Open sourcing 1Password [Was: Security Question]

cezann3cezann3
edited April 2014 in Mac

What if someone hacks into your server and distributes a compromized version of 1Password via auto-update that transfers all passwords and databases to the attacker? How can I protecty myself against an attack like that apart from Little Snitch?

Wouldn’t it make sense to make your project open source so that people can compile everything themselves and can have a look at the changes in the code before doing so?

Comments

  • MeganMegan 1Password Alumni

    Hi @cezann3‌,

    Thanks for the question! I'm glad to hear that you're thinking carefully about your security - that's what we like to see here :)

    I've passed your question along to our security guru, @jpgoldberg‌, as he is a lot more qualified to answer than I am. Thanks for your patience!

  • jpgoldbergjpgoldberg Agile Customer Care

    Team Member

    Hello @cezann3‌!

    There are some security virtues of an open source system that we can't fully achieve given the way our business works, but as you pointed out, you can monitor network traffic to ensure that 1Password isn't sending data off somewhere, and much (though not all) of what we say about how 1Password works is independently verifiable. Some of these are outlined in http://blog.agilebits.com/2013/09/06/1password-and-the-crypto-wars/

    We absolutely recognize the security benefits of a fully open source model, and we aspire to those benefits that we can achieve within our closed source business.

    In practice open-source software is often subject to the same attack

    I'm not trying to diss the security benefits of OSS, but may I ask how much of the open-source software that you run do you compile yourself after checking the digital signatures on the source? Unless people are checking the source themselves and then compiling, they are vulnerable to exactly the same attack you described as a threat to 1Password users.

    It should also be noted that with the exception of 1Password on Android, 1Password runs on closed source operating systems (although much of OS X is open). So even if you examine 1Password source and verify that there are no backdoors in it, you don't know whether the operating system isn't grabbing your Master Password. Again, I'm not saying that it is pointless to want open source software on closed source operating systems, but I'm trying to say that the security gains of doing so are not as great as they might otherwise appear.

    Would a code review be useful?

    On a slightly related matter, I'd like to ask you whether you would find a formal external review of 1Password useful even if there is no way to prove that the reviewed code corresponds to the binary that you run.

    We are often asked why haven't done formal code reviews, and our answer has been that given the time and expense of such a thing, it would only be worth it if we could prove that the reviewed code is the genuine source of what gets distributed. In the absence of such proof, we aren't sure that a formal review would be useful. (We have solicited outside experts look at our cryptographic routines to make sure that we aren't making any blunders, but because they didn't do full reviews, they don't wish to be cited as "reviewers").

    I hope this helps.

  • If you're not going to open source this, then, yes, an external code review would be very good. I would recommend @avdi who did the review for SpiderOak: http://devblog.avdi.org/2010/11/22/spideroak-review/

  • sjksjk oversoul

    Team Member

    Thanks for your feedback and suggestion, @hexmode.

  • +1 for a formal code review, and a security audit. It's a checkbox that a some larger formalized IT structures need to be able to check in order to be your customers.

  • jpgoldbergjpgoldberg Agile Customer Care

    Team Member

    Noted. Thanks.

    Any suggestions on how we could demonstrated that the reviewed code is the actual source for what is delivered would be very welcome. My feeling, so far, has been that until that piece is in place, a code review would be more for us (and certainly a valuable thing) than something that would provide the assurance that people are seeking when they ask for one.

  • Another approach you could take would be to allow access to the source code for any licensed user. The source doesn't need to be open properly, with an OSS license, but if you provide the source code to users who've already purchased a 1Password license, you'd not have to worry about losing any business.

  • jpgoldbergjpgoldberg Agile Customer Care

    Team Member

    That is also a useful suggestion, @rtlong‌.

    There is one place where we make use of some obfuscations, so we would need to work out a way to work around that in any kind of review.

    The big question remains as to whether a code review would be useful if we can't also find a way to prove that the distributed software is actually from the reviewed code?

This discussion has been closed.