Waterfox installation error (untrusted source)

Is there any reason why I cannot freely install the firefox extension in a firefox/mozilla - based browser?

It is similar to installing chrome browser extension in a chromium-based browser, isn't it?

And the toast message said something about "see logs for more info" ?

The security updates of waterfox are in line with ESR 60.9 or so.


1Password Version: 7.3.712
Extension Version: 4.7.5.90
OS Version: win8.1 x64
Sync Type: 1p.com

Comments

  • Yulka1355
    Yulka1355
    Community Member
    edited September 2019

    Hi @4EverMaAT,

    1Paqssword 7 will not have the option to disable the code signature for unsupported browsers. If you want to use these browsers you can use 1Password X instead if you already are using the 1Password membership (https://support.1password.com/getting-started-1password-x/) It will work in either Firefox or Chromium forks on any OS platforms.

  • AGAlumB
    AGAlumB
    1Password Alumni
    edited September 2019

    @4EverMaAT: Indeed, we vet specific browsers to develop and test for, and the 1Password desktop apps verify the identity of those browsers before connecting and sending any information to them; otherwise any malicious browser/app would be able to connect to 1Password. 1Password X, on the other hand, runs entirely in the browser, so there is no risk of inter-app communication exploitation in that case. While we don't support Waterfox or other unofficial browser derivatives, if it works there that's great. I'm just not sure that it will given how far behind Waterfox has gotten, with regard to extension support.

  • AGAlumB
    AGAlumB
    1Password Alumni

    Thanks for the update! The tough thing is that Firefox has been making improvements and adding features for WebExtensions with each release, and we're taking advantage of those, so compatibility may break with derivatives of old versions as everything evolves. So you'll have the best luck the more up to date you can stay. Thank you for sharing your experience here! :)

  • AGAlumB
    AGAlumB
    1Password Alumni

    @4EverMaAT: I'm not sure I follow. You're signing into the 1Password website there, so there would be nothing stored locally on your computer for that (even if you could sign in). but I'm not having any trouble signing into 1Password.com here using Waterfox (and it was really fast), so it's something specific to how you have things setup there.

  • AGAlumB
    AGAlumB
    1Password Alumni

    which version of waterfox? is it the portable one 56.2.12?

    @4EverMaAT: I just downloaded it from the website here:

    https://www.waterfox.net

    Seems to be 56.2.14.

    I can open a tab within waterfox 56.2.14 and load 1p.com via https://start.1password.com/signin?l=en
    But if I do it via the 1pX browser extension, moz-extension://0548a315-3837-4c0a-aa7c-6c9eeb4b67ba/app/app.html#/page/welcome

    it doesn't work. It hangs.

    1Password X (Firefox) version 1.16.1

    This is what threw me off. I don't even see 1Password X in your screenshot above.

    edit: 1PX does work in WaterFox 68.0b1. It installs normally and then it logs in also via the extension no problem.

    I'm glad to hear that it's working as expected in the newer version. I couldn't tell you what the difference would be, but perhaps their development team would know the specific issues that the update is meant to address.

  • AGAlumB
    AGAlumB
    1Password Alumni

    @4EverMaAT: I'm not sure what the difference is between "installed version" and "portable version", as there was no installer with either (as with most things on the Mac, it's just a disk image from which you drag the app to the Applications folder to "install" it). They're both the same size, and I can see no difference between them in use.

    Signing into https://my.1password.com works just fine in both cases.

    But the Firefox Add-ons listing for 1Password X indicates clearly that it's not compatible with this browser because it's based on an out of date version of Firefox:

    This add-on requires a newer version of Firefox (at least version 60.0). You are using Firefox 57.0.

    I don't even have the option to install it. So I can't really speak to it working to any degree, not being able to try it.

  • AGAlumB
    AGAlumB
    1Password Alumni

    you are using mac version. I m using windows. More confusion :p

    @4EverMaAT: Oh man... Yep, good call: it was late. I was using my PC when we started this conversation, and I switch between them so much that I tool it for granted. Sorry about that. :lol:

    Anyway, you should be able to right-click where it says "add to firefox" and open the link in a new tab.

    Aha. Thank you. Okay, so, to get us on the same page here, when I manually copy the link to force it to install the extension, then try to sign into it, yes, I'm seeing the same thing you reported above: it isn't able to complete. So 1Password X doesn't work there on Windows or macOS.

    I think the key here is that they're telling you upfront that it's not going to work because the browser is out of date and therefore incompatible. Firefox 60 was released on May 9, 2018. We're not able to remain backward-compatible indefinitely because then we can't take advantage of improvements and new features in the extension frameworks and browser itself to make 1Password better. And I'm sure we'll need to raise the minimum requirement periodically going forward as well, in order to be able to adopt other new technologies. We make an effort to at least support the current Firefox ESR release (which is part of the reason that version 60 is supported: it was the ESR version until this summer, when it became 68).

    So, long story short, Waterfox isn't a browser we officially support, and unless it is updated to be (and stay) reasonably close to current with its Firefox parent, similar to other derivative browsers, 1Password won't even work there unofficially. Sorry I don't have better news for you, and also for the circuitous route to get to this answer, given my relative unfamiliarity with Waterfox. I'd recommend using one of the browsers we support:

    • Safari (macOS only)
    • Edge (Windows only)
    • Firefox
    • Chrome
    • Vivaldi
    • Opera
    • Brave

    Those are the only ones that the 1Password desktop apps will communicate with. It is unlikely that this will be expanded any time soon, but other browsers which maintain close compatibility with recent releases of Chrome and Firefox can run 1Password X. I am having difficulty comprehending the relationship between Waterfox and Firefox versioning, but maybe you have a better understanding of that.

  • AGAlumB
    AGAlumB
    1Password Alumni
    edited September 2019

    You should be able to run 1P7 browser extension 4.7.5.90 in Waterfox 68.0b1 . It is showing enabled in the browser. But the icon is greyed out. So this is a suggestion to add that browser compatibility.

    @4EverMaAT: As I mentioned above, we don't have plans to vet, develop, test for, and support additional browsers at this time.

    Like I have another extension Internet Download Manager. It didn't recognize WaterFox automatically. But I can manually navigate to the browser.exe and IDM will attempt to auto-install it. Now let's say that doesn't work. I can then manually add the extension file and it works (both Waterfox 56.2.14 and 68.0b1). Everything works as expected. If the browser is already Firefox-based or Chrome-based, I don't see why the 1p7 desktop app cannot communicate with it. Even if it means the user must manually add permission. I don't think it is correct for the 1p7 program to refuse the connection without the user's ability to manually override that. In other words, it is good that you flag a browser you think is not compatible. But then you should give the user the option to whitelist the executable.

    No. Those are two very, very different things you're talking about there. Let's not conflate them. I'm sorry for explaining this poorly, but it's not easy to express. I'll do my best. I am sure you're aware that 1Password is a very different piece of software to a download manager, so let's forget about that inapt comparison to avoid confusing things further. These are the two very different considerations involved here:

    • Minimum requirements are for technical compatibility. As you found, 1Password X does not work correctly with a browser release based off of Firefox 56, because it depends on technologies which were introduced in Firefox 60. Things will simply be broken there because it's outdated compared to what 1Password X needs. That's straightforward. Find a browser that you trust which has the ability to run 1Password X properly, and you're all set. Easy. :)

    My earlier point was that 1Password X would work fine in Waterfox anyway if it met a relatively low bar for compatibility (Firefox 60, as I write this). It sounds like an upcoming release may help in that regard. If they don't break something in the process of Waterfox-ing Firefox 68, you should be good to go with that.

    • Whitelisting is for security. In order for us to offer any assurance of security with 1Password connecting to 3rd party software (which is what a web browser is), we need to research not only its functionality with regard to security, but have a high level of trust in the organization that's producing it and their operational security, and their ability to maintain those (and the browser itself) over time.

    If that sounds demanding, that's because it is. It's a lot of work, and also a high level of trust needed, because by adding a code signature to our whitelist, we're saying "Any software that is signed with this is suitable for 1Password to connect and send sensitive information to". If a bad actor is able to use that digital signature to sign another piece of software -- say, malware -- 1Password will happily connect to it because it will be recognized, and that's the only way we have of verifying the source. Technically, in the case of malware signed using a well-known, trusted developer's digital certificate (this has happened), it is signed by that developer, whether that developer turned evil, made a mistake, or trusted the wrong person with their signature who then misused it. This is like someone forging your signature to cash checks drawn on your account, except a digital signature cannot be forged, and the effects can be much more costly and long-lasting.

    People tell us, "I like browser Y. Just add its signature. It's easy!" Everything that must be done leading up to adding the signature and after that is not at all easy though, and it cannot be taken back retroactively if it turns out to have been a bad call. We've been burned in the past when some niche browsers we liked simply stopped releasing updates. That exposed their users to risk due to lack of security patches, and also ours due to 1Password continuing to work with a now-insecure browser. And that's more of a negligent outcome rather than being malicious. Imagine if a signature 1Password recognized was misappropriated and used to sign malware targeting 1Password users. That's bad for us and for all of our customers -- even those not using the browser we added that signature for. This is why we do this for only a select number of browsers: it's less about "this browser is okay" than "we have full confidence in this developer to ship only trustworthy software and to safeguard their signature so that it isn't used by someone else in an untrustworthy fashion". Hopefully that helps make clearer where we're coming from with this.

    1pX 1.16.2 browser extension does work in Waterfox 68.0b1 ..... So that's a start at least.

    Indeed, that's good news. Hopefully they keep up so that 1Password X can continue to function there for you for a long time. :) :+1:

  • jpgoldberg
    jpgoldberg
    1Password Alumni

    Just to supplement @brenty's explanation for why we limit browsers, it's not just "trusting that the browser isn't malicious", but it is trusting that the browser provides the right security guarantees with respect to extensions. Your 1Password app needs to know that it is providing data only to the 1Password extension (and over a reasonably secure local channel). So we need to know that the browser enforces certain things about how extensions are identified. With 1Password X this becomes more important if you use the universal unlock mechanism, as that involves the native app transmitting a very high value secret to the browser extension. We need to know that it is going to the right place.

    So unfortunately adding a browser to our signature list is more than taking a quick look at it and saying "looks good to us". It means continually following their development and having a relationship with their security teams. So we are not saying we have any reason to distrust the browsers that we don't support. We are saying that we don't have the resources to commit to tracking their development around the security properties that we need to rely on.

This discussion has been closed.