1Password X Security

The full featured application and limited browser extension architecture of 1Password is what I first appreciated about your product and convinced me to adopt a password manager in the first place. I gained trust in your subscription service and the architecture you designed for that by reading your security white paper. That said, I do have concerns about a password manager being exposed to the larger attack surface of a desktop web browser. AgileBits representatives have been quick to point out the larger attack surfaces of competing products that live entirely in a browser extension elsewhere on this forum. I do appreciate that the extension brings 1Password to more platforms and presents a unique opportunity to reimagine the product, but the blog post announcing it strikes a tone that makes me think the days will eventually be numbered for the standalone client and light extension model.

I don't expect you to comment on your future plans, but I would like to better understand the change of heart and what makes your approach to putting the brains in the extension more secure than others.


1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Sync Type: Not Provided

Comments

  • Hi @wxkeith,

    You’re right about the browser having a larger attack surface. We mitigate that in two general ways:

    • The first is to rely on the security model of the 1Password service, which you read about in the white paper. The hard work is still done by the clients, and we still have the same protections from network-based attacks.
    • The second is to not execute in the untrusted browser environment. We build on the WebExtensions API, which allows for the app logic to run in a sandboxed “background page.” Normal JavaScripts have no access to this page. They would have to break the Chrome security model to get there—a risk, but one that is no less present for native apps.

    That leaves us with one other attack vector that is more concerning in the browser: phishing. A page could pretend to be 1Password and display fake UI. This is definitely more of a concern for a browser app, and we protect against it by never asking you to input your Master Password in “inline” elements that appear to be part of the page. I’d like us to do more here in the future.

    I also want to clarify that there is no change of heart. 1Password X is a new addition to the family and not a replacement for our Mac/Windows desktop apps or the existing extension. New versions of those are in the pipeline even as we made this announcement. :)

  • wxkeith
    wxkeith
    Community Member

    Thanks for the speedy reply, @Mitch!

  • beyer
    beyer
    1Password Alumni

    On behalf of Mitch, you're very welcome! I hope you have a pleasant week.

    --
    Andrew Beyer (Ann Arbor, MI)
    Lifeline @ AgileBits

  • Any time. Im going to write up a bit more in a support article which I’ll link here when it’s ready.

    I didn’t touch on how our approach differs from the competition because I don’t want to misrepresent other apps. But I will say we’re relying on browser technologies that simply didn’t exist more than a couple years ago, like WebCrypto and a standardized extension API with sandboxing guarantees. Without these we couldn’t have built anything like 1Password X to our standards.

  • pervel
    pervel
    Community Member

    @Mitch:

    They would have to break the Chrome security model to get there—a risk, but one that is no less present for native apps.

    Probably technically true, but the problem is that people tend to try out and install browser extensions much more promiscuously than they do native apps. And there have been several hacked extensions already:

    https://thehackernews.com/2017/08/chrome-extension-hacking.html

    Hopefully, it is a lot harder for such hacked extensions to steal 1Password data.

  • AlwaysSortaCurious
    AlwaysSortaCurious
    Community Member
    edited November 2017

    Yup, @pervel , feel the same way.... I have to try X, but I do know I like the app workflow. But i May take a pass. I’d rather depend on these guys than google.

  • AGAlumB
    AGAlumB
    1Password Alumni
    edited November 2017

    We've got some more details on the security here too:

    About 1Password X security

    And be sure to let us know if you have any questions. :)

    @pervel, @wxkeith, @AlwaysSortaCurious: But I also wanted to mention that I had a similar reaction to 1Password X initially, that it sounded like we might be moving away from native apps and going browser-only in the future. That's an understandable read, and one I can relate to as a long-time 1Password user myself. But as a part of the AgileBits team, I can tell you with certainly that this couldn't be further from the truth: we're really proud of our native apps, and the kinds of powerful things we can do there isn't something we want to give up either — as users and as the folks making it! So think of 1Password X as just another great way to use 1Password...especially in environments where we couldn't before, either due to platform or because of restrictions on installing apps locally. Cheers! :sunglasses:

  • khad
    khad
    1Password Alumni

    About 1Password X security was just published if anyone following along would like to read it.

    I'll be keeping an eye on this discussion to see what else we need to add.

    Related to the most recent comments: advice to not install untrusted browser extensions is general [1Password] security advice. That hasn’t changed with the introduction of 1Password X.

  • AGAlumB
    AGAlumB
    1Password Alumni

    @pervel: I also wanted to clarify that 1Password X is not storing data in the browser. And if and when we do, it will be using strict security controls (as Mitch mentioned above) that protect your data — and ours. You also make a great point about installing untrusted extensions. While another extension cannot simply steal your 1Password data (regardless of the "flavour" you're using), it is important to note that if you are granting other extensions broad permissions (many request access to everything on the webpages you interact with) that would allow them to capture your login credentials after you fill them using 1Password. Just another reason to exercise good security hygiene — and perhaps use 1Password in a browser/profile where you do not have other extensions installed with such broad permissions. Better safe than sorry. :sunglasses: :+1:

  • AlwaysSortaCurious
    AlwaysSortaCurious
    Community Member
    edited November 2017

    Thanks, guys. @khad something to keep in mind is what @pervel pointed out. The dev account of extension developers got owned and the apps altered (Web Developer for example, which is used by just everybody). Perhaps some hash or check or I won't provide technical solutions to more technical people, but in any case, it is a valid issue.

    Edit: LOL! Wait, they current extension suffers from the same issues, no? Or how is it materially different? Hmmm... Might have jumped the gun, or perhaps there is a real nuance here to explore.

  • khad
    khad
    1Password Alumni

    The threat of a compromised download source has not changed with the release of 1Password X. That's why it's always important to use strong, unique passwords and enable two-factor authentication everywhere it is available (including and especially on developer accounts).

  • wxkeith
    wxkeith
    Community Member

    Just checked back in this thread and wanted to say thanks to all the 1Password folks for dropping in. The About 1Password X security page is a great addition! 8-)

  • khad
    khad
    1Password Alumni

    Thanks, @wxkeith! I just pushed a (tiny) update to About 1Password X security a couple hours before you posted. I split the first section into "Your data is protected by strong encryption" and "Your data is protected at rest and in transit" to help clarify that the security of 1Password X is the same security already protecting folks' 1Password accounts.

  • mallow76
    mallow76
    Community Member

    Hi - just trying to log into the extension just now using my 1password account. The sign in web page that I am taken to asks for my email, my secret key and my master password. I thought there shouldn't be any inline things on a webpage asking for our Master Passwords. Can you clarify?

  • AGAlumB
    AGAlumB
    1Password Alumni

    @mallow76: Thanks for reaching out. I’m sorry for the confusion! 1Password.com can only work in your browser, so that's the only way to sign into that currently. In the future we'd like to do some magic if you're using the native 1Password app, so that you can sign in there and it can integrate with the new 1Password X extension in Chrome. So long as you're not entering your 1Password.com account credentials somewhere other than 1Password.com though you're in the clear. I hope this helps. Be sure to let us know if you have any other questions! :)

  • awdfg
    awdfg
    Community Member

    I noticed in 1password X when I'm editing an existing site it opens the vault in a new page that is protected by https. I'm wondering what the risk is of any kind of MitM is if I'm on a public wifi etc., while editing.

  • AGAlumB
    AGAlumB
    1Password Alumni

    @awdfg: Thanks for getting in touch. Good question! Generally speaking, unless you're using "security" software that modifies Chrome to perform a person-in-the-middle attack on you, you'll be protected by TLS over HTTPS. However, 1Password.com does not depend on that for security:

    Three layers of encryption keeps you safe when SSL/TLS fails

    All of your data is encrypted and decrypted locally on your machine, so even without a secure connection an attacker won't be able to read it. That said, you should still use a VPN if you're on an untrusted network, as that will protect the rest of your traffic (security) as well as prevent snoopers from seeing which sites you visit (privacy). But if a secure connection to 1Password.com cannot be established, the server will reject the connection. It's very strict about this, and we regularly hear from users who encounter issues like this because their security settings have been modified by something.

    Anyway, I hope this helps. Be sure to let me know if you have any other questions! :)

  • awdfg
    awdfg
    Community Member

    Thanks for the reply. I was wondering how it was handled in the browser but if the data is encrypted before it's uploaded to the 1password servers, that puts my mind at ease.

  • AGAlumB
    AGAlumB
    1Password Alumni

    You're welcome! Indeed, all the crypto is done locally on your device — even when you use 1Password.com in your browser — and the "keys" used are never sent to us; all we get is the encrypted blob. Cheers! :)

This discussion has been closed.