What risks may exist, living with TLS decrypting proxy?

@shingo: It's a good question, with an interesting answer. In short, a person-in-the-middle capable of decrypting all of your TLS communications breaks the fundamental security of the internet. generally speaking, that puts you in the uncomfortable position of not being able to trust that you're communicating with who you think you are, and that everything you do over the internet which relies on TLS for end-to-end privacy and security is in question.

Fortunately, 1Password doesn't rely on TLS alone for its security. We're really strict about that, because if TLS is broken, you're gonna have problems. But your 1Password data being exposed in transit isn't one of them:

Three layers of encryption keeps you safe when SSL/TLS fails

1Password data is always encrypted and decrypted locally, so at the lowest "layer", your data is protected even if someone steals your device. On top of that, we use Secure Remote Password protocol to avoid you ever needing to transmit your credentials, and in order for us to avoid having them, which would be a huge liability for us and our customers:

Developers: How we use SRP, and you can too

On top of all of that should also be TLS, which the modern internet is built on. But the unfortunate reality is that many institutions nowadays, both public and private, don't respect individual privacy, so we don't rely on that alone.

So, to answer your specific questions directly,

Is the my master password conveyed in clear text over TLS tunnel?

No, not by 1Password, never. However, I will say that you should be careful where you enter it. Someone with the ability to insert themselves in all of your communications -- whether that be an employer or an attacker -- could play all kinds of games, and either maliciously or through negligence capture what you enter into websites and do pretty much anything with it. So take care to only enter your Master Password into an app (including and especially the one that runs in your browser) after verifying that it is from 1Password, not something someone else has foisted on you.

Are my meta information entries (e.g. site names, login IDs, secure notes, etc..) conveyed in clear text over TLS tunnel?

No, not by 1Password as part of your data in it, as all of that is encrypted. But any time you request any URL over the network, it would be visible to those inserting themselves into your internet communications.

Are my passwords conveyed in clear text over TLS tunnel?

No, not by 1Password. But in the vast majority of cases, when you enter a password to sign into a website, it is protected only by TLS. So when TLS is compromised, the password is effectively "in the clear" for the person-in-the-middle. Again, not an issue for things inside 1Password, but you should be aware that once it is used outside of 1Password, 1Password can't protect it. While you may personally trust your company and/or others involved, customers also trusted major antivirus vendors computer manufacturers who ended up logging and exposing customer information in a similar fashion. Even accidentally, the consequences are the same.

Kind of depressing, but knowledge is power. I hope this helps. Please let me know if you have any other questions.

@shingo: You're very welcome! And thanks for bearing with my long-winded answer. Indeed, since others will likely view this discussion I want to be sure I don't gloss things over and cause confusion, as it's a complex issue. It's simpler, in a sense, in the context of 1Password; but I wouldn't want to give anyone the impression that 1Password can protect against other, external factors inherent in that kind of a scenario, which nevertheless have an impact on our overall security. Cheers!