1Password mini.app Needs FW to Allow Incoming Connections?

SVdave
Community Member
edited July 2015 in Mac

I was reviewing the security settings on my Mac Pro and discovered 1Password mini.app was set to allow incoming connections through the built-in Mac firewall.

Could this be necessary...or wise?

I deleted it from the exceptions list and then set the Mac firewall to block all incoming connections. So far, I don't see any problems from not allowing inbound connections to it.

My standard config process is to set this firewall to block all incoming connection attempts. I'm 95% positive I did that originally, don't know if I somehow overlooked doing it this time. But I also don't remember any 1Password config that asked or requires this external access.

Maybe I've been breached?
Any way this could be valid?


1Password Version: 5.3 (530029)
Extension Version: Not Provided
OS Version: 10.10.4
Sync Type: None

Comments

  • hawkmoth
    Community Member

    The only reason I can think of for the incoming connection would be so you can use rich icons, which are delivered from a remote server. Those are optional, so you should be fine as long as you aren't needing those.

    But I'm not a developer, so you probably want an answer from someone with a bit more expertise about what's under the hood.

  • JWeaver
    Community Member

    If you're syncing your 1Password data with other devices you would have 1Password mini allowing incoming connections.

  • Stephen_C
    Community Member

    You may find this knowledge base article helpful:

    Why is 1Password trying to connect to some random website?

    Stephen

  • Megan
    1Password Alumni

    Hi @SVdave,

    It looks like you've already got some great responses here. In particular, the link that Stephen shared should answer most of your questions. If you have any further questions, please let us know - we're happy to help! :)

  • SVdave
    Community Member
    edited July 2015

    Thanks everyone, but I don't think I have an acceptable explanation yet...

    hawkmoth,
    The use of rich icons shouldn't require uninvited random access by unidentified internet strangers into my private home computer and password application. I'm thinking the issue is something else, but it was worth pondering.

    JWeaver,
    I had the same thought as you and should have noted in my issue write-up that I confirmed none of my devices are syncing or attempting to sync. So good hypothesis, but doesn't seem to be the case here.

    Stephen_c,
    Although the article you linked me to is for OUTBOUND connections, I read it anyway to see if it had anything regarding my issue which is INBOUND (uninvited) connections being allowed to my 1password app. I didn't see anything about inbound.

    Megan,
    Per the above, I don't think I have an answer yet.
    Am I under-caffeinated and just not seeing an obvious answer?

    The core function of a firewall is to prevent uninvited INBOUND connections to my computer. The firewall allows my outbound traffic and allows inbound responses to my outbound traffic. But if something or someone attempts to connect to me NOT in response to my outbound traffic...they're blocked from connecting to me.

    Exceptions are sometimes needed for legit external entities to connect to a computer, and require a firewall rule exception to allow it.

    So my question remains, why does 1password mini.app need to allow uninvited internet access to my most confidential information?

    I don't believe it's for updates, because that's an OUTBOUND function...check for updates, performed periodically.

  • Megan
    1Password Alumni

    Hi @SVdave,

    It is important that you are able to trust the app that you are choosing to keep your most confidential information in, so I'll do what I can to reassure you here that nothing uninvited or untoward is happening here. :)

    1Password doesn't have any control over the configuration of the OS X firewall. The firewall permissions that you see for 1Password would have been set by the operating system when you installed the app. When you install the app, OS X will look at the tasks that 1Password needs to perform (such as collecting the optional rich icons, checking for updates, and performing a Wi-Fi sync with your iOS or Android devices) and grant permissions based on those tasks. I believe that this is done automatically for all appropriately signed apps.

    If you don't plan on using Wi-Fi sync, you can leave your settings as is (blocking all incoming connections) and 1Password will continue to function just fine. If you do decide to sync 1Password using Wi-Fi, you will need to allow those inbound connections.

    I hope this answers your questions, but we're here if there's anything else you'd like to know!

  • SVdave
    Community Member

    Megan,
    Are you saying that 1Password isn't responsible for an inbound port being opened on my Mac's internal firewall, allowing connection to it via the internet?

    I have 1Password on my MacBook also...and there isn't an open port on that firewall.

    Why would it open a port I didn't authorize on my Mac, but not on my MacBook?

    Although user error or oversight is always the top possibility, I'm extraordinarily careful (normally). Please let your engineers know about my issue. I believe one of the two following possibilities to be what happened...

    1. 1Password opened the port in my firewall without asking me if that's okay.
    2. 1Password asked me if it was okay, but didn't make it clear what it was going to do (or I guarantee I would have said NO).

    Just FYI, I love this software and have great respect for it and the quality of your organization. This issue gives me pause, but doesn't change that long standing opinion that you are part of a first class organization with a quality product.

  • Megan
    1Password Alumni

    Hi @SVdave,

    Have you ever enabled Wi-Fi sync on your Mac? If so, this would have required that port to be open.

  • MikeT
    edited July 2015

    Hi @SVdave,

    It is not possible for any software to accept incoming connections without your intervention if you have the firewall set to block all incoming ports by default; only the authorized user can authorize the traffic coming in. However, you said you turned this on after you found out. There's an exception to this if you don't have this option enabled: did you have "Automatically allow signed software to receive incoming connections" enabled in your Firewall settings? If yes, that might've been why it was added without the prompt for your permission first, 1Password is a signed software and OS X will allow it automatically without any prompts. The prompts are not handled by 1Password, it is handled by OS X. If you had this turned off, OS X would have to prompt for your permission to authorize the connections inbound to 1Password and any other software, regardless of their code signatures.

    If it was possible for any app to open ports and receive incoming connections then the firewall would be rendered moot because that is just an illusion of security with no actual benefits. That is not to say we're taking advantage of this, we only open ports for specific reasons.

    As Megan mentioned, 1Password mini will accept incoming connections from 1Password on your iOS or Android devices soon for syncing your 1Password data via the local network only. However, this requires you to enable the Wi-Fi sync first and once both devices are connected, it will require you to pair both with a secret code to make sure only the authorized 1Password app is connected.

    You said you don't sync any of your stuff. Keep in mind that the Firewall is a static filter, it does not remove rules when apps are not using open ports. Which means, if you accidentally enabled Wi-Fi sync once or something like that, OS X will add it as an approved rule and it will stay there forever.

    In addition, I would recommend checking out Little Snitch as a firewall to look at what traffic is coming in and out, so you can get a better idea of what's happening as OS X is very limited in this situation. You might have a better feeling when seeing that 1Password is only accepting a local network connection rather than the Internet.
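
MikeT's reply above notes that OS X can add allow rules for signed apps without a prompt and that those rules persist, which makes a periodic comparison of the firewall's allow list against a reviewed baseline worthwhile. The script below is an added example, not part of the original thread and not 1Password's or Apple's code: it parses `socketfilterfw --listapps` output and prints allowed apps that are missing from a baseline file. The app paths, the sample output layout and the baseline file format are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread: list Application Firewall "allow" rules
# that are missing from a reviewed baseline of approved app paths.
FW=/usr/libexec/ApplicationFirewall/socketfilterfw

# Read `socketfilterfw --listapps` text on stdin; print each path whose rule
# is "Allow incoming connections". Assumed layout: "N : /path", then the rule.
allowed_apps() {
    awk '
        /^[0-9]+ *:/ { sub(/^[0-9]+ *: */, ""); sub(/[ \t]+$/, ""); path = $0; next }
        /Allow incoming connections/ && path != "" { print path }
        /(Allow|Block) incoming connections/ { path = "" }
    '
}

# Print allowed paths (stdin: --listapps text) not listed in baseline file $1.
# Blank lines and #-comments in the baseline are ignored; the match is exact.
unexpected_allows() {
    allowed_apps | awk -v base="$1" '
        BEGIN { while ((getline line < base) > 0)
                    if (line != "" && line !~ /^#/) ok[line] = 1 }
        !($0 in ok)
    '
}

# Constructed sample output (hypothetical apps, not captured from a real Mac).
sample_listapps() {
    cat <<'EOF'
ALF: total number of apps = 3

1 :  /Applications/Example Vault mini.app
     ( Allow incoming connections )

2 :  /Applications/Example Sync.app
     ( Allow incoming connections )

3 :  /Applications/Example Game.app
     ( Block incoming connections )
EOF
}

# On a Mac, with a baseline file as $1: show the global settings, then the diff.
if [ -x "$FW" ] && [ -n "${1:-}" ]; then
    "$FW" --getblockall
    "$FW" --getallowsigned
    "$FW" --listapps | unexpected_allows "$1"
fi
```

Any path it prints is an allow rule nobody has reviewed; it can be removed from the Firewall Options list, as SVdave did at the start of the thread.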

  • SVdave
    Community Member

    Megan,
    That's surprising to me, because all of the sync controls and ability to sync are within the main app, not the mini app in my browser.

    So the main app performs wifi sync via my browser and 1password mini.app?

    You're correct that I fiddled with wifi sync to my iPhone a couple months ago. That's probably when/how a hole got punched in my firewall.

  • SVdave
    Community Member

    MikeT said: "did you have Automatically allow signed software to receive incoming connections enabled in your Firewall settings? If yes, that might've been why it was added without the prompt for your permission first, 1Password is a signed software and OS X will allow it automatically without any prompts."

    BINGO!!!
    Thanks Mike, you nailed it!
    Yes, it turns out that's exactly what happened.
    Everything makes sense now, I'm happy again.

    Prior to you mentioning this, I wasn't fully conscious of that setting's ramifications.

  • Megan
    1Password Alumni

    Hi @SVdave,

    It looks like you and Mike posted at roughly the same time. Please have a read through his reply (if you haven't already). I hope that it addresses your concerns, and follow-up if you have any remaining questions!

This discussion has been closed.