Please use update servers with your domain name in the FQDN
I'm using LittleSnitch and every time 1Password wants to update itself, the DNS names it wants to connect to are obscure and seem untrustworthy. Like this one, that just happened: "1Password Updater wants to connect to cdn-s.gumiyo.com on TCP port 443". I've also seen seemingly random FQDNs for cloudfront too. I'd like to see FQDNs that imply ownership from AgileBits, otherwise I'm skeptical of botnet traffic that's hijacked my 1Password application and is leaking my credentials.
It would help decrease my anxiety, both personally and from a corporate security perspective, if 1Password could use consistent and more human-friendly names like "updates.agilebits.com" or "beta.agilebits.com", etc to host its downloads.
Comments
-
Hey @x509v3,
1Password downloads its app updates from Amazon CloudFront. And even though their actual domain is app-updates.agilebits.com, sometimes an app like LittleSnitch may report one of the CNAME records that points to the same address that AgileBits uses, since CloudFront servers are used by many companies.
From 1Password and Your Privacy:
There is a peculiarity of how some firewall software, Little Snitch in particular, may report these connections. Little Snitch’s Connection Inspector will display “all names currently known to resolve to one of the IP addresses of the server.”
Given how the Cloud Front content distribution network operates, the particular cloudfront.net subdomains do not correspond to a unique IP address. Nor is an individual IP address limited to a single cloudfront subdomain. For example, one of the IP addresses associated with d13itkw33a7sus.cloudfront.net is 54.230.49.141. That same IP address may also be associated with some other cloudfront subdomain entirely unconnected to Agile Bits. That IP address may also be associated with something like example.com.
The upshot of this interaction between Cloud Front domain names, IP address, and Little Snitch’s reporting habits is that Little Snitch erroneously reports 1Password attempting to connect to example.com in that example.
1Password is connecting to CloudFront for the software updates (also for rich icons, news, and help files), but because of that peculiarity, LittleSnitch may report a domain such as cdn-s.gumiyo.com. But it doesn't mean that the updates aren't coming from AgileBits, it's just a different domain that is associated with CloudFront. There have been several reports on the forums here by users experiencing LittleSnitch reporting 1Password connecting to strange domains, but they're all CloudFront aliases.
Here's some verification that cdn-s.gumiyo.com is actually a CloudFront alias:
host cdn-s.gumiyo.com cdn-s.gumiyo.com is an alias for d3b825c9rbnhuu.cloudfront.net. d3b825c9rbnhuu.cloudfront.net has address 54.230.69.53 d3b825c9rbnhuu.cloudfront.net has address 54.230.69.108 d3b825c9rbnhuu.cloudfront.net has address 54.230.71.125 d3b825c9rbnhuu.cloudfront.net has address 54.230.71.225 d3b825c9rbnhuu.cloudfront.net has address 54.230.69.201 d3b825c9rbnhuu.cloudfront.net has address 54.240.188.225 d3b825c9rbnhuu.cloudfront.net has address 54.240.188.214 d3b825c9rbnhuu.cloudfront.net has address 54.230.69.23But if you're still concerned about using the 1Password Updater, you could always download the latest version of 1Password 4 from the AgileBits downloads page and manually install the update.
Hope that helps! :)
0 -
Thanks -- helpful. It's too bad that CDN won't assign a global load balanced IP address space per client (like Agilebits) to make this more readable.
0 -
I've got to imagine with the number of customers Amazon has, issuing a unique public IP v4 address for each of them would be next to impossible. When IPv6 becomes more common practice, I'm sure that'll be a thing. :)
Thanks.
Ben
0
