Why did jpgoldberg tell Kenn White he only uses native clients instead of web client.
There is an article on the web by Kenn White about security of 1Password. At one point, he shows a comment by jpgoldberg saying that he, jpgoldberg, only uses native clients instead of web clients. What exactly does this mean, and should users be concerned about security of the web client? And if not, why does he seem concerned enough to not use the web client? Thank you.
1Password Version: 6.8.1
Extension Version: Not Provided
OS Version: 10.12.6
Sync Type: Not Provided
Referrer: forum-search:why does jpgoldberg only use native clients
Comments
-
I would think native clients have the potential to be more secure as they are a known piece of code.
Browsers could be all sorts of versions or have all sorts of plugin's that are all beyond AB's control.0 -
Twitter is a terrible terrible medium for real discussion in my opinion. Things can be taken out of context, there isn't enough space to respond with the details necessary to provide the context.
Jeffrey uses the web client but only for administrative purposes. This is the same for literally everyone else on the team as well I suspect. Our native clients provide a better experience over all.
The reason this discussion came up is because there's no way to confirm independently that the web client you are using is the exact same one we distribute. With native clients you can do this because they're code signed. So you can ask the OS to validate the code signature of the application and confirm that it came from us, and that it hasn't been modified in any way. There is no way to do this currently with the web client. In theory this could mean that you receive a tampered with web client and not be aware of it. That all said though, a vast majority of people won't actually do these tests anyway but for the few people who do, our native clients provide the way they can do that.
We're working through some ideas on how best to proceed so that this can be done with the web client as well, but have nothing really to show at the moment. It could simply turn out we create a native app that embeds the web client inside it and those who are concerned can then use this instead of the web client directly. This would let people validate the client independently if we provide some sort of hash of the web client.
Browsers are sort of a wild wild west in their own right. As frymc says, there's a lot of ways that a browser can change things in a webpage and while most of the time that could be for the better, there's possibilities for that to go the other direction as well.
Reality is a vast majority of people don't use the web client for more than sign up and administrative purposes as the native clients are far better. We're slowly but surely introducing more administrative options into the native applications as well so this further reduces the need for the web client in day to day use. And our recently public beta'ed command line client allows for far more administrative options for larger teams to be done in an automated way away from the web client.
We'll likely have more to say about this in the future but for now it's an issue we're aware of and have been aware of from the beginning. There just aren't really simple solutions to them.
I hope that helps answer your question a bit.
0 -
Thank you both. But part of my question is that I am not sure I understand the difference between the native and web clients. When I use the app on iOS, and the app on Mac, are those native clients? To turn on/off the travel mode, I guess I am using the web client? So jpgoldberg wasn't meaning he doesn't use sync feature through 1Password? Thanks for clarifying.
0 -
When I use the app on iOS, and the app on Mac, are those native clients?
Correct.
To turn on/off the travel mode, I guess I am using the web client?
Correct.
If you're accessing your 1Password data through the 1Password.com website in your web browser (Safari, Firefox, Chrome, etc) you're using the web client. If you're using the browser extension, or one of the 1Password applications, then you're using native applications.
So jpgoldberg wasn't meaning he doesn't use sync feature through 1Password?
Jeff uses the 1Password.com service, he just avoids viewing his 1Password data through the 1Password.com website, instead preferring to use the native applications (which use the 1Password.com service) to view them.
Ben
0 -
Thank you. So is it possible to turn on/off the travel mode within a native client? If so, how do I do it?
0 -
It is not possible to do that. Partially because it would sort of defeat the purpose. If you're in travel mode and are asked to unlock your device at an airport or similar, being able to re-enable it would make those vaults immediately available again. So, travel mode would sort of be defeated if it could be enabled from within the app.
It depends on how you'd be using travel mode whether that matters I guess. But as of right now, it can only be enabled and disabled via the web client.
0 -
Good point! Thanks!
0 -
On behalf of Kyle, you're welcome. :)
0 -
In reviewing 1Password security documentation, it seems that the web client is the weakest link in the chain. My main reason for occasionally accessing 1Password via a web client is to view admin settings for my family account. From this thread, it sounds like only using admin features and avoiding opening vaults mitigates some of the risks of using the web client. Is that the case?
0 -
It seems safe to say that is a fair assessment, however I do think that the comparisons above are relative (to the native clients). It is worth evaluating what threats you are likely to face vs the benefits you might gain using the web interface. If the web interface doesn't offer much value to you then there is probably no harm in avoiding it.
Ben
0 -
Thanks. Is the reason that not opening a vault in the web interface increases security because data is only unencrypted as it is viewed? It would be nice to have some of the admin features added to the native apps (e.g. authorized devices, two factor setup, family management, etc).
0 -
No. It is largely because A. web browsers tend to be a hostile environment with who-knows-what extensions installed and B. unlike the native clients the web interface is not signed, which means there is currently no good way to verify that what is running in your browser is what 1Password intended.
It would indeed be quite nice to either get the management functions added to the native apps or to build an admin tool that could do signing for the web client.
Ben
0