1 Password X Permissions

It seems like 1 Password X requires A LOT of permissions to do its thing.. where the older browser extension requires only two.

Don't want to be a nervous nelly, but what really is 1PX offering if you already have the standalone client installed on your machine? I see the little auto-suggest feature, but there is a fair amount of trust going into this 1PX extension that I'm finding it kind of hard to justify.

I see in the most recent release notes why two new permissions were asked for - is there a list explaining ALL the permissions that are listed for the 1PX extension? That might make it easier for me to cope with this extension seeing downloads and virtually everything else I do in a browser...

As an example - download permission for an event that happens once (the emergency kit)? Seems like a blanket permission that could easily be abused.

Thanks!



Comments

  • brentybrenty

    Team Member

    It seems like 1 Password X requires A LOT of permissions to do its thing.. where the older browser extension requires only two.

    @datx: That's a good observation. Indeed, with the 1Password desktop extensions, the native apps do pretty much everything, so the extension itself doesn't really need to be able to do much at all. :)

    Don't want to be a nervous nelly, but what really is 1PX offering if you already have the standalone client installed on your machine? I see the little auto-suggest feature, but there is a fair amount of trust going into this 1PX extension that I'm finding it kind of hard to justify.

    1Password X runs entirely within the browser, so in order to do anything at all, like the things you're used to being able to do easily with the native desktop app/extension, 1Password X needs permissions from the browser to do it, as it isn't running at the system level. Put another way, the browser is its operating system, so it needs to play by the browser's rules and ask for permission to do things.

    I see in the most recent release notes why two new permissions were asked for - is there a list explaining ALL the permissions that are listed for the 1PX extension? That might make it easier for me to cope with this extension seeing downloads and virtually everything else I do in a browser...

    Dave went into a bit of detail regarding recent changes, and Mitch posted a good overview earlier this year. :)

    As an example - download permission for an event that happens once (the emergency kit)? Seems like a blanket permission that could easily be abused.

    I suppose that's possible. However, the same would apply to any of the other permissions. After all, you're not constantly having 1Password X read and change data either, but presumably you want it to be able to do that sometimes, and therefore the permission to do so is necessary and must be requested upfront. Maybe there's a better way to handle this, but I don't know what it is and this is how the browser's security works currently. So we need to work within that framework.

    But more importantly, if we did ever abuse that, it would be far more costly to us than we could afford. We've built our reputation over more than a decade, and it takes very little for that to be called into question. Just read the comments when we change anything, even superficial design elements like the toolbar icon (which used to be a "key", and which saw a lot of controversy when we changed it, seriously). So we're not going to take any chances with security and privacy.

    I'm not even sure what kind of thing we could do with a "download" permission that would constitute abuse, but ultimately it doesn't matter because we just want to make it possible for users on Linux and Chrome OS and work computers to be able to easily save their Emergency Kits, so they can have a good experience like those on other platforms can, and so they hopefully have what they need to access their accounts in an actual emergency.

    So while I'm sorry that permissions can be a bit jarring for some folks, I do think the benefits vastly outweigh the risks. After all, you're already trusting 1Password to access everything you do on webpages, so that it can provide its core functionality of saving and filling login credentials. Everything else, while still valuable, is much smaller stakes in comparison, and we're grateful that you and the rest of our awesome customers trust 1Password to help you secure your digital lives in the first place. :)

  • Thanks for the thoughtful response.

    Strangely, the nervousness isn't even about 1Password as a company. As you mentioned (and I've read before), 1Password has far more to lose than to gain by doing anything malicious with the data or experiences entrusted to them.

    However - when you see some of the browser permissions, it is like sucking on a lemon.. Your face just puckers up and you can't do anything to stop it. :) By FAR the more "dangerous" browser permissions are ones I've accepted for other password applications and the older 1Password extension already.

    The links you provided I found to be very helpful. If I could make a suggestion, I think putting the collective "why" for each permission in a FAQ or knowledge base article would help irrationally paranoid users like myself sign off on them (and if an article like that exists, ignore me.. I just missed it).

    Thanks again!

  • brentybrenty

    Team Member
    edited February 2019

    Thanks for the thoughtful response. Strangely, the nervousness isn't even about 1Password as a company. As you mentioned (and I've read before), 1Password has far more to lose than to gain by doing anything malicious with the data or experiences entrusted to them.

    @datx: I hear you!

    However - when you see some of the browser permissions, it is like sucking on a lemon.. Your face just puckers up and you can't do anything to stop it. :)

    Yeah, that's a pretty good analogy. :lol:

    By FAR the more "dangerous" browser permissions are ones I've accepted for other password applications and the older 1Password extension already.

    I don't disagree.

    The links you provided I found to be very helpful. If I could make a suggestion, I think putting the collective "why" for each permission in a FAQ or knowledge base article would help irrationally paranoid users like myself sign off on them (and if an article like that exists, ignore me.. I just missed it). Thanks again!

    Likewise, thanks for your feedback on this. I think that's a good idea. :)

    ref: web/support.1password.com#1781

This discussion has been closed.