SSL interception proxy

robmcalavey
Community Member

The company I work for has recently moved to an SSL interception proxy. Since the move, 1Password no longer seems to sync, but it did work fine on the old proxy. If I move back to the old proxy, or to a non-proxied network, sync still works fine.

I haven't been able to determine from the logs whether it's being blocked by the proxy, or whether 1Password itself is preventing the connection.

So, I have three questions:
1. Is there a way to work out why the sync isn't working?
2. Does 1Password itself block syncing if the certificate presented to it doesn't match what it expects?
3. Is using 1Password over an SSL interception proxy safe? That is, is there any way someone inspecting the traffic could see either my master password, or the data contained in my vaults?

I'm using 1Password for Families.

Thanks!


1Password Version: 6.6.4
Extension Version: 4.6.3.90
OS Version: OS X 10.11.6
Sync Type: Families

Comments

  • AGAlumB
    1Password Alumni

    @robmcalavey: Thanks for reaching out. I’m sorry for the trouble! Great questions here:

    Is there a way to work out why the sync isn't working?

    I think you already hit the nail on the head. If SSL is being "intercepted", that implies that it's being broken as well...

    Does 1Password itself block syncing if the certificate presented to it doesn't match what it expects?

    Indeed, if someone else is intercepting the traffic, 1Password will refuse to connect to sync, update, or load the web interface.

    Is using 1Password over an SSL interception proxy safe?

    It isn't possible for anyone to eavesdrop on 1Password's communications because the connection will be refused if it isn't end-to-end encrypted between your device and the server. However,

    That is, is there any way someone inspecting the traffic could see either my master password, or the data contained in my vaults?

    If a flaw in SSL/TLS is found that allows this to happen, then it still doesn't matter. Since your data is encrypted locally on your device using Your Secret Key and Master Password, and neither of these is ever transmitted or known to anyone but you, an attacker cannot decrypt your data even if they're able to capture it. 1Password just doesn't depend on the transport layer for its security.

    I hope this helps. Be sure to let me know if you have any other questions! :)

This discussion has been closed.
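
For the first question in the thread (working out why sync fails), one diagnostic is to record the certificate a host presents on the direct network and on the proxied one, then compare them. This is an added example, not part of the original thread and not 1Password's own code or checking mechanism. It assumes the proxy intercepts direct connections (an explicit HTTP proxy needing CONNECT is not handled), the host passed to `observe()` is whatever sync host you are testing (the thread does not name one), and the sample observations are constructed.

```python
import hashlib
import socket
import ssl

def issuer_name(cert):
    """Flatten the issuer RDNs from getpeercert() into 'key=value, ...'."""
    return ", ".join(f"{k}={v}" for rdn in cert.get("issuer", ()) for k, v in rdn)

def observe(host, port=443, timeout=10):
    """Record what this network presents for host (live connection needed)."""
    obs = {"sha256": None, "issuer": None, "verify_error": None}
    # Pass 1: no verification, so the leaf is captured even when untrusted.
    raw = ssl.create_default_context()
    raw.check_hostname = False
    raw.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with raw.wrap_socket(sock, server_hostname=host) as tls:
            der = tls.getpeercert(binary_form=True)
            obs["sha256"] = hashlib.sha256(der).hexdigest()
    # Pass 2: normal verification; issuer fields are only parsed on success.
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            strict = ssl.create_default_context()
            with strict.wrap_socket(sock, server_hostname=host) as tls:
                obs["issuer"] = issuer_name(tls.getpeercert())
    except ssl.SSLCertVerificationError as exc:
        obs["verify_error"] = exc.verify_message
    return obs

def compare(baseline, observed):
    """Compare a direct-network observation with a proxied-network one."""
    findings = []
    if baseline["sha256"] != observed["sha256"]:
        # Can also happen on certificate renewal; the issuer check is stronger.
        findings.append("leaf certificate differs between networks")
    if observed["verify_error"]:
        findings.append("chain not trusted here: " + observed["verify_error"])
    elif baseline["issuer"] and observed["issuer"] != baseline["issuer"]:
        findings.append("issuer changed to: " + str(observed["issuer"]))
    return findings or ["same certificate and issuer on both networks"]

# Constructed sample observations (not real certificates or a real CA).
DIRECT = {"sha256": "aa" * 32, "issuer": "O=Example Public CA, CN=Example TLS CA 1", "verify_error": None}
PROXIED = {"sha256": "bb" * 32, "issuer": "O=Example Corp, CN=Example Corp Inspection CA", "verify_error": None}

if __name__ == "__main__":
    for line in compare(DIRECT, PROXIED):
        print(line)
```

Run `observe()` once on each network and pass both results to `compare()`; an issuer that changes to an internal CA on the proxied network shows the proxy is re-signing the connection.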