Dropbox full access [may be re-evaluated in the future]

edited November 2015 in Lounge

Hi

I've read https://support.1password.com/full-dropbox-access/, which unfortunately might be paraphrased as "It's too fiddly for us - but you can trust us anyway".

I can see no reason why the following shouldn't be possible:

1) If you're concerned about legacy file locations, and want full access to be default - fine (well, acceptable at least). But why not have a new option for people that care about this to have the 1Password files in a particular place within Dropbox, and for only that folder to be available?
2) On the iOS client to have server side Dropbox sync even if you have the Dropbox app installed.

You can make the argument one must still trust the 1Password desktop app - after all not only can it access your whole Dropbox, it could access your entire computer. However, at least one can monitor file accesses of the process itself.

If I give you server side access to my whole Dropbox folder, what happens if someone steals your Dropbox client API key? They can access every single one of your customers' entire Dropbox accounts that have enabled Dropbox sync!

Thanks

Marcos



Comments

  • brenty

    Team Member

    > But why not have a new option for people that care about this to have the 1Password files in a particular place within Dropbox, and for only that folder to be available?

    @marcosscriven: It's certainly something we can consider going forward. However, making sweeping changes like that in the middle of a release cycle can cause a lot of problems. And ultimately keeping both options would increase confusion as well, so it isn't something we'd do lightly.

    > You can make the argument one must still trust the 1Password desktop app - after all not only can it access your whole Dropbox, it could access your entire computer. However, at least one can monitor file accesses of the process itself.

    All apps you install can do this. Not just 1Password. That's simply the paradigm we all have to live with on the desktop. 1Password is simply writing to the filesystem, whether you sync with Dropbox or not.

    > If I give you server side access to my whole Dropbox folder, what happens if someone steals your Dropbox client API key? They can access every single one of your customers' entire Dropbox accounts that have enabled Dropbox sync!

    I guess my point is that, in your proposed scenario, us changing the access 1Password is asking for only affects the mobile apps, because again, on the desktop, 1Password is just writing to the filesystem like any other app. It has 'full access' there anyway.

    We'll continue evaluating this as we develop new versions of 1Password though, so I'd appreciate any other thoughts you have! :)

This discussion has been closed.