Invalid Server Certificates - problems for admins using latest version of 1Password

robcha
Community Member

Hi guys, the latest version of the app with the new https check now refuses to load pages with self-signed SSL certificates. This sounded good when you added it I'm sure but you forgot that a lot of us out here use the 1password built-in browser to manage servers via web interfaces. These interfaces are invariably using self-signed SSL certs. Oh dear. :)

Instead of a refusal to continue could you change the behaviour to warn and give the option to continue as other browsers do? Lastpass recently made a design mistake very similar to this and have now fixed it, please do the same. :)

Other than that great apps, used them for ages and love them. Especially the Dropbox sync. Great job, thanks.


1Password Version: Latest
Extension Version: Not Provided
OS Version: iOS latest
Sync Type: Dropbox

Comments

  • escolar
    Community Member

    Exact same problem.

    Warning was given in previous version but now fails.

    Please revert to previous behavior or better yet add security setting that allows mis-matched certs.

  • Nunuv Yurbiz
    Community Member

    Me too. I connect to SecuritySpy's built in ssl web server. Before, I wanted 1P to save accepted certificates so I don't get the warning every time. Now, instead of addressing that, it has taken a step backwards as I can't even connect. Boo, hiss.

  • bonsaipappel
    Community Member

    Same Problem here. I have to connect to a private mail server with a self signed SSL certificate and since the new version I can't connect anymore.
    Please fix this :-)

    Thanks.

  • Megan
    1Password Alumni

    Hi @robcha, @escolar, Nunuv and @bonsaipappel ,

    I sincerely apologize for the trouble here. Our developers are currently looking into this issue. It appears to be related to the API that we're using, and we've filed appropriate rdars with Apple. We are also investigating how to fix this on our own end. I've added your comments to the issue in our internal tracker, and we'll do what we can to have this resolved for you soon.

    ref: OPI-2914

  • escolar
    Community Member

    Thank you Megan. Appreciate the quick response.

  • bonsaipappel
    Community Member

    Thanks for the quick reply.

  • robcha
    Community Member

    Thanks Megan. :)

  • Megan
    1Password Alumni

    Hi everyone,

    Just to follow up, our current 'workaround' is to access these sites in mobile Safari, where you'll have the ability to trust those certificates and move on. We'll keep you updated if this changes. :)

  • Nunuv Yurbiz
    Community Member

    @Megan That workaround doesn't work for httpauth logins because httpauth pops up a dialog box to fill in, and the share sheet (1P extension) can't be accessed at that point.

  • Hi Nunuv,

    Yep -- a fair point. Copying & pasting is probably your best bet for those.

    Ben

  • escolar
    Community Member

    Latest update for iOS9 doesn't solve this issue.

    Is a fix forthcoming?

  • AGAlumB
    1Password Alumni

    @escolar: As Megan mentioned, we won't be able to fix the webview bug that's at the root of the problem, but we'll see if we can find a workaround for this. Sorry for the inconvenience!

  • Nunuv Yurbiz
    Community Member
    edited September 2015

    One more reason why I prefer to use the 1browser instead of copy/paste:

    Update: XcodeGhost Attacker Can Phish Passwords and Open URLs through Infected Apps

    Read and write data in the user’s clipboard, which could be used to read the user’s password if that password is copied from a password management tool.

  • AGAlumB
    1Password Alumni

    @Nunuv Yurbiz: Indeed. I prefer 1Browser myself too, but more from a convenience standpoint in most cases. Hopefully Apple will be able to check for this malware going forward.

    But in the meantime keep in mind that 1Password isn't copying any of your data to the clipboard itself. Your password, for example, will only end up there if you explicitly copy it. Now, it's important to note that any app on any OS can access any information you copy to the clipboard if it is running. But with 1Password on iOS, we have a few saving graces:

    • Apps do not stay running indefinitely, so for the most part you would need to (1) copy some sensitive data to the clipboard and then (2) open a malicious app that wants to collect your data.
    • In 1Password, you can manage how long these stay in the clipboard. Just go to Settings > Security > Clear Clipboard, and you can set it to 30s, 60s, 90s, 2m, or 3m to ensure that you have a little buffer, but that your password doesn't hang around forever even when you do need to copy it.
    • And last but not least, even if you copy a password to the clipboard and then immediately switch to a malicious app that steals it, since 1Password won't copy the rest of your login details (username, and even a website that it belongs to) it will be difficult for anyone to do anything with the password alone.

    So while there are definitely risks, there are things that we can do to mitigate them. Cheers! :chuffed:

  • Nunuv Yurbiz
    Community Member
    edited January 2016

    Turning back to this, it continues to irritate me that the 1Browser doesn't give the option to approve a suspect certificate (Safari for iOS does).

    But there are a couple of workarounds using http auth: (1) use another browser that stores and fills in http auth requests (such as Atomic, unlike Safari), (2) put the username and password in the URL. (For example, https://username:password@ipaddress). I created a bookmark in Safari using the second option (it is an SSL connection but Safari warns that it could be phishing - since it's my server that's OK). That said, the username and password (with the IP address) are now stored outside 1Password. Since the connection is secure, that seems to incrementally increase the exposure should someone get access to one of my devices. But my devices are secure, so it's a risk I'm OK with, for now.

    So now I use Safari, which bypasses (fills in) the http auth request, and other than the phishing warning, it works great.

  • Ben
    edited January 2016

    Thanks for the update, @Nunuv Yurbiz. If you are comfortable with storing your credentials inside a bookmark, then by all means... but we would not necessarily recommend other customers follow suit. At least not without being fully apprised of the security risks.

    Currently neither Safari nor WKWebView (the Apple API we use to make 1Browser..., well, ... a browser) have any hooks to allow filling into HTTP auth requests, which is a separate but equally challenging issue.

    We'll continue to effort on this, but our primary focus is with the Safari extension as far as browsing on iOS goes. 1Browser is mostly a holdover from a time prior to extensions on iOS existing, and so I would not expect to see updates there in the immediate future.

    Thanks.

    Ben

  • AGAlumB
    1Password Alumni

    "That said, the username and password (with the IP address) are now stored outside 1Password. Since the connection is secure, that seems to incrementally increase the exposure should someone get access to one of my devices. But my devices are secure, so it's a risk I'm OK with, for now."

    @Nunuv Yurbiz: This is a really clever solution, but it terrifies me. I'd forgotten about the old URL username:password argument, but it's important to note that an HTTPS connection does not protect this information; the URL (and your login credentials, as part of it) is sent in the clear over whatever connection you're using.

    If you're at home, this is visible to anyone on your local network and "just" your ISP in transit. On any other network, who can see the URL will depend on who controls the network and who else is using it. URLs are always sent in the clear before, during, and apart from a secure connection, since there's no other way to determine which page should be served — with one exception: if you use a VPN tunnel, the sites you visit will only be viewable to the VPN provider. I hope this helps clarify things. Knowing is half the battle. Secure practices are the other half. :sunglasses:
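
The bookmark workaround discussed in the posts above leaves a username and password inside a saved URL, outside the password manager. As an added example (not part of the thread and not 1Password code), this Python function audits a list of saved URLs for embedded credentials and reports them in redacted form; the sample bookmarks, addresses and function name are constructed for illustration.

```python
from urllib.parse import urlsplit, urlunsplit

# Constructed sample bookmarks (documentation-range addresses, made-up secrets).
SAMPLE_BOOKMARKS = [
    "https://admin:s3cret@192.0.2.10:8443/status",   # user and password
    "https://camera@[2001:db8::1]/live",              # user only, IPv6 host
    "https://ops:p@ss@198.51.100.7/",                 # '@' inside the password
    "https://example.test/search?contact=ops@example.test",  # '@' in query only
    "mailto:ops@example.test",                        # no authority component
    "https://192.0.2.10/",                            # clean
]


def find_embedded_credentials(urls):
    """Return one finding per URL whose authority carries userinfo.

    Findings hold a redacted URL, never the original, so the report itself
    does not become another copy of the secret.
    """
    findings = []
    for raw in urls:
        try:
            parts = urlsplit(raw.strip())
        except ValueError:
            continue  # malformed authority (e.g. unbalanced IPv6 brackets)
        # Split on the LAST '@': everything before it is userinfo, even if
        # the password itself contains '@'.
        userinfo, at, hostport = parts.netloc.rpartition("@")
        if not at:
            continue  # no userinfo in the authority component
        redacted = urlunsplit(parts._replace(netloc="REDACTED@" + hostport))
        findings.append({
            "redacted_url": redacted,
            "host": hostport,
            "has_password": ":" in userinfo,
        })
    return findings


if __name__ == "__main__":
    for f in find_embedded_credentials(SAMPLE_BOOKMARKS):
        kind = "user+password" if f["has_password"] else "user only"
        print(f"{kind:14} {f['redacted_url']}")
```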

  • Nunuv Yurbiz
    Community Member

    Oh, I see. Yeah, that's not good. Arrrgh.

  • Ben

    I'm sorry that there isn't currently a more convenient solution here, Nunuv. As Apple continues to improve Safari and WKWebView we'll look for improvements in this area, and if there are changes we can make to make life easier we will certainly look into that.

    Ben

  • Nunuv Yurbiz
    Community Member

    @bwoodruff

    "our primary focus is with the Safari extension as far as browsing on iOS goes"

    Can you do a minor update to make it so tapping on a URL inside 1Password by default opens it up in Safari?

  • Ben

    @Nunuv Yurbiz

    If you press and hold on the URL you'll be given the option to open it in Safari. :)

    Hope that helps.

    Ben

  • Nunuv Yurbiz
    Community Member
    edited March 2016

    @bwoodruff
    Yeah, I know but it's the "and hold [and select the option to open it in Safari]" part I'm hoping to avoid. So it would be great if opening in Safari was the default (i.e., just tap the URL).

  • Ben

    Thanks for the feedback. :)

    Ben

This discussion has been closed.