OpenSSL Heartbleed Bug

lemonstre
Community Member

Is the new OpenSSL "Heartbleed Bug" a security threat for 1Password users?

http://heartbleed.com/

Regards
Andreas


Comments

  • khad
    1Password Alumni

    Good question, @lemonstre.

    1Password does not depend on SSL/TLS thus is not directly affected. However, there is more to the story as @jpgoldberg outlines in our blog post from earlier today:

    Imagine no SSL encryption, it’s scary if you try

    1Password’s encryption remains safe, but there are implications for a vast number of sites you likely visit. Please read the full article and let us know if you have any specific follow up questions. We are always here to help!

  • benfdc
    Community Member

    Hmmm. Big 1Password sale ended on 4/4; news on Heartbleed broke 4/7. I suppose you will claim that this was merely a coincidence.

  • khad
    1Password Alumni

    If it was anything more we probably would have timed it better than that. ;)

  • benfdc
    Community Member

    I'm wondering what kinds of promotions we will see in the coming days from Agile and other vendors. If I am understanding the situation correctly, computer users are about to be hit with an unprecedented barrage of password change requests.

  • khad
    1Password Alumni
    edited April 2014

    If I am understanding the situation correctly, computer users are about to be hit with an unprecedented barrage of password change requests.

    We are hoping that is the case. Ideally, once an affected site has (1) updated to the patched version of OpenSSL and (2) updated their certificate they will force a password reset just like they would in response to a run-of-the-mill* password breach.

    I'm wondering what kinds of promotions we will see in the coming days from Agile and other vendors.

    We don’t normally pre-announce future sales, but we do announce them on Twitter, Facebook, and our blog.


    * It's sad that I can use that phrase to accurately describe password breaches in recent times.

  • drew212
    Community Member

    The blog post about this vulnerability says that 1Password Master Passwords should be safe, with the exception of 1PasswordAnywhere if a malicious HTML file could have been inserted. One other possibility occurs to me:

    What if you've logged into 1Password through screen sharing, such as Back to My Mac, or encrypted VNC, or screen sharing over SSH tunneling? I'm not sure if the encryption schemes used by these services are compromised, but if they were then your password could have been sniffed from the keyboard traffic to the machine whose screen was being shared. Wouldn't this be correct? I've certainly typed my master password when using Back to My Mac from one machine to another, so I will be changing my master password.

  • jpgoldberg
    1Password Alumni
    edited April 2014

    Ah, that is a good point. One feature of 1Password is that you are only ever using it "locally" so that your Master Password never travels over the network in any form.

    But if you are using some sort of remote form of "desktop" access then your Master Password is traveling over the network. I do not believe that Back to My Mac would be affected, as it almost certainly doesn't use the OpenSSL libraries. The same is true with SSH tunnels: It's not built on OpenSSL.

  • benfdc
    Community Member
    edited April 2014

    I see in my email this morning a message from MacWorld touting a 60% discount on RoboForm. The timing might have nothing to do with Heartbleed, but somehow I think I will be seeing more of this sort of thing over the next few days.

    BTW, the ad’s headline: “One Password That Works Everywhere.”

    Hmmmmmm.

  • radioactive
    Community Member

    LastPass just offered a validation tool that checks the website's certificate and the last time you changed your password. If your password is older than the certificate update, it tells you to change.

    http://blog.lastpass.com/2014/04/lastpass-now-checks-if-your-sites-are.html

    Will you be offering something similar in a client update?

  • Pengman
    Community Member

    Does the Heartbleed bug impact my 1P passwords?

  • Superfandominatrix
    Community Member

    I agree with user radioactive, having a LastPass-style security audit of potential risk log ons would be really useful.

  • pbryanw
    Community Member

    Yes, have just seen the Lastpass tool and it looks very useful. Something similar for 1Password customers would be great, or a web-page on your site which does the same thing (and which could be used for reference) would also be good.

  • khad
    1Password Alumni
    edited April 2014

    Will you be offering something similar [a validation tool that checks the website's certificate] in a client update?


    I agree … having a … security audit of potential risk log ons would be really useful.


    …a web-page on your site which does the same thing (and which could be used for reference) would also be good.

    Thank you for letting us know you are interested in this. We’re certainly looking into it. :)

    Does the Heartbleed bug impact my 1P passwords?

    From my initial reply above:

    1Password does not depend on SSL/TLS thus is not directly affected. However, there is more to the story as @jpgoldberg outlines in our blog post from earlier today:

    Imagine no SSL encryption, it’s scary if you try

    1Password’s encryption remains safe, but there are implications for a vast number of sites you likely visit. Please read the full article and let us know if you have any specific follow up questions. We are always here to help!

  • snagitseven
    Community Member

    I have 1Password 3 on my two Macs and on several iDevices. They are all auto synced via Dropbox. I read that 1PasswordAnywhere via Dropbox could be an issue. Other than the websites that themselves may be insecure, do I have to worry about my 1Password sync via Dropbox, or are the two 1Password systems different and the auto sync is not an issue?

  • snagitseven
    Community Member

    Also, now that Dropbox is supposedly fixed, should I change my Dropbox password and do I have to reset anything on my devices' 1Password apps?

  • khad
    1Password Alumni

    Dropbox syncing is fine. The issue described in the blog post and above only applies to 1PasswordAnywhere.

    Also, now that Dropbox is supposedly fixed, should I change my Dropbox password and do I have to reset anything on my devices' 1Password apps?

    AFAIK, Dropbox has not yet updated their certificate, so now is not the time to change your password there.

  • admdly
    Community Member

    Dropbox are being a major disappointment on this issue. Kind of disappointed it's the only cross platform sync method for 1Password right now.

    --Adam

  • snagitseven
    Community Member

    Thanks, khad. When Dropbox is fixed, after I change its pw, do I have to do anything with 1Password on any of my devices for the new pw or will it work as before w/no changes needed?

  • Anasha Cummings
    Community Member

    In light of this (and because I have been thinking about this feature request for a while):
    Would it be possible, for commonly used websites, to create a script that automatically changes my passwords periodically when logged into 1Password? I don't know these passwords anyway, (besides Command-), so it would be great if they could be periodically rotating 30-character strings managed entirely by 1Password.

    It would also be awesome if there could be an open structure for a password change page like example.com/1Pchange that other web developers could implement, which would just have forms for current username, current password, and new password, and would allow one to change a password without going through the whole login, go to change password page, reset password process.

    Obviously, there are a few passwords (dropbox and recovery email) which I do need to know so I wouldn't want this to be default, but it would be an awesome option to protect us even better from known or unknown password dumps.

  • lscline
    Community Member

    Yes, a Heartbleed checker tool for my 1Password vaults would be very welcome. As it is, I'm considering exporting my data from 1Password and importing to LastPass, solely to use the checker they have developed...

  • grgz
    Community Member

    And a lot of sites are getting their certs replaced using the original start dates, so you can't necessarily tell how old the cert is from just the dates. From the comments on that LastPass page:

    We're combining methods of checking, and are looking to fix the issue of false positives for the old dates being reissued.
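    The certificate-date heuristic discussed above, together with the reissued-with-original-dates caveat grgz quotes, as an added example in Python that is not part of this thread or of any vendor's tool. It assumes the password manager also recorded the fingerprint of the site's certificate at the time the password was last changed (an assumed extra field), and takes the site's patch status from an outside checker such as the ones mentioned in the thread.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

HEARTBLEED_DISCLOSED = date(2014, 4, 7)  # public disclosure date referred to in the thread

@dataclass
class LoginRecord:
    """A stored login (constructed sample data, not a real vault format)."""
    domain: str
    password_changed: date
    cert_fingerprint_at_change: Optional[str]  # assumed extra field a manager would record

@dataclass
class CertObservation:
    """What the server presents when checked now (constructed sample data)."""
    not_before: date
    fingerprint: str

def heartbleed_action(rec: LoginRecord, cert: CertObservation, site_patched: bool) -> str:
    """Decide what to do for one login, in the order the thread recommends:
    wait for the patch, wait for a reissued certificate, then change the password."""
    if not site_patched:
        # Changing now would send the new password through a still-leaky server.
        return "wait_for_patch"
    rotated_by_date = cert.not_before > rec.password_changed
    rotated_by_fingerprint = (rec.cert_fingerprint_at_change is not None
                              and cert.fingerprint != rec.cert_fingerprint_at_change)
    if rotated_by_date or rotated_by_fingerprint:
        # Certificate replaced since the password was set (even if the CA kept the
        # original dates): the old key may have leaked while this password was live.
        return "change_now"
    if cert.not_before >= HEARTBLEED_DISCLOSED:
        # Password was set while a post-disclosure certificate was already in use.
        return "ok"
    # Same certificate as at password time, dated before disclosure: the site either
    # never reissued, or reissued with the original dates and we have no fingerprint.
    return "undetermined"

def audit(records, observations, patched):
    """Run the decision over a whole list of logins; keyed by domain."""
    return {r.domain: heartbleed_action(r, observations[r.domain], patched[r.domain])
            for r in records}

if __name__ == "__main__":
    recs = [LoginRecord("shop.example", date(2014, 1, 15), "aa:11"),
            LoginRecord("mail.example", date(2014, 4, 12), "cc:33")]
    seen = {"shop.example": CertObservation(date(2013, 6, 1), "dd:44"),  # reissued, old dates
            "mail.example": CertObservation(date(2014, 4, 10), "cc:33")}
    print(audit(recs, seen, {"shop.example": True, "mail.example": True}))
```

    A date-only check like the one LastPass described would mark shop.example as fine, because its reissued certificate kept the original start date; the fingerprint comparison is what catches it.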

  • MACMAD
    Community Member

    What a mess! The biggest problem that I am running into is setting up a workflow to get all of my passwords changed, all 235 of them. Some sites are on the ball and others seem to be dragging their heels. I am working down my lists by first checking to see if the patch has been applied (http://filippo.io/Heartbleed/). Then I move to changing the password. What I have done to press on is to include a tag that I have either completed the process, or tag it for later, so I can go back to the site later if they do not pass the Heartbleed test. Love those tags!

  • stoneteller
    Community Member

    Khad -- What is the difference between "dropbox syncing" which you say is safe, and 1PasswordAnywhere? Also, please tell me specifically how to stop syncing 1Password to Dropbox. There is no stop sync command that I can see in 1Password preferences, and I don't want to just delete the agilebits keychain from Dropbox without understanding the consequences.

  • Thanks for all the feedback and comments, guys!

    When Dropbox is fixed, after I change its pw, do I have to do anything with 1Password on any of my devices for the new pw or will it work as before w/no changes needed?

    1Password should still sync like normal after a Dropbox password change. Our authorization token will remain valid.

    What is the difference between "dropbox syncing" which you say is safe, and 1PasswordAnywhere?

    Dropbox syncing is still safe. 1PasswordAnywhere is an HTML file that can be accessed in your web browser to view your passwords from any computer. Only the use of 1PasswordAnywhere in a web browser was temporarily not recommended. But, it now appears that Dropbox has applied the patch for the OpenSSL bug and got a reissued SSL certificate, which means that after a password change it is safe to use 1PasswordAnywhere again anyway.

  • nopenotme
    Community Member

    So if I've used 1PasswordAnywhere on DropBox, should I change my master password for 1Password?

  • Hi @nopenotme,

    We do not believe that any attacks on 1PasswordAnywhere took place, but because we can't rule it out, you may wish to change your Master Password. Definitely change your Dropbox password though.

  • Quantumpanda
    Community Member

    I find it hard to believe that AgileBits would overlook this, but I'm not finding anything to answer this question: what's the Heartbleed status of the host server for these forums? Running "agilebits.com" and "discussions.agilebits.com" through both the LastPass checker and the filippo.io checker return different results between the primary domain and the subdomain. (I found this out because I was copying domains out of my 1Password vault, and the only AgileBits login I have is for these forums.)

    "Agilebits.com" returns as fixed on filippo.io, and with a cert date of 2014-04-10 on LastPass.com. "Discussions.agilebits.com", however returns very different information—LastPass.com reports an nginx server that may or may not be using a vulnerable version of OpenSSL, with a cert date of 2014-03-10, and filippo.io returns this error: "x509: certificate is valid for *.vanillaforums.com, vanillaforums.com, not discussions.agilebits.com". (Presumably vanillaforums.com is the actual host for your forums.)

    So, can anyone at AgileBits tell me if discussions.agilebits.com is vulnerable, was vulnerable but is now fixed, is waiting for a new cert, or what? Does the forum even use SSL for its login?

  • Jasper
    edited April 2014

    Hi @Quantumpanda,

    Our website (agilebits.com) has been fixed with the patched version of OpenSSL, and is using a newly issued SSL certificate.

    The forum (discussions.agilebits.com) does not use SSL (as you can see by looking at the URL, it's http), thus is not affected. With that said, we should be using SSL on the forum as well, and we're looking into it.

  • swiss68
    Community Member

    What about the 1Password Chrome Extension? Is that the same as 1PasswordAnywhere, and you would therefore change the Dropbox password either way, or is the Chrome Extension - like the 1Password app - not affected by the Heartbleed Bug?
    Thanx AgileBits for the open and transparent communication regarding this issue! Much better than other providers!

This discussion has been closed.