Bizarre download servers
Why should we trust 1P to download its updates from servers that have names we don't recognize? For instance: cdn.quilt.janrain.com
Comments
-
Is that an update server? Some of the bizarre names are just for the fancy icons of items, and this can always be turned off.
0 -
Hey @blastmaster,
Don't worry, there's an explanation for this behaviour. 1Password makes various outside connections, including app updates from Amazon CloudFront. Sometimes an app like LittleSnitch may report one of the CNAME records that points to the same address that AgileBits uses, since CloudFront servers are used by many companies.
From 1Password and Your Privacy:
There is a peculiarity of how some firewall software, Little Snitch in particular, may report these connections. Little Snitch’s Connection Inspector will display “all names currently known to resolve to one of the IP addresses of the server.”
Given how the Cloud Front content distribution network operates, the particular cloudfront.net subdomains do not correspond to a unique IP address. Nor is an individual IP address limited to a single cloudfront subdomain. For example, one of the IP addresses associated with d13itkw33a7sus.cloudfront.net is 54.230.49.141. That same IP address may also be associated with some other cloudfront subdomain entirely unconnected to Agile Bits. That IP address may also be associated with something like example.com.
The upshot of this interaction between Cloud Front domain names, IP address, and Little Snitch’s reporting habits is that Little Snitch erroneously reports 1Password attempting to connect to example.com in that example.
1Password is connecting to CloudFront for the software updates (also for rich icons, news, and help files), and although LittleSnitch may report cdn.quilt.janrain.com, it's just a domain that is associated with CloudFront. There have been several reports on the forums here by users experiencing LittleSnitch reporting 1Password connecting to strange domains, but they're really just CloudFront aliases.
Here's some verification for my explanation:
host cdn.quilt.janrain.com cdn.quilt.janrain.com is an alias for d3hmp0045zy3cs.cloudfront.net. d3hmp0045zy3cs.cloudfront.net has address 54.230.71.202 d3hmp0045zy3cs.cloudfront.net has address 54.230.68.242 d3hmp0045zy3cs.cloudfront.net has address 54.230.71.136 d3hmp0045zy3cs.cloudfront.net has address 54.240.188.42 d3hmp0045zy3cs.cloudfront.net has address 54.240.188.231 d3hmp0045zy3cs.cloudfront.net has address 54.240.188.103 d3hmp0045zy3cs.cloudfront.net has address 54.230.69.128 d3hmp0045zy3cs.cloudfront.net has address 54.230.71.30But if you're still concerned about using the 1Password Updater, you could always download the latest version of 1Password 4 from the AgileBits downloads page and manually install the update.
Hope that helps! :)
0 -
When we're talking about the security of the family jewels, this is NOT reassuring--certainly not to me and it shouldn't be reassuring to all of the people who have been using autoupdate. Much of the time, the update servers my installations access do not have a recognizable domain name. i.e., NOT amazon.com and NOT cloudfront.net. Often (maybe most of the time) it's a new name that I've never heard of before. What is with that?
0 -
@danco, I am indeed talking about 1P update servers. 1P doesn't access the 'net without Little Snitch's approval, and I have "use rich icons" turned off, because that's a privacy concern even though Agilebits says they don't (themselves!) use the information.
0 -
Often (maybe most of the time) it's a new name that I've never heard of before. What is with that?
Please see my post (#3) above.
0 -
Thanks. I've now read your response more closely/completely. It makes sense, and it means I must manually verify the address or manually update, neither of which is convenient. Software such as Carbon Copy Cloner always seems to access amazon for its updates. Is the method used by 1P a cost-saving measure or something?
0 -
If someone finds a Little Snitch configuration that makes it a little less greedy in finding names associated with an IP address, please let us know!
Little Snitch is actually trying to be helpful. It is presenting you with all possible "names" for that IP, hoping that you will recognize one of them. But, of course, that is not how people see that scary list.
Is the method used by 1P a cost-saving measure or something?
Using a CDN like cloudfront provides things that we really couldn't do on our own. One particular feature is capacity management. For us to run a server that is capable of handling peak demand (say when there is a major update) would be extremely wasteful of the capacity at other times. A CDN also makes the downloads much quicker for you, as the system is designed to find a host that is "nearest" to you in terms of network topology. Finally "outsourcing" the CDN means that we don't have to be in the business of maintaining high capacity servers. We can focus our efforts on building our software.
Where cost comes into it is whether we pay for the service we are using or get a multi-homed dedicated IP address that is never used by any other cloudfront customer. That would, indeed, be really expensive. Maybe when the world finally moves to IPv6 this will be easier.
0 -
Just for example, how does Dropbox manage to avoid this issue? It's updated maybe more often than 1P4 (counting betas, too) and many Dropbox users are non-paying.
We are talking security of the family jewels. How much is Agilebits really saving?0 -
Dropbox is in a completely different business than we are. They are in the data storage service business. We are in the security software product business. As such the infrastructure they have in-house is quite different from ours. Their infrastructure involves a lot of hardware to store data and make that data accessible to the internet. Our infrastructure is more people based: developers, customer support reps, etc. We don't have the means to build a system like Dropbox's just for the sake of distributing updates under our domain name.
1Password does do its own internal verification of updates before they are installed.
Thanks!
Ben
0 -
Just for adding in a little info to the Dropbox mix.
They connect to the following and this is only the very few I know of. I am sure there are more.
- www.dropbox.com
- www.getdropbox.com
- dl.dropbox.com
- dl-web.dropbox.com
- forums.dropbox.com
- *.amazonaws.com
- *.amazon.com
- *.dropbox.com
- *.getdropbox.com
- *.static.reverse.softlayer.com
These are the sites that you need to enter to get a Macs parental controls working properly. Well they were anywhere from two to four years ago. I have been a member of most of the discussions, or provided some of the background info to other members.
Some of the addresses came from Dropbox staff and some came from users looking to make the parental controls work. All of it was gathered in the Dropbox Forums
There has not been any real updates to the known list in about 1 year. Most times we ask folks to submit a ticket and allow support to help.
If you wanted to submit one you would visit. Dropbox Support Ticket
replies can take a few business days. Priority is given to Pro or Business (formerly Team) accounts.The above are not necessarily for updates but any connection the app makes. I know your real concern was with 1Password but included the info here just incase you wanted more info from Dropbox. Additionally just to point out even they connect to domains like this and yes it is real or was two years ago.
stork.amazon.com
~thightower : Dropbox & 1Password moderator
0 -
For another perspective, this is why we trust the 1Password Updater outbound connections. First, you downloaded 1Password Mac from the AgileBits Store to start things off. 1Password Mac includes its own updater. The updater makes an outbound connection for only three purposes: to see if any update(s) exist, to retrieve the relevant Release Notes and optionally to download software. It makes this connection and Little Snitch's handling sometimes includes what appears to be a non-specific domain name. After letting the connection complete, if the updater gets the okay from you to download whatever new version it has found for you only then does it grab the remote file and then verifies it is what it thinks it should be — before replacing your working copy of 1Password. So even if that outbound connection were going to i.got.u.example.com, any retrieved version would not be trusted by the updater.
1Password Mac users that use Little Snitch have come to trust that the updater itself won't let something bad happen and we generally grant it either access to outbound connections "Always" or for the truly paranoid among us, grant the access each time so that we stay fully aware of the access. The reported domain name isn't important given the context that the updater is going to check after itself no matter what.
Looking at my Little Snitch rules for 1Password Updater I see approved connections to i.agilebits.com:80, i.agilebits.com:443 and app-updates.agilebits.com:443. I trust each of those connections, no matter what the Little Snitch might say and with those rules I am not prompted by Little Snitch when the updater runs to do what it needs done.
0 -
cdn = content delivery network. aka a provider specialized in worldwide distribution of file downloads.
0
