Why only allow browser(s) that are signed?
Only allow browser(s) that are signed... because it is not safe!
That is a non-argument to me, because every rogue extension can compromise a browser.
Two of the recent extensions for Google Chrome that have evil code are Web Developer and Copyfish:
https://a9t9.com/blog/chrome-extension-adware/
Others leave it to the user to decide what is working for them.
So please make this optional.
Comments
-
Hi @KJS,
Thanks for writing in.
Yes, every security system can be compromised; there isn't one that can't be. However, the only thing anyone can do is make it difficult and longer to break, so that a better solution will be found in time. Right now, this is the best solution we have for our users, which is to enforce that the 1Password extension can only run in browsers we can verify. We've already seen reports where certain users had Chrome installed with an invalid chain of certificates and 1Password stopped running because of it; it could've made things worse if no one knew about it.
We'd like to make it a hidden advanced option for certain users in a future update. We're still adding more and more extra security checks over time in 1Password updates and such an option to disable them may not be feasible over time, which is why we're not adding one right now because it may break in time.
0 -
Hi Mike,
Thanks for your answer.
I think an option with a big red flag will be the better solution; a lot of peeps tweak more privacy-minded browsers nowadays and that part of the market is growing rapidly. Over time it will probably be solved; more and more code is getting signed, and that is another can of worms.
0 -
Thanks for the feedback. There are certainly a lot of factors to consider.