Improving Watchtower results

[Deleted User]
Community Member
edited December 2016 in Mac

Hi there,

I have found a domain flagged as "vulnerable", but when I follow the link it provides in the UI, the website it brings up to show relevant details ends up showing that it's either not verified or not vulnerable which is contrary to the alert in the UI. This leads to a lot of confusion and a poor user experience.

There is a similar post here: https://discussions.agilebits.com/discussion/60055/watchtower-false-alerts

My suggestion... If the website entered is "www.example.com" in the UI, and the heartbleed vulnerability or whatever the root cause is ends up being only for the example.com domain (without the www), then it should either not show an alert at all or else show one that can be dismissed or reported back as a false positive for further investigation. Alternatively, perhaps it should be corrected to direct a user to the page where it actually found the relevant alert data.

In the example provided in the other post, it noted that https://watchtower.agilebits.com/check?h=www.lotro.com shows it is unverified, but https://watchtower.agilebits.com/check?h=lotro.com shows that there was a SQL injection attack. So if the UI shows www.lotro.com instead of lotro.com.... why is Watchtower flagging it? And if it's understandable to flag it because of the domain itself (I think I'd be okay with this behaviour, better safe than sorry after all), then why isn't the alert link going to the page that it actually found the relevant data from?

The way it is now is misleading to users, as it shows an alert which links to a page showing no data about such an alert, or it perhaps acts a bit differently than expected, in that some users may expect it to look at the exact URL entered rather than just the primary domain.

Now I have my own example domain for which I've noticed this happening as I am adding more and more data into 1Password, but it's perhaps a little embarrassing for me to post here publicly, so I'd rather send it via email if it's needed for investigation. The logic remains the same though. Basically Watchtower is flagging one of my records as possibly vulnerable, but the link doesn't go to a page which shows anything about a vulnerability. However if I modify the Watchtower service URL to exclude the www then it shows the vulnerability (which is heartbleed in this example). What makes it more confusing in this particular case though is typing it without the www in the URL of a web browser actually redirects to the www sub-domain which Watchtower has as unverified, so that adds a little extra spice into the mix there. ;)

Adding insult to injury (if I'm understanding this correctly), is the blog post I found which clearly states the domain does matter and that watchtower only checks the exact domain entered. On the blog post, it states: "Subdomains matter: It is important to remember that 1Password Watchtower checks the exact domain you tested. So even if go.com doesn’t use SSL, subdomains such as disney.go.com, may. It does not appear that one ever sends passwords to go.com itself, so its lack of SSL does not put passwords at risk." -- And if I'm reading this right, this seems contradictory to what was explained to users in the other forum post I linked to earlier, and contrary to my own experiences with it as well.


1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Sync Type: Not Provided

Comments

  • Andrew_AG
    1Password Alumni

    Hi Dustin,

    The full domain does matter. Not all subdomains were necessarily vulnerable, so it's possible for a naked domain (lotro.com, for example) to be vulnerable while a subdomain (www.lotro.com) might not be, or vice versa. In this case, it might just be that we didn't actually check www.lotro.com when we did the scan back in 2014 (I believe that's when it was). It's an old one, so it's hard to say for sure what was the reason, but that's my guess.

    If you're concerned about a site in particular, though, send an email to our support team, and we'll be happy to check it out.

    Thanks.

  • [Deleted User]
    Community Member

    Hi Andrew,

    I think my points may have been missed. I'll sum it up because I just wrote a lot of garbily-gook, haha.

    1) 1Password on Mac shows me that a URL www.example.com is vulnerable. So I click on the link and it brings me to a page which clearly shows it is unverified with no reference notes at all, which basically contradicts the message seen in 1Password. This is confusing and leads to a poor user experience. Also, this seems like a bug when it is classifying www.example.com as vulnerable when it is actually just example.com. As stated by 1Password in multiple areas... subdomains are different and are not the same as the parent domain, and vice-versa. So if they are indeed different, then why are they being treated the same?

    2) If I change the URL query in the Watchtower service to use example.com instead of www.example.com then it does indeed show a vulnerability. Why didn't the 1Password application show the correct link to the vulnerability? This seems like a bug to me.

    3) I just recently realized that Dailymotion was vulnerable from a hack per an email they sent me out today. I checked 1Password and it never classified it as vulnerable in Watchtower. However, when finding it manually, it does show a reference note to a vulnerability. So why isn't this one being flagged? Watchtower URL for reference: https://watchtower.agilebits.com/check?h=www.dailymotion.com

    In summary, I can't say that the user experience with the Watchtower functionality has been stellar. It seems like it has many bugs or else just a very confusing and/or contradictory functional behaviour. I think there's definitely room for improvement on it. It has great potential though, so I'd love to see it beefed up with the bugs fixed and user experience improved.

    I'll also email separately and reference this thread when I send my other example in private. :-)

    -- Dustin

  • AGAlumB
    1Password Alumni
    edited December 2016

    > Hi Andrew, I think my points may have been missed. I'll sum it up because I just wrote a lot of garbily-gook, haha.

    @DustinDauncey: Thanks for the patience and good humour. I think we'll get there. :lol:

    > 1) 1Password on Mac shows me that a URL www.example.com is vulnerable. So I click on the link and it brings me to a page which clearly shows it is unverified with no reference notes at all, which basically contradicts the message seen in 1Password. This is confusing and leads to a poor user experience. Also, this seems like a bug when it is classifying www.example.com as vulnerable when it is actually just example.com. As stated by 1Password in multiple areas... subdomains are different and are not the same as the parent domain, and vice-versa. So if they are indeed different, then why are they being treated the same?

    This is a fantastic question, and it goes back to another area of user experience: In most cases, we don't want our subdomain.domain.tld to be treated differently than domain.tld. Maybe Google is a good example, since we probably want to use accounts.google.com and mail.google.com interchangeably in most cases. So this is how 1Password treats login URLs by default, which is a bit different than what you're suggesting for Watchtower...which is using these same login URLs. I get what you're saying, but I'm not sure we can have our cake and eat it too here. And I think it's better that 1Password suggest that www.example.com might require our attention even if it turns out that only example.com is affected. Better safe than sorry. But we'll certainly see if we can improve this in the future. There are just a lot of things to consider.

    > 2) If I change the URL query in the Watchtower service to use example.com instead of www.example.com then it does indeed show a vulnerability. Why didn't the 1Password application show the correct link to the vulnerability? This seems like a bug to me.

    This goes back to the URL matching I talked about above, which is really critical for the 1Password app. But I do think that this may be an opportunity for improvement on the Watchtower website (though we'll see what Andrew says).

    I wonder if it might be better to list all related subdomain/domain matches when viewing. For example, a www.example.com alert would take you to a webpage listing www.example.com, example.com, and any others in the database, just to make it easier for the user to get a clearer picture.

    > 3) I just recently realized that Dailymotion was vulnerable from a hack per an email they sent me out today. I checked 1Password and it never classified it as vulnerable in Watchtower. However, when finding it manually, it does show a reference note to a vulnerability. So why isn't this one being flagged? Watchtower URL for reference: https://watchtower.agilebits.com/check?h=www.dailymotion.com

    That's a really good question. Sometimes there's some delay with the database update. Is Watchtower showing it's current on your Mac (1Password Preferences > Watchtower)?

    > In summary, I can't say that the user experience with the Watchtower functionality has been stellar. It seems like it has many bugs or else just a very confusing and/or contradictory functional behaviour. I think there's definitely room for improvement on it. It has great potential though, so I'd love to see it beefed up with the bugs fixed and user experience improved.

    I agree. Thanks so much for your feedback on this! It always makes me happy to hear that folks are getting use out of Watchtower and 1Password's other Security Audit tools, and if we make it better it will help even more people.

    > I'll also email separately and reference this thread when I send my other example in private. :-) -- Dustin

    Great! I see that we've received your email, so we can continue the conversation there. We'll look into that and get back to you shortly! :)

    ref: XVU-79759-936
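The behaviour discussed in this thread, an alert for www.example.com whose underlying record is keyed on example.com, comes down to how a login URL's hostname is matched against a database of vulnerability records. The following Python is an added example, not 1Password's or Watchtower's own code: it walks from the exact hostname up through its parent domains, stopping before the public suffix, and returns every record that matches, which is the "list all related subdomain/domain matches" idea from the reply above. The record table and the tiny suffix list are constructed for illustration; a real implementation would consult the full Public Suffix List so that "co.uk" or "com" is never treated as a site.

```python
from typing import Dict, List

# Constructed sample records keyed by exact hostname (hypothetical data,
# not the real Watchtower database). Notes are free text.
VULN_DB: Dict[str, str] = {
    "lotro.com": "SQL injection attack reported",
    "example.com": "Heartbleed exposure reported",
    "www.dailymotion.com": "credential breach reported",
}

# Stand-in for the Public Suffix List: a candidate equal to one of these is
# a registry suffix, not a site, so matching must stop before it.
PUBLIC_SUFFIXES = {"com", "net", "org", "co.uk"}

# Link pattern used by the Watchtower check page, as quoted in the thread.
CHECK_URL = "https://watchtower.agilebits.com/check?h={host}"


def candidate_hosts(hostname: str) -> List[str]:
    """Exact host first, then each parent domain down to (not including)
    the public suffix. www.example.com -> [www.example.com, example.com]."""
    labels = hostname.strip().lower().rstrip(".").split(".")
    candidates: List[str] = []
    for i in range(len(labels)):
        cand = ".".join(labels[i:])
        if cand in PUBLIC_SUFFIXES:
            break
        candidates.append(cand)
    return candidates


def related_alerts(hostname: str, db: Dict[str, str] = VULN_DB) -> Dict[str, str]:
    """All records that apply to the host or one of its parent domains.
    Empty dict means nothing known for this host or its parents."""
    return {h: db[h] for h in candidate_hosts(hostname) if h in db}


def alert_links(hostname: str, db: Dict[str, str] = VULN_DB) -> List[str]:
    """Check-page links for the hosts that actually carry a record, so the
    UI can point at the page that holds the evidence rather than at the
    exact (possibly unverified) host the user typed."""
    return [CHECK_URL.format(host=h) for h in related_alerts(hostname, db)]


def exact_match_only(hostname: str, db: Dict[str, str] = VULN_DB) -> bool:
    """True when a record exists for the exact host the user entered,
    i.e. the alert link would already land on a page showing it."""
    return hostname.strip().lower().rstrip(".") in db


if __name__ == "__main__":
    for host in ("www.lotro.com", "www.dailymotion.com", "www.example.co.uk"):
        print(host, "->", related_alerts(host), alert_links(host))
```

Running it on www.lotro.com shows no exact record but one inherited from lotro.com, and the link list points at the lotro.com check page; www.dailymotion.com matches exactly; www.example.co.uk stops at example.co.uk without ever consulting "co.uk". Whether an inherited parent-domain match should raise an alert at all is the policy question the thread debates; this code only makes the inheritance visible so the alert and its link agree.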

This discussion has been closed.