Only sharing options are AirDrop or Print (email, message options restored: iOS v6.4.2, Mac v6.3.1)

2456710

Comments

  • PMii
    PMii
    Community Member

    @brenty
    You obviously missed a part of my message.
    Even if it was in plain text in the end, at least it was not in clear text, easily read by anyone.
    So, No, it isn't the same thing. No even close...

  • AGAlumB
    AGAlumB
    1Password Alumni

    Thanks for clarifying that. I'm sorry for misconstruing your point!

  • jayd
    jayd
    Community Member

    I have to agree with @mhbx and @PMii here. Although I understand AgileBits' need to not support an insecure feature, removing the quick sharing is causing users to start copy/paste sharing in clear text (not just plain text, as noted by PMii). If the argument is that AgileBits has to remove an insecure feature, then that logic dictates the "Print" option should have been removed too. Alas, it was not.

    Obfuscated plain text sharing (the old option) is far superior to copy/paste clear text sharing, which is what users are now doing since the removal of the old sharing options. The old sharing may not have been ideal, but by removing it, that has caused a new behavior in users. This new behavior is WAY more insecure than the old sharing.

    Please bring back the old sharing mechanisms. Add disclaimers or a preference checkbox if necessary, but please bring them back. Please bring it back before this new behavior of copy/paste clear text sharing becomes a habit with users.

    Additionally, to offer something new to the discussion, allow me to suggest a more secure implementation of the old sharing options. When a user chooses to share (say, via Message or whatever), prompt them to enter a secret key. Then, encrypt the shared item with that key when it is sent. On the receiving end, 1Password can detect the encrypted shared item and prompt the receiver to enter the secret key before it is added to the receiver's vault.

    With the above implementation, the item would be transmitted encrypted. Yes, the sharer may choose a weak key, but hey, at least it is encrypted. Yes, the sharer may also transmit the key itself, but at least that cuts the odds of hitting SMS in half. Regardless of any of these faults (which is on the sharer, not AgileBits), it would be FAR more secure than the new behavior of messaging in clear text.

    Please bring back the old sharing methods. Please bring them back soon to stop this new "share in clear text" behavior. Feel free to take them away again once you have improved the sharing to both be more secure AND not cause less secure user behaviors.

    I appreciate your efforts to have a robust and secure product, but please do not "nanny" your customers. We are grown ups. It is my responsibility to decide what is best for me, not yours. Security is never, no matter how hard you work, an absolute. There are always ways to circumvent security. You can never 100% protect someone from themselves.

    Thank you.

  • dougl
    dougl
    Community Member
    edited April 2016

    Count me as another customer who wants share by messages returned, though I agree that warnings need to be placed around it. And, before anyone accuses me of not knowing what I'm talking about, I'm a security architect, CISSP-ISSAP with the worlds largest security company.

    I'm speaking on secure thinking to a large audience on Friday. A key part of my message is that security is a tradeoff - versus privacy, liberty, usability, and cost. It's about risk, not threat. For what it's worth, I recommend your product as part of my stump speech.

    I use that feature all the time with my extended family. I fully understand the risks, but balance those against usability. I manage accounts for a dozen family members scattered across the world, and we are absolutely NOT going to use the family or team features in that situation. Sharing select ID's over a trusted, validated channel on a temporary basis (we delete the message chain on both ends after sharing) is a risk I'm willing to take. Storing my vault or passwords in the cloud on an ongoing basis is not.

    The single-click to add to 1Password is the feature that I'm interested in - it greatly simplifies my workflow with my elderly parents. It's one of the key ways that helps me have them use 1Password - without it, they'll go back to sticky notes and self-generated passwords. I rely on the bundle of URL, userID and password to make setting up accounts for them seamless. Trying to get them to manually create entries is, well, challenging.

    If this really was driven by security concerns (and I agree, they are non-zero), rather than marketing your other products, then let me give you some options.

    1) If you don't want the direct messages option, at least let us generate that one-click to add text in a local window, then we can copy/paste it into a message ourselves.

    2) Disable the feature by default, and when the preference is checked to enable it, put appropriate warnings in place.

    3) Encrypt the information with a password entered during link generation. That password can be shared out of band, and then prompt the recipient as it's imported back into 1P on their end.

    There are other solutions that don't involve pushing users towards more expensive services that have their own security tradeoffs.

  • Thanks for the feedback, @jayd and @dougl.

    Rick

  • jefflin
    jefflin
    Community Member

    Thanks for removing this feature. It was clearly insecure, and always weakened my argument about why people should use a password manager like 1Password. Teams or Family account is a great alternative too.

  • jpgoldberg
    jpgoldberg
    1Password Alumni

    This is a feature that I used all the time and I miss, but I have to emphatically disagree with @jayd's statement that

    Obfuscated plain text sharing (the old option) is far superior to copy/paste clear text sharing,

    That would only be true if the obfuscation created some barrier for the attacker. It does not. The attacker could even "discover" the issue accidentally. The risk that the feature poses is that it obscures things for the user but not for the attacker.

    When people send things in clear they make the decision to do so with some understanding of the risks. Their decision may or may not be wise, but at least the fact that the data is usable by anyone who intercepts it is clear. With the obfuscation we had, people make a decision to send things under an incorrect assumption about the nature of the security. That becomes dangerous.

    As I said, I hate to see this feature go. I used it frequently (although I was fully aware of the nature of the obfuscation). But it had to go. We just couldn't have people continue to behave as if something is encrypted which actually isn't.

    Cheers,
    -j

    –-
    Jeffrey Goldberg
    Chief Defender Against the Dark Arts @ AgileBits
    http://agilebits.com

  • TechDaddy
    TechDaddy
    Community Member

    It seems that the Share via Messages is no longer available - correct? If so, what is the best way to share a SINGLE 1Password item with someone when you are NOT near them?

    Thanks


    1Password Version: 6.4
    Extension Version: Not Provided
    OS Version: iOS 9.3.1
    Sync Type: Dropbox

  • AGKyle
    AGKyle
    1Password Alumni

    Hi @TechDaddy

    You're correct, this was removed because it wasn't as secure as we would have liked. Those URLs were obfuscated, encrypted with a shared key, so anyone with the application could have added that item if they had gotten their hands on it. We made the tough decision to remove it, despite there not being a replacement available.

    iMessage is certainly still secure enough to share data on so you could simply copy/paste the requisite data into an iMessage, but I wouldn't trust something like SMS necessarily. I link to this but be mindful that just because some of the services don't have full checks doesn't mean they aren't necessarily good, just be aware that depending on your needs you may want to use something with checkboxes in certain columns :) I use iMessage and Signal personally, depending on who I am talking to.

    It's certainly not convenient to do each field manually but we couldn't just whitelist things to say "only show sharing for these particular apps" so it was sort of an all or nothing approach. If we could've kept it around for some things like iMessage but removed it for things like Email we would've probably have given that some more thought.

    Sorry again for putting you in a situation where we removed something you used.

  • jayd
    jayd
    Community Member

    Thank you for chiming in, @jpgoldberg. You make an excellent point that I must concede. The old method of obfuscation "looked" like encryption to the casual user, and thus led them to believe it was. I will readily agree that wrongly-assumed encryption is quite dangerous.

    That being said, I still strongly believe there is a great need for this feature (or something functionally similar) to be brought back.

    A 1Password entry is far more than just a URL, username, and password. The fantastic robustness of 1Password enables a given entry to contain multiple URLs, notes, TOTPs, addresses, dates, attachments, [I could go on and on], and a myriad more. This is one of the things that makes 1Password so awesome and such a vital tool for many of us.

    All of that awesomeness also means that sharing an entry with copy/paste is a tremendous chore. Having the ability to easily bundle up an entire 1Password entry and share it with someone is a critical feature.

    Both @dougl and myself have suggested encrypting the share with a password/secret key and then decrypting it when it is added to the recipient's vault. This seems like a good approach, but I do fully understand that some things appear easier to implement than they are in reality. If that is not practical, then @dougl offers another excellent option (his point "1" above) of generating the bundled-up 1Password entry in a local (pop-up?) window which users can then copy/paste as they see fit.

    Please reconsider! The main point is there needs to be some way to share a complete 1Password entry, with all of its entries/attributes/awesomeness. There are options to encrypt (great), or put the burden of the actual share on the user (that works), or provide warnings (cool)... There are options better than completely ripping out this much-needed feature. Please reconsider!

    From a security standpoint, I wholeheartedly agree the previous implementation was bad. I applaud you and AgileBits for standing up for that. Sincerely, thank you.

    But although the implementation was bad, the feature itself was critical. Please fix the bad implementation, but do not kill the critical feature. There are options. Please reconsider.

    Jay

  • earroyo
    earroyo
    Community Member

    Sad to see that feature removed. Really came in handy. :(

  • Penelope Pitstop
    Penelope Pitstop
    Community Member

    So I just discovered that sharing via Messages has been removed. This thread has helped me understand why Agilebits have taken that decision. Glad I searched before starting a duplicate thread. ;)

    However, +1 for a new feature that allows us to share an individual item with another 1Password user just once in a secure way. The Teams and Families services are great, but inappropriate for this one-time sharing requirement.

    A significant technical challenge I'm sure, but Agilebits have shown themselves to be good at facing those over the years. Surely there must be a way to leverage the Teams/Families technology to allow this?

  • Building a product like 1Password is a constant balancing act between convenience and security. This feature was great on the convenience scale but not so great on the security scale, and as such had to be dumped.

    I'm sorry for the inconvenience. :(

    Ben

  • @Penelope Pitstop: absolutely there are ways of leveraging Teams/Families technology for this. There are some challenges there still, but things are significantly better setup to be able to do this kind of thing. For example, every Teams/Family user has public/private encryption keys created for them. We use those keypairs are used heavily already, and they could be used to send data to another user securely.

    The nice part about using keypairs is that you wouldn't need to have a shared secret like a password that you transmit some other way.

    Secure sharing is definitely something that's on our minds, and we've been working through the problems bit by bit.

    Rick

  • dougl
    dougl
    Community Member

    @rickfillion I think you just confirmed that the refusal to enable it, with appropriate warnings is partially driven by a desire to sell your other products, not just security.

    Now I could use export/import option and sending those files via messages as an alternative. But that's not available for mobile, so when I'm traveling (which invariably is when the problems happen), I'm totally out of luck.

    Teams/Family is not an option for my use case. I will absolutely not store my vault in the cloud. The concern is that there is an undiscovered defect in your code that allows vault decryption with much lower effort. Is that low probability? Sure - you guys know your stuff, but I do this for a living and know how hard it is to get completely right. So if that low probability event happens, it's a catestrophic impact, and far beyond what I'm willing to risk. That's way I was so vocal back when you killed the wifi sync option.

    A symmetric password is a straightforward solution to this problem. The complexity of public/private key pairs is not required.

    @jpgoldberg I agree that the obfuscation is misleading. So why not disable the export function too? 99% of users probably never look at the output at all. I guess I don't understand why a warning on that dialog is enough, but a warning on the share dialog isn't.

    If the risk you're addresing is that you're implying encryption, then fine, don't obfuscate it - just share plaintext XML. That eliminates the concern without removing a very useful feature.

  • jpgoldberg
    jpgoldberg
    1Password Alumni

    I've read the rationale and, frankly, I don't care. I know the risks and it's my choice to balance the risk against functionality.

    I'm glad that you know the risks. But the concern is that most people using it do not.

    Put a disclaimer in, have the user accept the risk, force users to input a code to access it, whatever.

    Thanks, @SecretSquirrel. I'm not ruling out doing something like that.

  • AssetBurned
    AssetBurned
    Community Member

    Hi,
    ok I admit I just signed up here just for this problem.

    I just wanted to introduce this feature to a friend of my and didn't recognised that my 1Password updated and removed this feature.

    While I understand that sharing via an unencrypted way or via an way where the recipient might not be the person you assume who he is, is a security risk.
    I do not understand the argument that other apps are allowing others to read the message, is a bit .... well strange. You also removed messaging apps that have an end to end encryption.
    Yes there is still the risk that you send it to the wrong person. And yes there is the risk that someone copies the link to another application (such as SMS).

    On the other hand you did not removed the export feature from the OS X application and there you have even unencrypted file formats. And what prevents me to take a screen shoot of the iOS app?

    So how about adding at least the apps that are listed by the EFF https://www.eff.org/de/node/82654 and passed the security part there?

    I agree with some people here that this coincidently looks a bit like a push towards the payed sharing services, even if it is really just a coincident.

    How about a different way. WhatsApp already showed a way how to make sure that the person you are talking about is really the one and that the encryption is not changed in between (simply said).
    1Password could have a similar function "I want to share this entry" then a menu pops up "Mr. Doe, Miss Jane ..." and each of them must be validated in an offline way (barcode for example) so the sharing option could then use an asymmetric way to encrypt the data in a way that Mr. Doe can open the information, but Miss Jane can not.
    Yes that would still not make it easier for people who don't see each other in real life and there would be ways to go around this... but it would allow sharing with some people and also through channels you think are insecure.

    Bottom line, removing a feature until a proper better replacement is available, is a bad PR idea.

    CU AssetBurned

  • bbrink
    bbrink
    Community Member

    This is a shame. First, I wish I'd have known and I'd have avoided the update as long as I possibly could. Second, email and manage aren't an option but Pinterest and Facebook messenger are??? Bull. I don't want the complications of a shared vault. More master passwords, more duplicity.

  • bbrink
    bbrink
    Community Member

    So why these options and not Mesaage?****

  • bbrink
    bbrink
    Community Member

    These. Sorry.

  • SawbonzDO
    SawbonzDO
    Community Member

    Sooooo, your solution is to take obfuscated, encrypted data that required the app and knowledge of what that data was away from us and leave us with copy and paste of plain text in iMessage? The cynic in me can't help but notice that this happens right as the subscription based "1Password for Families" that syncs these logins automatically arrives.... As such, you can imagine how I feel about this.

  • Ben
    Ben
    edited May 2016

    You're right: 1Password Families (or 1Password for Teams) is definitely the better way to do this.

    We'd only recommend sending via iMessage (regardless of this feature) if you've turned the fall back to SMS off.

    Ben

  • cjoshea
    cjoshea
    Community Member

    Wow, so I went from sending by email with limited security to having to do a screenshot of my username and password and send completely insecure. Seems like two steps back.

  • ManFromAustin
    ManFromAustin
    Community Member

    Really really disappointed

  • AssetBurned
    AssetBurned
    Community Member

    @bbrink I don't know about Pinterest, but I can not send any type of entries directly to Facebook messenger, even tho it is shown. I assume Pinterest will also bring up an error message if you try it.

  • jayd
    jayd
    Community Member

    Due to the sharing features being removed, I took a little time to set up a shared vault. In all fairness, I have to admit that it was not difficult and it seems to work quite well. My girlfriend and I now each have our independent primary vaults, plus one shared vault. Everything stays synchronized and there are no additional passwords to remember or enter (except the very first time when adding the shared vault). It is super easy to put items in the shared vault, they automatically show up on all the other proper devices, the transmission is fully encrypted, and the new "View All Vaults" feature makes it totally seamless when actually using 1Password. It is quite slick. Kudos to AgileBits for the shared vaults capability.

    Yes, it requires keeping your vault(s) in the cloud. They are encrypted, but that is still a weakness (and deal breaker for some). Yes, it took about an hour of work to sit down, create the shared vault, get it installed on all our devices, move all the shared items into it, and delete the duplicates from our primary vaults. It was not fun, but certainly not difficult - just grunt work. After the initial setup, there is no on-going maintenance or grunt work - everything just functions easily and effortlessly (and securely).

    I am not a guy to bring only complaints to the party; I like to bring options and answers too. For those folks sorely missing the sharing features, as I was, I strongly recommend checking out the shared vaults capability. It really does the trick nicely.

    I will not hop on the bitchy bashing bandwagon (really, folks), but I want to be clear here that I still believe AgileBits made the wrong decision to remove the Message/Mail sharing features. I still stand by what I have written in my posts above. Through my years of founding, growing, and selling vulnerability assessment and penetration testing companies, my experience says that removing easy sharing options will lead users to even worse behaviors.

    Thus, I would continue to respectfully ask AgileBits to reconsider their position. There are options for providing more secure sharing (several of which are noted in this thread). Please reconsider.

    Jay

This discussion has been closed.