SSL Decryption Deployment

Zaka7
Community Member

Hi Guys,

Hoping one of the 1PW security gods can help / advise.

I have a separate guest account on my family account that I use for work logins. This has always worked for my use case and I've been comfortable doing so.

However, today I have been advised that the company is deploying an SSL Decryption mechanism which will automatically analyse web traffic and identify risks. I fully understand this is a pretty standard thing in some workplaces and is an acceptable method to avoid malware and ransomware attacks, as more and more are hiding within encrypted data packets.

My question is that I use a couple of apps that are personal on my machine, the 1Password browser extension being one. I know that the app is E2EE, so I would assume that this practice cannot actually expose any 1Password data at all?

I know that some websites that are not E2EE will allow data to be 'reviewed', but my concern is only with 1PW, Notesnook and WhatsApp. However, as all are E2EE, I assume my worries are misplaced. I am just after some guidance / reassurance really...

Help appreciated.

Z


1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Browser: Not Provided

Comments

  • Hello @Zaka7! 👋

    Thanks for the question! It's indeed pretty common for corporate environments to install security appliances that can inspect TLS/SSL traffic; it's one of the ways that professional and sensitive environments protect their data from malicious attackers.

    The items that you store in 1Password cannot be intercepted and viewed in transit using TLS/SSL inspection. 1Password does not rely only on TLS but uses three layers of encryption that work independently:

    1. TLS Encryption.
    2. Secure Remote Password (SRP) authentication and session encryption.
    3. The core end-to-end 256-bit AES encryption which uses your account password and Secret Key to encrypt your data and then only decrypt that data locally once it arrives on your device.

    Your 1Password data can't be viewed using TLS inspection because of this cryptographic architecture. Let me know if you have any questions. 🙂

    -Dave

  • Zaka7
    Community Member

    Thanks @Dave_1P

    That’s great.

    Does that extend to when stuff is autofilled? I’d assume that once filled it’s still safe but once I submit on a site it may be transmitted? Obviously if the website has set itself up properly this should remain safe too?

    Are there any risks you’re aware of with this set up? Appreciating you can’t comment on the specifics of my company. But just in general.

    Thanks again!

  • @Zaka7

    Once you've filled your login credentials (or other data) into a website, then 1Password's role ends and it's up to the security of that particular website itself to securely handle and transmit the filled data. Most websites will just use TLS if they encrypt their traffic, which can be viewed using TLS inspection if your employer uses that on your device.

    Are there any risks you’re aware of with this set up? Appreciating you can’t comment on the specifics of my company. But just in general.

    In my opinion, TLS inspection has both pros and cons. For security, there is a great argument to be made that TLS inspection can help protect employees. For example, a link to malware can be caught before an employee even clicks on it. But if that link is encrypted, and not visible to an employer's security appliances, then the undetected malicious link could launch an attack on that employee, device, or network.

    As someone who is concerned with privacy, the announcement by an employer that they will begin to inspect all TLS traffic on work devices would likely lead me to silo my use of the device. For example, I'd use the work device strictly for work purposes but would do things like banking and checking my personal email on my own personal devices.

    Your employer can likely provide more specific guidance, including information on the scope of the data that is being inspected, how long that data is stored (if it is), and who potentially has access to that data (usually a very limited group of trusted staff security specialists).

    -Dave

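As an added illustration of the layering Dave describes above and of the website-submission case (this is not 1Password's code; the key derivation is a hypothetical one-hash stand-in for the real password-plus-Secret-Key scheme, and the sample secret is constructed), here is a Go sketch: an appliance that has terminated TLS can match a plaintext login POST against a secret, but an item sealed with a device-only AES-256-GCM key yields nothing to it.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/sha256"
)

// deriveVaultKey stands in for 1Password's two-secret derivation: the key
// depends on both the account password and the Secret Key and exists only on
// the device. Hypothetical simplification (one SHA-256), not the real scheme.
func deriveVaultKey(accountPassword, secretKey string) []byte {
	sum := sha256.Sum256([]byte(accountPassword + "|" + secretKey))
	return sum[:] // 32 bytes selects AES-256
}
func gcmFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// sealItem encrypts a vault item with AES-256-GCM before it leaves the device.
// nonce must be 12 fresh random bytes per item; it travels with the ciphertext,
// the key never does.
func sealItem(key, nonce, item []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	return gcm.Seal(nil, nonce, item, nil), nil
}

// openItem is the local decryption on the receiving device; a tampered or
// foreign-key ciphertext fails authentication and returns an error.
func openItem(key, nonce, sealed []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, nonce, sealed, nil)
}

// inspectionSees models the appliance: with TLS terminated it holds the whole
// HTTP body, so a plaintext login form leaks the secret and ciphertext does not.
func inspectionSees(body, secret []byte) bool {
	return bytes.Contains(body, secret)
}
```

The same secret autofilled into a plain TLS login form is visible to the appliance, while the sealed vault item is opaque and only opens with the device-side key.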
  • Zaka7
    Community Member

    Thanks @Dave_1P again.

    I have asked questions around the retention of data and who can see what directly to them.

    Your thoughts are similar to mine. I will continue to use anything that is E2EE only, and will trim down the login items in my work vault to sites I’m not bothered about access to, per se, and do everything else on my personal devices and silo them as you say.

    Thank you again!

  • Thanks for the questions and conversation! 🙂

    -Dave

  • fernandog
    Community Member

    @Zaka7, you should also be careful about hidden VNC servers on your work machine. I used to work for a company that did not advertise the use of it, and I saw co-workers watching other people's stuff. Gladly I'm not there anymore. I also saw some unplugging the network cable and tethering mobile internet to the desktop to avoid this VNC server. After that, I have zero trust in corporate networks when using personal stuff on a corporate device.

  • Zaka7
    Community Member

    @fernandog The business is very open with what they have and what they are implementing, so I do trust that this isn't the case. That said, I never really did anything on a work PC that would put me or my information at risk from any kind of recording software anyway.