Firefox Browser extension not updating

Spaldo
Spaldo
Community Member
edited June 2017 in 1Password in the Browser

Hi, I briefly discussed this issue in this thread; https://discussions.agilebits.com/discussion/76577/minor-issues-with-firefox-browser-extension#latest

There was a guide I found that helped; https://support.1password.com/cannot-install-extension/#firefox

However, since then the Firefox extension is still not updating automatically. I have tried updating using the usual method and get permission/download issues.

Any ideas of what I can do to make sure it does auto updates of the extension? 1Password windows program updates fine by itself.

FYI; I am using Bitdefender 2017


1Password Version: 6.6.428d
Extension Version: 4.6.3
OS Version: Windows 10
Sync Type: Not Provided

Comments

  • AGAlumB
    AGAlumB
    1Password Alumni

    @Spaldo: Thanks for reaching out. I’m sorry for the confusion! It isn't possible for 1Password to update the extension itself. This is handed by the browser. And I have noticed that Firefox seems to be less consistent about doing this. You can probably force an update in Firefox Tools > Addons, but sometimes removing and reinstalling the extension is necessary. However, it is possible that BitDefender prevents Firefox from updating automatically. I don't have a solution for you if that's the case, but perhaps they'd be able to help. Given that we've seen issues with it blocking installation in the first place, I wouldn't be surprised if the same happens when Firefox is trying to download updates. But one other possibility (especially if you see the same behaviour with BitDefender disabled) is that your Firefox profile is corrupted. Let me know what you find!

  • Spaldo
    Spaldo
    Community Member

    With Bitdefender enabled:

    • I tried update via Firefox. It didn't find any updates.
    • I tried manually updating via your site, gave me an error

    With Bitdefender disabled (SSL setting) it updated manually fine.

    That would make me lean towards being Bitdefender/1Password related rather than Firefox itself.

    So do you think that the best action would be to contact them as there is nothing you can do on your end to work with Bitdefender?

  • matthew_ag
    matthew_ag
    1Password Alumni

    Hey @Spaldo,

    Unfortunately your testing matches ours also. To the best of our knowledge, when Firefox downloads our extension with BitDefender's "Scan SSL" feature enabled, BitDefender scans the downloaded extension before handing it over to Firefox and finds something it doesn't like. We suspect that when we added some code to ensure the connection between the browser extension and 1Password app is mutually authenticated BitDefender is flagging this as dangerous and cancelling the download. To Firefox, this appears as though the download failed.

    So do you think that the best action would be to contact them as there is nothing you can do on your end to work with Bitdefender?

    It would be really wonderful if you contacted BitDefender regarding this - hearing about this from their customers will hopefully encourage them to test this scenario out and fix this false positive in BitDefender's scanner.

    I hope that helps. Please let us know if we can be of further assistance.

    Best regards,
    Matthew

  • AGAlumB
    AGAlumB
    1Password Alumni
    edited June 2017

    I tried manually updating via your site, gave me an error

    @Spaldo: What was the error? That sounds like what I was referring to earlier: it being blocked. I think the reason you only see an error when manually updating because the automatic process is meant to happen entirely in the background.

    With Bitdefender disabled (SSL setting) it updated manually fine.

    Good to know. Can you tell me the specific name of the setting, in case it comes up again i the future?

    If this is what I think it is, BitDefender is breaking SSL, which can not only prevent you from updating 1Password (the server should reject connections that have a person-in-the-middle, as that is insecure), but also many other sites that use proper strict security. As you can imagine, we don't want an impostor to be able to impersonate us and give you a malicious app or extension. And while I don't recall this happening with BitDefender specifically, other "security" suites have in the past opened up their users to some serious attacks by doing this when hackers found a way to use the software's own self-signed certificate used to decrypt the secure data to do the same to their users.

    That would make me lean towards being Bitdefender/1Password related rather than Firefox itself.
    So do you think that the best action would be to contact them as there is nothing you can do on your end to work with Bitdefender?

    There just isn't anything we can do to prevent BitDefender (or anyone else) from doing this. Only you can. And we do not want to relax our security to accommodate this behavior, as it would put all 1Password users at risk. The best thing to do is not allow anyone to access your secure communications, as these are meant to be end-to-end encrypted between you and the website you're visiting — whether that be agilebits.com or amazon.com. Stay safe out there.

  • Once_Nice_Twice
    Once_Nice_Twice
    Community Member

    Well, is it related to my getting "connection failure" every time I attempt to grab the Firefox extension manually today? I'm new and don't have many more hairs left to turn gray...

  • Spaldo
    Spaldo
    Community Member

    Hi, thanks for the replies.

    @matthew_ag ,

    It would be really wonderful if you contacted BitDefender regarding this - hearing about this from their customers will hopefully encourage them to test this scenario out and fix this false positive in BitDefender's scanner.

    I will submit a ticket now.

    @brenty

    Good to know. Can you tell me the specific name of the setting, in case it comes up again i the future?

    You have a guide here; https://support.1password.com/connection-failure/

    However, it isn't totally correct, the actual steps to disable SSL in Bitdefender & allow installation of the 1Password extension is as follows:

    1. Open Bitdefender.
    2. Select Protection > View Modules > Web Protection and turn off Scan SSL.
    3. Install the 1Password extension in Firefox.

    I think one of the sections may have changed names...

  • matthew_ag
    matthew_ag
    1Password Alumni

    Hey @Spaldo,

    Thank you so much for submitting that ticket and for confirming "Scan SSL" as the setting name. If BitDefender reply you can let them know we would be very happy to work with them to fix this.

    Please let us know how it turns out.

    I think one of the sections may have changed names...

    Thanks for letting us know! In BitDefender 2017's screen this is what I see:

    Does this match what you see?

    Best regards,
    Matthew

  • matthew_ag
    matthew_ag
    1Password Alumni

    Hey @Once_Nice_Twice,

    Thanks for writing in! If you're using BitDefender and you're seeing that connection failure message then it's likely you're hitting the same issue. As Spaldo mentions, we have a guide for how to resolve this - please check that out and let us know if it helps!

    If however you're not using BitDefender and are seeing a Connection Failure message when trying to install the extension then it's possible you're hitting an another issue. The work around is to download it in another browser and then installing it in Firefox. Here are the steps to do that:

    1. Open the following URL in a browser other than Firefox:
      https://agilebits.com/onepassword/extensions

    2. Click "show all extensions"

    3. Under Firefox click "Install", this'll download the .xpi file for you.

    4. You can drag that from Finder / Explorer on to Firefox and it'll prompt you to install it.

    Let me know how that goes and if you've any questions about anything above don't hesitate to send a reply.

    Best regards,
    Matthew

  • Spaldo
    Spaldo
    Community Member

    HI @matthew_ag ,

    Yes, that is the front screen, but, when you go into modules it is a little different than the original guide I linked above.

    Here is the reply from Bitdefender:

    Thank you for contacting us regarding this matter.

    Please be informed that BitDefender's SSL browsing feature provides https secure web site and email scanning. Https technology itself prevents such attacks, but even a small chance such attacks can be performed,the SSL scanning feature successfully stops this attack.

    When various certificates are scanned, Bitdefender provides security by changing the location of this site's internet certificate and ensuring that the information is decrypted and encrypted. It is known that when you enable SSL scanning in Bitdefender, a fake certificate sequence is downloaded for encryption and encryption in SSL traffic (this is referred to as the middle or MITM).

    If you need to have this module disabled, you can easily turn it off, restart your internet browser and you will be able to take advantage of other security verification.

    To disable BitDefender's SSL scanning, make the following settings for your product:

    1. Open the BitDefender interface and click on Protection.
    2. Select Web Protection settings, disable SSL scanning, and restart your web browser.

    Disabling this feature will not leave your system unprotected, and you will continue to benefit from BitDefender security. This will also not affect the Auto-Pilot mode or the safety situation.

    Unfortunately it appears to be a stock standard reply and not specifically address the issue or look like any attempt to work with 1Password to fix this specific issue, rather, just tell me to disable the feature :(

  • AGAlumB
    AGAlumB
    1Password Alumni

    Unfortunately it appears to be a stock standard reply and not specifically address the issue or look like any attempt to work with 1Password to fix this specific issue, rather, just tell me to disable the feature :(

    @Spaldo: Honestly, while I understand that generally that's not the response you'd want to hear, in this case that's for the best. As I mentioned above, breaking secure web communications affects much more than just 1Password, so from a security and privacy perspective it's important to disable this to protect the integrity of your communications with all websites. The contents of your communications should be confidential between you and the site you're visiting.

  • Spaldo
    Spaldo
    Community Member

    @brenty , so it is just best to disable that feature anyway?

    Here is their reply to me after that one. I asked them to see if they can fix the link between 1Password & Bitdefender.

    Thank you for your feedback.

    We would like to inform your suggestion was passed along to the Bitdefender development team to be taken into consideration when releasing new product features. Let us know if there is anything else we need to know to improve.

    However, please note that Bitdefender already has a similar feature integrated, namely, Password Manager.

    Password Manager helps you keep track of your passwords, protects your privacy and provides a secure browsing experience.

    Using a single master password to access your credentials, Password Manager makes it easy for you to keep your passwords safe in a Wallet.

    To offer the best protection for your online activities, Password Manager is integrated with Bitdefender Safepay™ and provides a unified solution for the various ways in which your private data can be compromised.

    Password Manager protects the following private information:

    • Personal information, such as the e-mail address or the phone number
    • Login credentials for the websites
    • Bank account information or the credit card number
    • Access data to the e-mail accounts
    • Passwords for the applications
    • Passwords for the Wi-Fi networks

    Nonetheless, your suggestion to check the interference with Bitdefender and enable 1Password in Firefox is valid and as we said, will be considered.

    So they have just advertised the Bitdefender product instead ;)

    I might just disable that option anyway...

  • AGAlumB
    AGAlumB
    1Password Alumni

    @brenty , so it is just best to disable that feature anyway?

    @Spaldo: Yes, definitely. Your communications with websites should be between you and them, and not monitored by a third party. I appreciate that they want to offer this scanning feature to their users, and I respect that they offer a way to disable it, but it really does fundamentally break the security model of the web.

    Here is their reply to me after that one. I asked them to see if they can fix the link between 1Password & Bitdefender.
    So they have just advertised the Bitdefender product instead ;)
    I might just disable that option anyway...

    I think it's best to forget about 1Password for a moment, because this issue affects other things as well. If BitDefender is scanning your secure traffic, they have to decrypt it to do so; and to accomplish that, they need to insert their own certificate posing as the websites you communicate with. I don't doubt that they do so with only the best of intentions, but this practice means two things:

    1. They are able to see everything you send over the internet, even on what is meant to be a secure, point-to-point connection with a specific website, and they are posing as that site to do so.
    2. Similarly, they are posing as you to the website, relaying the information you send on your behalf, after decrypting it, scanning it, and re-encrypting it.

    This puts them in a very delicate position. They need to ensure that they do not collect your data even though they can, and that it is not leaked or exposed anywhere. And I have no doubt that they have every intention of protecting you and the rest of their users, since someone malicious who is able to pose as them or compromise their systems could do a lot of damage. In the not-so-distant past this has happened with companies doing the same, when their servers were compromised, or when their own certificate was stolen and used to decrypt their users' communications just as they were doing. There's just a lot that can go wrong. That's why we don't collect user data: because that means it could be stolen from us, or the mechanisms we use compromised and used against our customers.

    That said, I have no doubt that some of their customers want this feature though, and that it can offer a security benefit in some scenarios — for example, connecting to a malicious site securely, they'd potentially be able to warn you about unsafe there content. But it can't inoculate against unknown and zero-day vulnerabilities, and it still presents a risk when connecting to safe sites all of the time. In this case, AgileBits has very strict security to prevent someone from posing as us to give 1Password users something malicious posing as our software. And similarly Firefox is doing its job by rejecting the connection when there's a 3rd parry, however well-intentioned, listening in the middle.

    It's definitely a complex issue, but hopefully this helps illustrate the situation and challenges on all sides.

  • Spaldo
    Spaldo
    Community Member

    Hi @brenty , thanks for the detailed reply and explanation, I appreciate it. I didn't quite grasp it entirely until I read your post.

    I understand what you mean by them having good intentions, though, making a potentially dangerous situation for the 'secure' data. I will keep this feature turned off.

    Now it makes me wonder if there are any other good intended features that are compromising my data...

  • littlebobbytables
    littlebobbytables
    1Password Alumni
    edited June 2017

    Hi @Spaldo,

    I think you might find the following interesting reading.

    Disable Your Antivirus Software (Except Microsoft's). Now it's just an opinion of course but Robert O'Callahan is a former Firefox developer and the Justin Schuh mentioned is Google Chrome's security chief according to this Ars Technica article on the same subject.

    The intent is good but implementation is a massive factor when it comes to computers, mess it up and it just makes matters all the worse.

    The same applies to us too. We have to be extremely careful at every step of the process as we're dealing with incredibly sensitive information. You wouldn't store what's in your vault in a text file or excel spreadsheet so we have to make sure the encryption and security is up to scratch lest we end up doing more harm than good.

This discussion has been closed.