Little Snitch and 1Password connections to cloudfront

Hello.

I use Little Snitch on my computers and there is an issue with how 1Password makes connections to (I assume) load custom icons. It appears that 1Password (or at least 1Password mini) makes a connection to some_random_string.cloudfront.net:443 to load these icons. Because the string is random I can't allow it to specific hostnames, but allowing connections to the entire cloudfront domain wouldn't be good either because Random Bad Guy could setup a server with them as well. Given how sensitive the information in 1Password is I think it would be a major security improvement if it only had to connect to specific, known hostnames so that if somehow the computer is hacked I can know that 1password can't be used to exfiltrate my passwords.

Comments

  • khadkhad Social Choreographer

    Team Member
    edited September 2014

    From 1Password and Your Privacy:

    There is a peculiarity of how some firewall software, Little Snitch in particular, may report these connections. Little Snitch’s Connection Inspector will display “all names currently known to resolve to one of the IP addresses of the server.” [§3.2 of Little Snitch 3 – Documentation (iBooks, PDF)].

    Given how the Cloud Front content distribution network operates, the particular cloudfront.net subdomains do not correspond to a unique IP address. Nor is an individual IP address limited to a single cloudfront subdomain. For example, one of the IP addresses associated with d13itkw33a7sus.cloudfront.net is 54.230.49.141. That same IP address may also be associated with some other cloudfront subdomain entirely unconnected to AgileBits. That IP address may also be associated with something like example.com.

    The upshot of this interaction between Cloud Front domain names, IP address, and Little Snitch’s reporting habits is that Little Snitch erroneously reports 1Password attempting to connect to example.com in that example.

    For now, you could disable Rich Icons (View > Show Rich Icons), but I've asked our Chief Defender Against the Dark Arts to weigh in here as well.

  • jpgoldbergjpgoldberg Agile Customer Care

    Team Member

    Hi @cgiard!

    Although the strings are "random" for the CloudFront domain names we use, they are fixed. They don't change. As @khad‌ pointed out, they are all listed in 1Password and Your Privacy. So the good news is that you can explicitly whitelist.

    The bad news, as Khad also pointed out, is that given the way the actual IP addresses for these shift about as part of Amazon's load balancing, you will probably still see peculiar warnings from Little Snitch given the way that Little Snitch reports domain names.

This discussion has been closed.