Can / does 1Password only fill information one secure (httpS) pages?

Surprisingly I couldn't find an answer in my initial searches on google or the forums or digging through the settings.

Does or can 1Password only fill usernames/passwords if the current page is using https? Some sites login forms default to http although they can / do support https on the login page. As an added safety measure I'd like to only fill information from 1Password if the site is using https to, for example, reduce the risk of being redirected to http by something like the VPNFilter router malware.

Currently using 1Password 6.8.9


1Password Version: 6.8.9
Extension Version: 4.7.3
OS Version: 10.14
Sync Type: Dropbox
Referrer: forum-search:https only

Comments

  • AGAlumB
    AGAlumB
    1Password Alumni

    @DigitalOxygen.ca: Ah! Good question. The answer to "Can / does 1Password only fill information one secure (httpS) pages?" is no. It will fill at (insecure) http:// URLs, but only if your Login is saved with an http:// URL. Saving an https:// URL is obviously better for security reasons, but also usability, since then 1Password can take you to the secure page when you use Open & Fill. I hope this helps. Be sure to let me know if you have any other questions! :)

  • DigitalOxygen.ca
    DigitalOxygen.ca
    Community Member
    edited October 2018

    Make sense and works for me, thanks.

    I would like to request though that a feature be added that functions similar to the HTTPS Everywhere browser plugin and either forces the browser to the https version (which may not be possible, granted) or warns the user they are filling on a non-https site or even prevents them from filling plain http site, depending on how they have it set.

    Lots of ways to implement it but I think we can do better overall the leaving it entirely up to the user update all the password entries in their vault which can be very tedious if they have hundreds or thousands of entries.

    For example I have 1,500+ entries and the only method I see so far is to navigate through each entry and visual check for plain http and update manually. Suggestions on a better method?

  • AGAlumB
    AGAlumB
    1Password Alumni

    I would like to request though that a feature be added that functions similar to the HTTPS Everywhere browser plugin and either forces the browser to the https version (which may not be possible, granted) or warns the user they are filling on a non-https site or even prevents them from filling plain http site, depending on how they have it set.

    @DigitalOxygen.ca: I'm not sure that makes sense. If the login is saved with an HTTP:// URL, Watchtower will suggest you update it to use a secure page. If it is saved with an HTTPS:// URL, that means one exists and can be used -- after all, that's where you saved it!

    Lots of ways to implement it but I think we can do better overall the leaving it entirely up to the user update all the password entries in their vault which can be very tedious if they have hundreds or thousands of entries.

    It's literally just a click. But it does sound like you may be using an outdated version that does not have this functionality.

    For example I have 1,500+ entries and the only method I see so far is to navigate through each entry and visual check for plain http and update manually. Suggestions on a better method?

    Consider upgrading, for many reasons. ;)

    1Password 7 for Mac: The Best Ever

    I do find it surprising though if you really have "hundreds or thousands of entries" saved as HTTP:// since that hasn't ever been common, and I haven't heard from others about cases like this -- and 1Password has worked this way for many years.

  • DigitalOxygen.ca
    DigitalOxygen.ca
    Community Member

    As per the original post I am using 1Password 6.8.9. I see nothing related to http / https in the Security Audit section in the left menu nor have I ever seen any suggestions pop up when filling passwords or anywhere else.

    I was not saying that I have 1,500+ entries that were http but rather that I have that many in total and in the absence of a feature like you described it seems the only way to do it is manually going through all the entries to find and fix http urls.

    I'll consider upgrading to version 7 for better auditing features like this.

  • AGAlumB
    AGAlumB
    1Password Alumni

    @DigitalOxygen.ca: Ah, sorry for not being clearer. Indeed, "unsecured website" warnings are a feature we added in the new Watchtower in version 7. I think it's worth upgrading, and not just for that. It is, however, really useful for this particular purpose:

    But if you have any other questions about it, let me know. Cheers! :)

This discussion has been closed.