Security background for 6.3.4 extension authorization

jpgoldberg
1Password Alumni

As the release notes for version 6.3.4 say:

Today’s update brings a small change to how 1Password communicates with the 1Password extension in your web browser. Once you update to the latest version of our browser extension you will be prompted to verify 1Password’s connection to the extension in the form of a six-digit code. As long as the code displayed in your browser matches the one prompted by 1Password, you're a-okay to click Authorize.

And so you are all seeing (or should be seeing) prompts like

Why are we doing this?

When 1Password is unlocked, the 1Password browser extension (the thing operating in 1Password) is able to ask 1Password things like "tell me how to fill in the username and password for this page I'm on". And 1Password mini will give an answer that will include the user name and password for that page. So because 1Password (via mini) is willing to hand over your secrets to the browser extension, it needs to know that it is a real, bona fide 1Password browser extension that is asking.

We have lots of ways and tests and conditions to ensure that mini really is talking to a genuine 1Password extension. No single test that we have in place is completely reliable on its own, but in combination they get the job done. What you are seeing is that we have added more checks and tests to the repertoire of mechanisms that mini and the browser extension use to verify each other. Unlike other checks, this one is visible and requires user interaction.

Note that these are all mechanisms to defend against a threat running on your own machine. Please keep your systems up to date and be thoughtful about where you install software from. Those two things will dramatically reduce the chances that your own system is compromised. In principle, it is impossible for 1Password to defend against all local compromises of your system, but we can defend against some.

Why now?

It turns out that one of the checks we were using in 1Password for Windows wasn't working as expected on Windows. (This was reported to us by Tavis Ormandy of Google's Project Zero in the beginning of August.) Our fix for that is the mechanism you see, which not only covers the very specific security issue we had, but also a wider family of potential issues. You can see the details in this discussion over in our Windows forum. Although 1Password for Mac didn't face the same specific issue, the new mechanism adds another layer of defense, and so after introducing this in Windows, we brought it to 1Password for Mac.

What it does

The effects on security of the new mechanism do a couple of things.

  1. The first (and visible one) is that the first time something wants to start to talk to mini, you must approve it.

    This would make it harder for someone to try to sneak a client past you. If you somehow installed malicious software that wanted to talk to 1Password mini and was able to get around our other checks, you would be notified.

  2. Once approved, each subsequent session is authenticated.

    When you first approve the browser extension, it and mini establish a shared secret (that is entirely separate from the six-digit code). That secret is used when setting up new sessions for mini and the extension to prove to each other who they are.

  3. Authenticates each message back and forth.

    Each request from the extension to mini is encrypted using authenticated encryption using a key that is created for the individual session. This means that if some process were to try to modify or inject a request into the communication, the false message would be detected and dropped.
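
A sketch of how points 2 and 3 can fit together, as an added example that is not 1Password's code and does not describe its actual protocol. The choice of HKDF-SHA256 and AES-256-GCM, the nonce layout, and every function and constant name are assumptions made for illustration.

```javascript
// Added illustration only: NOT 1Password's protocol. All names are hypothetical.
const { randomBytes, hkdfSync, createCipheriv, createDecipheriv } = require("crypto");

const TO_APP = 0, TO_EXT = 1; // direction byte keeps the two senders' nonces distinct

// Created once when the user approves the pairing; both sides store it.
function newPairingSecret() {
  return randomBytes(32);
}

// Per-session key: long-term secret mixed with a fresh nonce from each side,
// so only a holder of the pairing secret can derive it (assumed: HKDF-SHA256).
function deriveSessionKey(pairingSecret, appNonce, extNonce) {
  const salt = Buffer.concat([appNonce, extNonce]);
  return Buffer.from(hkdfSync("sha256", pairingSecret, salt, "example-session", 32));
}

// 96-bit GCM nonce = direction byte + message counter; never reused within a session.
function nonceFor(direction, counter) {
  const iv = Buffer.alloc(12);
  iv[0] = direction;
  iv.writeBigUInt64BE(BigInt(counter), 4);
  return iv;
}

// Encrypt and authenticate one message (assumed: AES-256-GCM, 16-byte tag appended).
function seal(key, direction, counter, text) {
  const c = createCipheriv("aes-256-gcm", key, nonceFor(direction, counter));
  return Buffer.concat([c.update(text, "utf8"), c.final(), c.getAuthTag()]);
}

// Returns the plaintext, or null when the message must be dropped:
// modified bytes, wrong key (unpaired sender), or unexpected counter/direction.
function unseal(key, direction, counter, sealed) {
  if (sealed.length < 16) return null;
  const body = sealed.subarray(0, sealed.length - 16);
  const d = createDecipheriv("aes-256-gcm", key, nonceFor(direction, counter));
  d.setAuthTag(sealed.subarray(sealed.length - 16));
  try {
    return Buffer.concat([d.update(body), d.final()]).toString("utf8");
  } catch {
    return null; // authentication failed: drop the message
  }
}
```

The receiver tracks the counter it expects next, so a captured message replayed later fails authentication in the same way a modified one does.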

What this doesn't do

One thing to make clear is that this particular new mechanism doesn't defend against an attacker who can read your files on your disk. The long-term secret that mini and the extension store is readable by anything with the power to read your disks. This is why this mechanism is just one of the many we use to make sure that mini and the extension are talking to the right parties. But it does defend against a malicious process running on your machine that is running as some other user or in a sufficiently sandboxed environment (so it can't read arbitrary files).

There are more details of this in the 1Password for Windows discussion I mentioned, but this should give you some sense of what this is all about.

I hope this helps.

This discussion has been closed.