How does my.1password.com work?

acee
Community Member

I am new to 1Password, using your cloud service to sync my account data using the Windows desktop application.

However, because I don't want to install the desktop application on my work computer and because I have a Windows 10 Phone (for which there is currently no available app), I am forced to use the my.1password.com website to log in and access my vaults when not on my personal computer.

What I was curious about, however, is that most of the 1Password literature about our encrypted data suggests that encryption is end-to-end and that it is never transmitted "unencrypted". Also, it is suggested that AgileBits at no point ever has our master password or our secret key.

When we access our account data via the my.1password.com website, does this still hold true?

A conventional web application would typically do all processing on the server-side (i.e. using this approach, this would mean that my.1password.com takes our master password and our secret key as form input, decrypts the data on the server side, and then presents it back to the client).

It seems that this would be undesirable (since in other places, AgileBits claims that the designs are meant to assume conventional transport-level encryption such as SSL/TLS are compromised), and I'm thinking that given the level of thinking your team demonstrates, that this is probably not how you handle our data on the my.1password.com web application.

The other alternate approach I could imagine you used is that the my.1password.com website contains all logic required to do the data decryption given a master password and secret key on the client side (e.g. via JavaScript). In this way, it seems that the end-to-end encryption feature of 1Password is preserved?

Can you confirm whether or not this assumption is true/false? I want to make sure I understand any risks associated with using the my.1password.com application as opposed to using the regular desktop application.

Thanks!


1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Sync Type: Not Provided

Comments

  • jpgoldberg
    1Password Alumni
    edited June 2017

    That is a very good question. Because you are interacting with your data in a web browser it appears as if the server is serving it up or that your credentials are being transmitted to the server. Looks can be deceiving.

    Instead what happens is that when you go to the web site you fetch a 1Password client in JavaScript. That is a full client that runs entirely within your browser on your machine. All encryption is taking place locally, and no secrets ever leave your machine.

    So yes, you are correct with

    The other alternate approach I could imagine you used is that the my.1password.com website contains all logic required to do the data decryption given a master password and secret key on the client side (e.g. via JavaScript). In this way, it seems that the end-to-end encryption feature of 1password is preserved?

    I hope that helps. Cheers.

  • acee
    Community Member

    Awesome, thanks for the confirmation!

  • jpgoldberg
    1Password Alumni

    You are very welcome. And if you would like more detail about all of this (and so much more) take a look at our Security white paper (PDF).
