Why does 1password still install to the user’s local application directory?

ArjenvT
Community Member

I'm interested in 1password, mostly because of the automation options via the connect server.

So I started reading and reading, including security audit reports. In the last security audit handled by Cure53, there is a 'high' described as follows:

1PW-18-003 WP2: Windows malware can trivially backdoor .html and .js (High)

This security audit took place at the end of 2021. At that time, 1Password commented the following:

[...] 1Password wants to get those trade-offs just right before they roll out a fix.

Another solution mentioned in the security audit report is the use of an .msi, which actually installs in a much more secure location.

Almost 7 months later, I can see this issue is still not fixed in the normal installer. Neither is an .msi available for 1Password 8. In this community I can find questions asking for this .msi since November 2021.

I'm very curious why this "high" issue is still not fixed and why the workaround of the .msi still isn't available. Mostly, because backdooring of 1Password 8 on Windows is so trivial, it's even described in detail in the public report.

What am I missing here?


1Password Version: 8
Extension Version: Not Provided
OS Version: Not Provided
Browser: Not Provided
Referrer: forum-search:cure53

Comments

  • ArjenvT
    Community Member

    For anyone interested, the security audit report can be found here:
    https://bucket.agilebits.com/security/Cure53-1PW18-report.pdf

  • PeterG_1P
    edited July 2022

    Hi @ArjenvT, thanks for these questions. 👋

    Since some of these pertain to the security design of 1Password, I'm going to loop in our security specialists. You'll either be hearing from them directly here, or I'll pass along the information they've provided once I've had a conversation with them (whichever comes first).

    In the meantime, I can say that an MSI installer is indeed coming. I can't share much in the way of details until the release happens, but as you've noted we've been working on this for some time and we understand it's important to provide this. This is a priority for us and we've been putting the time into it accordingly. It's on the way.

    Thanks for your patience, and I'll hope to have more for you soon.

    ref: dev/core/core#5597

  • ArjenvT
    Community Member

    Hey @PeterG_1P - over 3 months have passed and I didn't get any update.
    Any news on this topic?

  • Hello @ArjenvT,

    Thanks for your message and I'm sorry for the delay in response here. I've reached out to the security team for an update to your original inquiry.

    Software installed to a protected directory requires user interaction to install updates, so we install to a non-protected directory to ensure we can keep our software updated automatically without user interaction. There is obviously a security trade-off in that decision, which is called out in the referenced pentest report. As a result of that report, we have created new installers (MSI) that can be used by enterprise clients to install software in protected directories while also allowing them to manage security updates in their own time. We are working on a similar solution for our non-enterprise customers, which we hope to have available in 2023, but we do not have an exact deadline at this moment.

    In the meantime, should this apply and you'd like to try out an MSI, send an email message addressed to support+windows@1password.com and we'd be happy to help look into this further with you.

    Have a great day!
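
The trade-off described in this reply can be checked on an endpoint. As an added example (not part of the original post and not 1Password's code), this PowerShell script lists ACL entries that let non-administrative principals modify an install directory or the .html/.js files under it; the `$InstallDir` parameter and the function name `Get-UntrustedWriteAce` are assumptions made for the example.

```powershell
# Added example, not 1Password code. Reports allow-ACEs that grant write-type
# access on a directory, and on its .html/.js files, to principals other than
# SYSTEM, Administrators and TrustedInstaller.
param(
    # Placeholder: pass the directory the application is actually installed in.
    [Parameter(Mandatory)] [string] $InstallDir
)

# Rights that let a principal change, replace or re-permission a file.
$writeRights = [System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'

# Well-known SIDs treated as trusted: SYSTEM, Administrators, TrustedInstaller.
$trusted = @(
    'S-1-5-18',
    'S-1-5-32-544',
    'S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464'
)

function Get-UntrustedWriteAce {
    param([string] $Path)
    $acl     = Get-Acl -LiteralPath $Path
    $sidType = [System.Security.Principal.SecurityIdentifier]
    # Explicit and inherited rules, with identities returned as SIDs.
    foreach ($ace in $acl.GetAccessRules($true, $true, $sidType)) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($trusted -contains $ace.IdentityReference.Value) { continue }
        if (([int]$ace.FileSystemRights -band [int]$writeRights) -eq 0) { continue }
        [pscustomobject]@{
            Path      = $Path
            Sid       = $ace.IdentityReference.Value
            Rights    = $ace.FileSystemRights
            Inherited = $ace.IsInherited
        }
    }
}

# Check the directory itself plus the file types named in the audit finding.
$targets  = @($InstallDir)
$targets += Get-ChildItem -LiteralPath $InstallDir -Recurse -File |
    Where-Object { $_.Extension -in '.html', '.js' } |
    Select-Object -ExpandProperty FullName

$targets | ForEach-Object { Get-UntrustedWriteAce -Path $_ } | Format-Table -AutoSize
```

An empty result means only the three trusted principals can modify the checked paths; a directory inside a user profile will normally list the user's own SID, which is the condition the audit finding describes.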

  • ArjenvT
    Community Member

    Thanks for the update.

    In all honesty, it does sound a bit strange, but there are so many applications using trusted/protected installation locations that still offer acceptable update notifications like: "hey, there is an update, you should download this".

    One of these applications is Notepad++.

    Another thing is an important downside of using the .msi, which is you apparently do not get notified of updates in the first place, which I think makes this option pretty unusable for the average home user in the first place. It would really help to at least get a simple check if the running version is actually the latest version available.

    All together, I just can't understand why and how you guys came to this decision-making. It's either fragile and risky (local attack) with auto-updates, or it's protected without updates and notifications to update. Another thing is how you're handling and delaying a high risk finding of a security audit "somewhere" in your backlog. I'm expecting something different from a company offering "secure" products.

    Enough said. Have a great day yourself :)

  • Hello again @ArjenvT - you're most welcome!

    Do let us know if you have any other questions and please keep an eye open for updates on this front, in the future. 😀

  • Mousit
    Community Member

    @ag_mike_d

    "...we install to a non-protected directory to ensure we can keep our software updated automatically without user interaction..."

    This makes me spasm. This can be disabled, yes? I'm still on 1P7 (which asks to update) for a variety of reasons but my god this would keep me off 1P8 forever. I absolutely do not want software to "update automatically without interaction". EVER. I want to evaluate, and then update on my decision and schedule.

  • Hello @Mousit,

    Thanks for your message. I'm sorry for any confusion caused by my earlier message. This was referring to 1Password .MSI installs to a protected directory where automatic updates are not possible. In those cases, this leaves it to those IT teams to manage updates as needed.

    The usual 1Password 8 installs, at a user's discretion, allow automatic updates to be disabled: Settings (Ctrl + Comma) > Advanced > Install automatic updates

    For more information about what's involved with our automatic update process, I'll leave that support guide below:

    Please let us know if you have any other questions. We'd be happy to help.

  • Mousit
    Community Member

    @ag_mike_d

    Sorry that was also a harsher message than I really intended. :) I'm just very against automatic updates, especially unattended ones. I like to be aware of software changes, and what those changes actually are before they're applied--I really appreciate 1P7 Mac version in particular for its pop-up about an update being available, with that pop-up window also displaying the detailed changelog. 1P7 Windows simply says an update is ready and doesn't offer any actual details other than version number.

    Also I usually like to wait a little on installation (unless it's a major security update), just to see how reports shake out because bad updates dooooo sometimes occur, however rarely.

    Anyway, good to know 1P8 keeps the option to turn off automatic updates. Thanks!

  • Tertius3
    Community Member

    @Mousit Automatic updates can be disabled in v8, but they are no big deal and no real risk. I use the nightly update channel and literally every day a new update is available. 1Password will update on app restart and asks for restart once it detects an update.

    In the one year of nightly channel usage and daily update, there was never a version that crashed or had broken functionality that prevented me from using 1Password and accessing my passwords. What 1Password delivers as nightly and unstable is actually more stable than releases of many other software.

    I usually install updates of all kinds of apps the day they are released. If there is a change I don't like, I have the choice of eternally postponing and keeping an obsolete app experience, or to adapt as fast as possible and stay current. I choose to adapt and stay current. That was a conscious decision. From my experience from the last 10 years with this behavior of mine, updates that appear to be bad at first sight usually turn out as improvement in the long run, if you adapt your workflow and actually use changed functionality instead of working around it.
    So either I use the current version of any software, or I don't use the software (any more).

  • Hello again @Mousit - Thanks for your reply and no worries at all!

    When using 1Password 8 with automatic updates disabled, Settings (Ctrl + Comma) > About contains a link to our release notes page so you can review new versions before you decide to click Check for updates to proceed with any new updates that may be current.

    Have a great day!

  • Charlzey
    Community Member

    Any additional info or progress on this issue?

  • Hi @Charlzey,

    Thanks for your message and interest here about the ability to install 1Password to a user-selected destination for our non-enterprise users.

    I have no additional news to share aside from what was shared in my earlier message. I'd like to suggest watching 👀 for updates like this in our release notes!

  • Charlzey
    Community Member

    Hi @ag_mike_d, any news on when there will be an official MSI?

    > "As a result of that report, we have created new installers (MSI) that can be used by enterprise clients to install software in protected directories while also allowing them to manage security updates in their own time. We are working on a similar solution for our non-enterprise customers, which we hope to have available in 2023, but we do not have an exact deadline at this moment."

  • Hello @Charlzey,

    Thanks for your question. Details related to the MSI can be found here, Deploy 1Password for Mac and Windows.

    The message you've quoted there is related to non-enterprise customers. We have no further details to share yet about similar solutions as of yet.

    Thanks for your patience.

This discussion has been closed.