Password to failures with validating the authenticity of the request coming from the browser.

    I hope that helps. If you have any other thoughts, questions, or concerns, please don't hesitate to write back to us. We're always here to help.

    --
    Jamie Phelps
    Code Wrangler @ AgileBits

  • cmroanirgo
    Community Member

    As this article has foretold, Tavis Ormandy has indeed reviewed 1Password and his initial impression is less than flattering:

    I have noticed that solutions (LastPass and Keeper) have all applied updates to their browser extensions in a very short time, but I've not seen any security announcements from you guys... Historically you (at AgileBits) have been rather forthcoming regarding concerns. Perhaps I've missed it? (The Twitter storm is hard to follow.)

  • julie-tx
    1Password Alumni

    Hi, @cmroanirgo -

    Bug hunting typically comes with various non-disclosure intervals during which an identified vulnerability, should one be found, is embargoed to allow the vendor time to correct the problem. Generally speaking, announcing a vulnerability before there is a solution is a bad idea. Major vendors, including Apple and others, follow this same set of guidelines.

    1Password has been continually poked and prodded for vulnerabilities via a number of programs, including our currently active private bug bounty program with Bugcrowd. If you want to view the latest published results, they can be found here.

  • jpgoldberg
    1Password Alumni

    One of the difficulties with reporting the existence of a bug prior to its details being released (which shouldn't be done until the vendor has had the opportunity to address it) is that it creates uncertainty. That uncertainty is a problem. People tend to assume the worst, and even the experience of uncertainty raises a level of fear.

    We continue to encourage Tavis to poke around and have offered him information about how things work, even if we aren't entirely happy with his manner of public commentary.

  • cmroanirgo
    Community Member

    Hi, @julie-tx & @jpgoldberg,

    Of course it's a bad idea to reveal vulnerability details before they're fixed. Thanks for the Bugcrowd, etc. links -- it shows that you guys are serious about security.
    What I was really asking for was (in a roundabout way): what's the best URL I should watch for security-related release notes?

  • julie-tx
    1Password Alumni

    @cmroanirgo -

    That would be the link to watch. My goal is to make sure we post results every few months so y'all know we're still showing you some security love.

  • Damnatus
    Community Member
    edited October 2016

    Fixes out now. I'm curious about the details, hopefully revealed in the upcoming days.

    Jeffrey Goldberg linked this on Twitter (hadn't found it): https://discussions.agilebits.com/discussion/70301/background-for-4-6-1-security-changes/

  • AGAlumB
    1Password Alumni

    Indeed. Glad this is finally out there for everyone to use after all the work behind the scenes to make it happen. :) :+1:
