Security questions about switching to 1Password.com

ilyanep
Community Member

Hey team,

I'm currently using 1Password standalone with Dropbox Sync (been using it for like 3 years now and quite happy with it!). At the time I switched away from LastPass because I liked the idea of controlling where the vault file was myself and also because I didn't necessarily trust them after they had suddenly sold themselves (water under the bridge, we don't need to dwell here).

Anyway, I do have to say I'm tempted to switch to the subscription/1Password.com model for a few reasons:
1. I frequently use a Linux partition and having a web interface would be a fair bit nicer than using 1Password for Windows 4 through Wine.
2. I'm often on a shared computer where I can't bring my vault to me nor install the 1Password app and would love to have access to my passwords there.

Obviously, my immediate concerns about switching to cloud are:
1. 1Password.com is a much more high-value attack vector than trying to find an exploit to Dropbox (the former is guaranteed to contain passwords, while it's unknown what the latter has).
2. The obvious thing about how cloud storage gives a bigger attack surface.
3. I still have the "Javascript Cryptography Considered Harmful" post from like 7 years ago rolling around in my head.

From doing some Googling and research, it seems like the biggest mitigators here are that your vault is stored encrypted in the cloud (in both cases, but 1Password.com uses some extra key) and that your master password (and the extra key) are never transmitted from your local computer. The third thing is probably mitigated by the fact that 1Password.com is delivered by TLS and it looks like the domain uses HSTS.

So my remaining questions are:
1. Is there some sort of code review or something where I can verify that my password is never transmitted away from my local computer? Ideally, I'd be able to verify that what's running in my browser is what has been verified at all points in time.
2. I read somewhere that 1Password.com sync does something that separately encrypts each item in the vault. What's the deal with that?
3. Have there been any external security audits conducted of the cloud storage? Have those audits included analysis of the server-side security (e.g. that there are no vulnerabilities that could cause 1Password.com to present an attacker's version of the Javascript that transmits the master password, which I'm more worried about than a compromise which leaks the vault itself, given the design of the vault).

(The threat model I'm worried about is some sort of widespread hack that targets the cloud service to steal our passwords to financial sites. I figure some sort of APT will always find a way to use Rowhammer or Spectre or other unknown vulnerabilities :lol: )

Thanks for reading and answering!


1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Sync Type: Not Provided

Comments

  • jpgoldberg
    1Password Alumni

    Hi @ilyanep,

    Those are some very good questions. As you've noted, we have designed 1Password with the fact that data we hold would be a juicy target, and so we have made a number of design decisions so that you are not harmed if data is stolen or tampered with on our servers. You are also correct that the web app poses issues, in particular that it depends on the integrity of the connection for fetching the web client itself.

    Thomas Ptacek and I have had many discussions of this and other aspects of his largely on-target warnings about Javascript crypto delivered to the browser and executed there. Some of the points that he raised don't apply to us or don't apply any more (now that most browsers natively support most of WebCrypto). But the issue that it all depends on the integrity of the connection in fetching the web app remains. As you note, we have done what we can, using HSTS and insisting on the strongest versions of TLS.

    External audits

    Code reviews and audits are important and useful, but they do not protect users against deliberately malicious weaknesses and compromises. This is because there is no practical[1] way to prove that the source code that has been reviewed is the same as the source code that is used to create the binary that is running on your machine. This, by the way, is even true of open source software unless you are compiling it yourself.

    So the value of code reviews and security audits is to us. They help us see whether there are places where we have made errors or where things can be improved. And we do ask outsiders to take a look at things from time to time. But those are always about relatively small segments of the code. Things like, "can you look at how we've implemented Encrypt-then-MAC to make sure we didn't mess up?" Because those reviewers did not perform an extensive review of the whole product, they cannot offer a statement about the overall security.

    So the short answer is that we've had plenty of external eyes on the code, but we don't have anything we can publicly cite or even prove that occurred. Again, these have been for us. But again, the best a code review could do for you is to have someone say that version N.M of the source code doesn't appear to have anything nasty in it.

    Operational security of hosted data

    Have there been any external security audits conducted of the cloud storage?

    Yes. We have completed stage 1 of the SOC2 compliance exercise. Stage 1 roughly says "our procedures and practices are adequate and auditable." Stage 2 (not yet complete) is a check that we actually follow those procedures. Once that phase of the audit is complete and approved, we will let the world know.

    I should say, however, that while there are a lot of things that are required for "adequate" procedures, their overall security standards are generally lower than what we feel is needed for the kind of data that we hold. On the whole, the auditors don't distinguish between end-to-end encryption and designs in which the subject of the audit can decrypt customer data; so we didn't get "credit" for that.

    The way that SOC2 is most important for you is that we've had external auditors review our plans and systems to ensure that your data is available to you.

    So how can you trust 1Password?

    It's true that we cannot prove with absolute certainty that we aren’t shipping malicious 1Password clients. Just as Apple and Microsoft can’t prove with absolute certainty that they aren’t shipping backdoor-ed operating systems. But …

    But we can do things that in combination should give you a great deal of confidence that 1Password behaves as described. If, however, you really insist on absolute proof, then I presume you are using an operating system that you have compiled yourself. Otherwise, read on.

    1. We can (and do) publish 1Password’s behavior in gory detail. Much of that behavior can be verified by anyone (with sufficient skills).
    2. We deliberately do not obfuscate the code and we leave debugging symbols in place, making it relatively easy for people to monitor its behavior.
    3. As all cryptography is client side, you can monitor your own network traffic to see that 1Password is only transmitting the sorts of data we claim it does.
    4. You can consider our incentives. We've been in business for more than 10 years and employ about 80 people. If anyone were to detect bad behavior, we would be out of business in an instant.
    5. We've got lots of people with lots of different backgrounds and from different countries (some of us are veterans of the Crypto Wars) with eyes on the code and the build process. It would be hard to sneak malicious activity into the code without there being a substantial risk of being caught internally.

    So while it is not impossible for us to be evil (or be coerced into evil behavior), there would be a very substantial risk that such behavior would be detected. And the consequences of it being detected would be catastrophic for us, and pretty bad for whoever coerced us into being evil.

    Although some of the details have changed (and some in important ways), we wrote about this more than four years ago (September 2013) in 1Password and The Crypto Wars II. The same general idea holds. We’ve done what we can to make it difficult for us to get away with nefarious activities, and have tried to make as much as possible about 1Password’s behavior independently verifiable.

    I hope that this helps.


    [1] In some rare and highly critical situations, this kind of stuff is (or at least should be) done. For example, the software that is run on electronic voting machines should be managed and distributed in a way where the relationship between the source code and the binary image is also audited. Typically this requires deterministic builds. But, as yet, deterministic builds are not practical for the way that most software is managed and distributed.

  • ilyanep
    Community Member

    That is very helpful. Thanks for your detailed response!

  • AGAlumB
    1Password Alumni

    Glad Goldberg was able to help. We're here if you have any other questions. Cheers! :)

  • Dana Leighton
    Community Member

    Hello Agile Folks:

    Can you provide an update on your SOC progress? My employer requires SOC 2, and until you have it, they are requiring me to use LastPass. :(

  • Hi @Dana Leighton

    I'll have someone from our team who is familiar with the process get in touch with you. :)

    Thanks.

    Ben

  • BRig009
    Community Member

    Me too. Same question about SOC 2. Trying to buy for a company... need to have certs.

  • Hi @BRig009,

    Please reach out to our business team at business@1password.com for information on any certifications that you require. They’ll be in the best position to assist with these types of inquiries. :)

    Thanks!

    Ben
