Not open source extension, do we need to trust 1Password ?

demdo
demdo
Community Member

Hello,

I have read the whitepaper, I understand the great work done by 1Password team. But I have studied the webCryptoAPI, I know that you are using it.

The issue is that during the key derivation function we need the passphrase as input, how can we protect ourselves even from 1Password 'stealing' ?

Please do not take my question as a provocation, I really try to understand the webCryptoAPI protection mecanism. Event if we derive the key with a non extractable property, we can not protect from an input 'stealing', or can we ?

Because the js package is not open source, we are not able to check in case this is done with full knowledge of the facts or by error, bug...

A last precision: the effort of transparency of 1Password is really appreciable, the whitepaper is an evidence of that, however I just want to understand the security risk inherent to web apps in general and how 1Pasword mitigates them.

Thank you.

PS : I have posted another question in reddit : https://www.reddit.com/r/1Password/comments/a1qxgq/understand_the_kek/
I think it was not the right place, if someone can also explain me the key chains, because I found some unclear and contradictory explantions.


1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Sync Type: Not Provided

Comments

  • Because the js package is not open source, we are not able to check in case this is done with full knowledge of the facts or by error, bug...

    Sadly, even if we open sourced the JS package you wouldn't be able to verify this. You would need a way to verify that the version of our package that's used on our website is the same as the one whose source you're reading. And that's a tougher problem to solve.

    The JS code is relatively un-obfuscated and should be pretty legible if you pass it through a prettifier. We encourage people to inspect it directly instead of taking our word for it.

    Rick

This discussion has been closed.