Chrome Extension now requires "Read and Change all your data on the websites you visit?"... really..


The newest version of the extension "1Password: Password Manager and Secure Wallet" requires more permissions, so it has been disabled.
It can now:

  • Read and change all your data on the websites you visit.
  • Communicate with cooperating native applications.

Why on earth does a password manager need to read or change all the websites I visit? About to uninstall it... thanks for wrecking this for me.


1Password Version: 4.6.1.620
Extension Version: 4.6.4.90
OS Version: Windows 10
Sync Type: Dropbox

Comments

  • AGAlumB
    1Password Alumni
    edited April 2017

    @nawlbergs: Thanks for reaching out. I’m sorry for the confusion! Indeed, this is Chrome working as intended, to stop dodgy extensions sneaking in extra permissions. Ironically the part that's giving you pause (and rightly so) has actually been the case for years:

    Read and change all your data on the websites you visit.

    1Password needs to be able to read the URLs to match logins and modify the page to be able to fill it. After all, without those capabilities you probably wouldn't have any interest in using it in the first place.

    But the reason that Chrome is disabling it and notifying you now is because of something we've recently changed:

    Communicate with cooperating native applications.

    Since the 1Password browser extensions were first developed (we had browser integration before that, but via a very different method, rather than official extension APIs, which did not exist once upon a time) 1Password has been using WebSockets to communicate with its browser extensions. This is basically just a standard for doing local communications, much the way things work over the internet, only confined to your machine. However, starting with 1Password extension version 4.6.4, we're using Native Messaging with Chrome. It's something we're bringing to other browsers as well; it's just ready for Chrome first.

    If you've never had a problem with the browser extension not working (I mean, like, at all), then you're very lucky and probably won't care about most of this, but Native Messaging offers two important things for 1Password users:

    1. No more having to deal with 3rd party software blocking communications between 1Password and its extension, rendering it useless to you. This is a huge win for anyone who uses antivirus, firewall, proxy, or other security software that interferes with local communications on their machine. This is most prevalent on Windows.
    2. No more 1Password mutual authentication prompts when you install/update/reset the browser/1Password/extension. With Native Messaging, 1Password can negotiate a secure connection purely on its own, and there's no way for other users' processes to try to connect to it.

    Essentially, it's more secure and — with the exception of a one-time notification from Chrome — less hassle. And frankly, I've found the extension to be more responsive with Native Messaging as well. I hope this helps clarify things, but be sure to let me know if you have any other questions! :)

    P.S: As sort of a footnote, be sure to take a look at the permissions you've granted your other extensions. I've found that many require the same or even broader permissions, and I wouldn't necessarily want to give them the same degree of trust that I do 1Password.
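The reply's P.S. suggests reviewing what other installed extensions are allowed to do. As an added example (not part of the thread and not 1Password's code), this Python script reads extension manifests and reports which of the two warnings quoted above each one would raise. The function names, the sample manifests and the short list of "every site" match patterns are assumptions made for illustration; Chrome's own warning logic covers more cases.

```python
import json
from pathlib import Path

# Match patterns that cover every site the browser visits (simplified list).
BROAD_PATTERNS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
ALL_SITES = "Read and change all your data on the websites you visit"
NATIVE_APPS = "Communicate with cooperating native applications"

def audit_manifest(manifest: dict) -> list:
    """Return which of the thread's two Chrome warnings a manifest would raise."""
    # Manifest V2 puts host patterns in "permissions"; V3 uses "host_permissions".
    perms = set()
    for key in ("permissions", "host_permissions"):
        perms.update(p for p in manifest.get(key, []) if isinstance(p, str))
    # A content script matched against every site carries the same access.
    hosts = set(perms)
    for script in manifest.get("content_scripts", []):
        hosts.update(script.get("matches", []))
    findings = []
    if hosts & BROAD_PATTERNS:
        findings.append(ALL_SITES)
    if "nativeMessaging" in perms:
        findings.append(NATIVE_APPS)
    return findings

def audit_profile(extensions_dir) -> dict:
    """Audit each <id>/<version>/manifest.json under a profile's Extensions folder."""
    report = {}
    for path in sorted(Path(extensions_dir).glob("*/*/manifest.json")):
        try:
            manifest = json.loads(path.read_text(encoding="utf-8-sig"))
        except (OSError, ValueError):
            continue  # unreadable or malformed manifest: skip it
        report[f"{path.parent.parent.name}/{path.parent.name}"] = audit_manifest(manifest)
    return report

# Constructed manifests for illustration; not taken from any real extension.
SAMPLES = {
    "filler (MV2)": {"manifest_version": 2,
                     "permissions": ["nativeMessaging", "tabs", "<all_urls>"]},
    "one-site helper (MV3)": {"manifest_version": 3, "permissions": ["storage"],
                              "host_permissions": ["https://example.com/*"]},
    "page tweaker (MV3)": {"manifest_version": 3,
                           "content_scripts": [{"matches": ["*://*/*"], "js": ["c.js"]}]},
}

if __name__ == "__main__":
    for name, manifest in SAMPLES.items():
        print(f"{name}: {audit_manifest(manifest) or 'neither warning'}")
```

To check a real profile, pass its Extensions folder to `audit_profile`; on Windows that is typically `%LOCALAPPDATA%\Google\Chrome\User Data\Default\Extensions`.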

This discussion has been closed.