Concerned about Tavis Ormandy statement

UdhayanithiG
Community Member
edited June 2021 in Lounge

Hi

I have recently gone through an article by Tavis Ormandy https://lock.cmpxchg8b.com/passmgrs.html.
I'm a bit scared now after seeing so many vulnerabilities in password managers. I'm confused now, or I have been trapped by password manager companies' marketing stuff. Is there any way to fix these issues, or are they already fixed?

Waiting for the reply.

Comments

  • Hi @UdhayanithiG

    I'm sorry for any scare. Our Chief Defender Against the Dark Arts, Jeff Goldberg, has written a response to those concerned after reading Tavis's post, here:
    https://reddit.com/r/1Password/comments/ntbf2m/tavis_ormandy_on_password_managers/h0sqhku/

    If you have any follow-up questions after reading we'd be happy to help. Please let us know.

    Ben

  • UdhayanithiG
    Community Member

    @Ben I'm happy to see that. But can the mentioned vulnerabilities compromise my credentials? I'm a bit worried because it comes from a notable person.

  • @UdhayanithiG

    I'd be happy to ask our security team to provide additional clarification on the situation. Could you please elaborate on what specifically you're concerned about which is not addressed in the above linked post?

    Thanks!

    Ben

  • UdhayanithiG
    Community Member

    Okay. The article itself is too technical for me and I can easily get it wrong. But I know a little bit about sandboxing. So Tavis in the article said it will affect sandbox performance. Is it true for 1Password?

  • jpgoldberg
    1Password Alumni

    @UdhayanithiG

    But can the mentioned vulnerabilities compromise my credentials? I'm a bit worried because it comes from a notable person.

    What he is doing is providing a list of things that password managers need to watch out for, and noting that failure to do so can lead to very serious vulnerabilities. We are, and have been, aware of all of those concerns for a very long time and have designed 1Password with those in mind.

    He (implicitly) makes a very valuable point. Attackers are not going to go after the strongest point of a system (which should be the encryption if it is done right). Attackers will attack elsewhere, including the kinds of things that he lists. And so a good password manager will have to design the product to defend against such attacks. We do.

    He is not claiming that we are vulnerable, only that we (and others) have a number of fronts that we need to defend against. But I can understand why someone might think otherwise from the way he presented things.

  • UdhayanithiG
    Community Member

    @jpgoldberg thanks for the clarification.

  • berto
    Community Member

    Greetings,

    I learned about this blog post [1] regarding password managers, and wanted to get the 1Password team's thoughts around the arguments made in the post.

    Primarily, I'm curious to learn how 1Password mitigates against IPC attacks and whether 1P's design breaks the browser's sandboxing model.

    Thank you,
    -Roberto.

    [1] https://lock.cmpxchg8b.com/passmgrs.html

  • MerryBit
    Community Member

    Official statement from 1Password can be found in this thread:

    https://1password.community/discussion/121383/concerned-about-tavis-ormandy-statement

  • 1pwuser31547
    Community Member

    Can someone explain how one can defend against a redress attack, client side? It seems this is largely a server side problem.

    Does this attack work equally well against manually entered credentials or ones that are auto-filled by a browser password manager?
    If so, then I don't understand why this attack was discussed in reference to password manager extensions.

  • jpgoldberg
    1Password Alumni

    Can someone explain how one can defend against a redress attack, client side? It seems this is largely a server side problem.

    We check the origin that the browser tells us both at the time the user asks the extension to fill and at the time the extension actually fills. I can't recall when we first started doing this, but it was a very long time ago.

    As I suggested in that reddit comment (please read it if you haven't already), it is good for Tavis to point out things beyond the cryptography that password managers need to consider in making it secure, but we have been well aware of all of these.

    Does this attack work equally well against manually entered credentials or ones that are auto-filled by a browser password manager?

    Well spotted, @1pwuser31547!

    As described in Tavis' article and what he points to, it works equally well, but there can be a variant of it that is designed to fool password managers: switching the origin between the time of searching and filling.

    If so, then I don't understand why this attack was discussed in reference to password manager extensions.

    I presume that he is talking about the variant I mentioned.
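An added illustration of the check described in the reply above, written as example code rather than 1Password's own implementation: the extension records the tab origin the browser reports when the user asks to fill, then re-reads it when the fill actually runs and refuses if the origin changed in between. The vault entries, URLs and function names are constructed for the example.

```javascript
// Constructed sample vault: each item is bound to one exact origin.
const VAULT = [
  { title: "Example Bank", origin: "https://bank.example", username: "alice", password: "s3cret" },
  { title: "Shop", origin: "https://shop.example", username: "alice", password: "p4ss" },
];

// Reduce a URL to the origin a browser would report: scheme + host + port,
// with the default port dropped and path/query ignored.
function canonicalOrigin(urlString) {
  return new URL(urlString).origin;
}

// Step 1 (search time): the user asks to fill. Capture the origin the browser
// reports for the tab and select only items registered for that exact origin.
// Subdomains and look-alike hosts do not match, since origins are compared whole.
function requestFill(tabUrl, vault = VAULT) {
  const origin = canonicalOrigin(tabUrl);
  const candidates = vault.filter((item) => item.origin === origin);
  return { origin, candidates };
}

// Step 2 (fill time): re-read the tab origin from the browser and refuse if it
// no longer matches the origin captured when the user asked to fill. This is
// what defeats an origin switch between search and fill.
function executeFill(request, tabUrlNow) {
  const originNow = canonicalOrigin(tabUrlNow);
  if (originNow !== request.origin) {
    return { filled: false, reason: `origin changed: ${request.origin} -> ${originNow}` };
  }
  if (request.candidates.length === 0) {
    return { filled: false, reason: "no item for this origin" };
  }
  const item = request.candidates[0];
  return { filled: true, username: item.username, password: item.password };
}
```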

  • 1pwuser31547
    Community Member

    Thank you for the follow up. Very much appreciated.

  • ag_ana
    1Password Alumni

    On behalf of jpgoldberg, you are welcome @1pwuser31547 :+1: :)

This discussion has been closed.