Browser plugin security?

Apologies but is there a release history anywhere of the browser plugins for 1password?

Trying to come up with some kind of "position" on whether we'd want people using the browser plugin with Teams as in our experience most password manager issues seem to have been around browser plugins/extensions.


1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Sync Type: Not Provided

Comments

  • brenty

    Team Member

    @musicwallaby: Ohhh you're good. I can't say I recall this coming up before here, but you raise an excellent point. First, the release notes:

    https://app-updates.agilebits.com/product_history/OPX4

    As a more general answer, 1Password hasn't faced the sorts of issues you're describing since the extension does not store data; it only receives it on demand from the native app communicating with it.

    However, one potentially confusing thing is that because our browser integration is app-centric, most of the "brains" reside there, and so changes affecting browser integration often show up in the apps' release notes:

    https://app-updates.agilebits.com/

    By way of example, there was a vulnerability in our implementation about this time last year which we addressed in an update. Long story short, it was never found being exploited "in the wild", but it could have been possible for one user on the same machine to connect to the 1Password app of another through WebSockets. This was addressed by having the user authenticate the browser connection, but now that has been obviated by automatic authentication built into Native Messaging.

    But getting to the real question, using the browser extension is more secure than the alternatives: unlike 1Password's filling mechanism, manually typing and/or copy/paste do not bypass the keyboard and clipboard, so having 1Password fill makes many attacks more difficult or infeasible. And ultimately someone is more likely to use weak passwords and/or reuse them if they have to deal with them mechanically.

    I hope this helps. Be sure to let me know if you have any other questions! :)

  • jxpx777 Code Wrangler 1Password Alumni

    I've been meaning to write up something more permanent and official than blog comments and forum posts about this topic because it's a question that comes up from time to time. (Thanks for the reminder!) For now, I'll content myself with making just a couple points.

    In addition to the limited amount of information that the extension has access to and avoiding the system clipboard like @Brenty mentioned, the extension also plays an important role in phishing protection for username and password filling by making sure that the page you're filling on matches the URL that you've told 1Password the particular username and password are for. If it doesn't, the extension does not allow the filling to continue.

    Beyond those technical benefits, it's hard to overstate just how important convenience is to facilitating secure behavior. It's so much easier to use the extension to fill strong, unique passwords than even to re-use passwords that security becomes a default state rather than something the user has to go out of their way to seek.

    I hope that helps. Let us know if you have other questions or concerns about the extension. :)

    --
    Jamie Phelps
    Code Wrangler @ AgileBits
    Fort Worth, Texas

  • @brenty and @jxpx777 thank you very much.

    I'd like to emphasise I'm not asking so many questions just to be a pain. I've just purchased a personal subscription because I can see you guys take things seriously and do things well.

    I'm mostly doing homework around how comfortable I would be standing in front of a very cynical (rightfully so in many cases) team of people pushing that we move from an on-premise password manager to 1Password for Teams.

    Just trying to do my homework around possible questions :)

  • Hi @musicwallaby,

    Completely understandable. It sounds like maybe we should reach out to you via email so we can help answer any questions for such a proposal; is that something you might find helpful?

  • @littlebobbytables (things I never thought I'd type) thanks but for the moment that's the lot - just got to get on with sorting a trial now and then try to get everyone on board :)

  • Lars Junior Member

    Team Member
    edited February 2018

    @musicwallaby -- Perhaps I missed it if you were already pointed in this direction in an earlier conversation, but if you've not yet had a chance to review it, our security white paper is the most comprehensive dive into the security measures we take in 1Password Teams (and 1Password accounts in general). We're of course more than happy to answer any continued questions (presuming we CAN answer them, of course), but that's perhaps the best place to start from. Thanks for starting up your trial subscription, and keep us in the loop, especially if you have questions! :)

  • Password managers running as password extensions have been criticized for their inherent vulnerabilities -- specifically, they inject code in the browser which could be accessed by rogue scripts.

    I understand that 1Password's extension is "thin," and unlike LastPass no data is saved in the extension. On the one hand, I understand this improves security. On the other hand, since the 1Password extension has access to the 1Password app that does store the password, a script that compromises the extension would also gain this access.

    Could you explain the vulnerabilities the 1Password extension still shares with other browser extensions, and which vulnerabilities it does not share? If you could point me to the relevant sections in the white paper, that would also be great (I searched "extension" and didn't come up with anything).

    Thanks so much for any help!

  • The key vulnerability from any extension is the same regardless of whether you use 1Password or not: almost all extensions require the ability to read and write to the page. If it can read, then it can view what you type into fields.

    The extension doesn't have access to the app; it's merely allowed to describe the open page and then perform the steps supplied in a script by 1Password, where those steps are pre-agreed fill commands, not anything as dangerous as instructing the extension to perform arbitrary instructions in JavaScript. A request for the URL of the open page only happens in the sandboxed global space of the extension, and the entire UI (User Interface) and user interaction is contained inside the application and invisible to the extension. The injected portion of the extension really only exists to respond to a request to describe the page and then to process the supplied script.

    If you're looking for answers to more specific questions it would probably help if you can point to the specific criticisms that you would like addressed.
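    The two defensive properties described in this thread, the URL match that jxpx777 mentions before filling and the fixed vocabulary of fill commands described in the reply above, as an added illustration that is not 1Password's code; `ALLOWED_OPS`, `runFillScript` and the `Map` standing in for the DOM are assumptions made for this example:

```javascript
// Added illustration of the two checks described in this thread; it is not
// 1Password's code. ALLOWED_OPS, runFillScript and the Map standing in for
// the DOM are assumptions made for this example.
// The only operations a fill script may contain. Anything else is refused
// before a field is touched, so no arbitrary JavaScript is ever executed.
const ALLOWED_OPS = new Set(["fill", "click"]);
// Scheme plus host (including any port) of a URL.
function originOf(url) {
  const u = new URL(url);
  return `${u.protocol}//${u.host}`;
}

// Phishing check: the page being filled must match the URL the item was saved
// for. Exact origin comparison here; subdomain policy is not modelled.
function pageMatchesItem(pageUrl, itemUrl) {
  return originOf(pageUrl) === originOf(itemUrl);
}

// Validate the whole script up front so a bad step cannot cause a partial fill.
// dom is a Map of selector -> { value, clicked } standing in for real elements.
function validateScript(script, dom) {
  for (const step of script) {
    if (!ALLOWED_OPS.has(step.op)) return `unknown-op:${step.op}`;
    if (!dom.has(step.selector)) return `no-element:${step.selector}`;
  }
  return null;
}

function runFillScript(script, pageUrl, itemUrl, dom) {
  if (!pageMatchesItem(pageUrl, itemUrl)) {
    return { filled: false, reason: "url-mismatch" };
  }
  const err = validateScript(script, dom);
  if (err) return { filled: false, reason: err };
  for (const step of script) {
    const el = dom.get(step.selector);
    if (step.op === "fill") el.value = step.value;
    else el.clicked = true;
  }
  return { filled: true, reason: null };
}

// Constructed sample page and fill script so the block runs stand-alone.
function demo(pageUrl = "https://login.example.com/signin") {
  const dom = new Map([["#user", { value: "", clicked: false }],
    ["#pass", { value: "", clicked: false }], ["#submit", { value: "", clicked: false }]]);
  const script = [{ op: "fill", selector: "#user", value: "alice" },
    { op: "fill", selector: "#pass", value: "correct-horse" }, { op: "click", selector: "#submit" }];
  return { dom, result: runFillScript(script, pageUrl, "https://login.example.com/", dom) };
}
```

Calling `demo()` with a look-alike host such as `https://login.example.com.evil.test/signin` returns `url-mismatch` and leaves every field empty, which is the behaviour the thread describes.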
