How do I disable the 1Password warning: unsecured HTTP page?

tealduck
tealduck
Community Member
edited June 2017 in 1Password 4 for Windows

I'm sure some users might appreciate this but I find it to be quite annoying. Is there a way to disable this warning message?


1Password Version: 6.6.439d
Extension Version: 4.6.6
OS Version: Windows 7
Sync Type: Not Provided

Comments

  • MikeT
    edited June 2017

    Hi @tealduck,

    Thanks for writing in.

    No, you cannot disable this message and we will not offer it as an option. What is happening is that you originally saved this item from a secure page and now the extension is attempting to fill on the insecure page that will expose your credentials in clear view.

    If you're willing to expose your data for a specific site, what you can do is edit the saved URL to the insecure URL (removing https://) and the message will not show up.

  • tealduck
    tealduck
    Community Member

    Sure that makes sense, why would you want to satisfy a customer? Some things don't change.

    Just FYI, this login is used by lots of URLs, it just so happens that one of them is "unsecure",

  • Hi @tealduck,

    Just FYI, this login is used by lots of URLs, it just so happens that one of them is "unsecure",

    I'm not sure what you mean exactly but if you're reusing the same credentials on various sites then that means the entire security of all of these sites are severely weaken by that specific page. You should contact the owner of that site to update to support HTTPS instead.

    Sure that makes sense, why would you want to satisfy a customer? Some things don't change.

    It's not about satisfying everyone, it's about adding more and more settings that makes the program difficult to use. We want 1Password to be simple to use without complicating the UI with all random settings.

    In this case, adding an option that can expose your data in clear view is just something we are not going to do.

  • tealduck
    tealduck
    Community Member

    So I don't think you have thought out all of your use cases. The owner of the site is my company and the server is on an internal network that is not accessible to the world. Yes, the password is transported on our internal network in clear text but the impact is marginal at best. The login credentials are actually my Active Directory credentials.

    So yes, on external sites I follow the practice of one unique password per site, but internally that is not an option. I also don't believe I'm the only person working in an organization. Now maybe it is your choice to not service business users and that is okay. I just wish I had known that before I subscribed.

    In regards, to keeping the application simple. That is always a fine line and I can understand you not wanting to clutter your interface with a lot of advanced options. However, many applications choose to let users define these options in a configuration file. Look at Firefox, they have the most common and relevant settings in a couple of tabs. They also offer an advanced page that allows more experienced folks to customize the application further.

    What do you really accomplish by just saying no to options? The answer is NOT simplicity for your users it is alienation of your existing users.

  • Greg
    Greg
    1Password Alumni

    Hi @tealduck,

    Thank you for your feedback! It is appreciated.

    While it makes a perfect sense to have such option for advanced users, we do not want other people to switch this warning off, because it will compromise their security. Since the security and safety of ones data is our top priority, we have to consider all use cases, not only outliers.

    Have you tried to create a separate Login item for that HTTP page? Does it help?

    Thanks!

    ++
    Greg

  • Manaburner
    Manaburner
    Community Member

    Reading this I'm curious how it came to this situation in the first place. @tealduck do you sometimes open the same site (let's say a firewall config page) sometimes via HTTP and sometimes via HTTPS and you happened to save the login item for that site while you were using HTTPS?

  • tealduck
    tealduck
    Community Member

    It came up because most of our internal sites do in fact use HTTPS. However, we stood up an isolated test web server for a proof of concept and that is what is now causing all of the grief. The main reason I switched to 1Password from RoboForm was the ability to share logins among URLs. That way when the password changes I only have to make the change in one login and not dozens. I have heard that LastPass now supports this feature so I will be reviewing that software in the near future.

  • tealduck
    tealduck
    Community Member

    @Greg - Yes creating a new login did alleviate the issue and so the warning is now less obtrusive, Thank you for the suggestion.

  • Greg
    Greg
    1Password Alumni

    @tealduck: Great news! Thank you for keeping us posted. :+1:

    Please do not hesitate to contact us with any questions you might have with 1Password 6 or 1Password in general. We are always ready to help you with tips and tricks and best practices. Thank you!

    Cheers,
    Greg

This discussion has been closed.