Feature Request: A Server

Let me start by saying that I am fine with paying an ongoing subscription to you folks. As a former coder myself, I understand the need for a regular stream of income, so this message has nothing to do with how I pay for the program. However, like some others, putting my security data, no matter how securely, on a server controlled by another company just gives me the willies. So here's my feature request:

Sell me a server. Let me run the server on my own network. Allow all of the clients (Mac, Win, iOS, Android) to point to this local server. Personally, I'd want a server I could run on the macOS server that I have, but I could imagine folks also wanting a Win server and a Linux server.

This allows me to control my own data. I can do my own backups. I can control my own enterprise. And on top of that, I can sync between my assorted Mac and Win machines, which I can't currently do with WiFi sync; I can stop using the (unsupported) file sharing method.

I'd pay pretty good money (by subscription, if you like) for a server I can run on my own. Please.


1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Sync Type: Not Provided

Comments

  • Ben AWS Team

    Team Member

    Hi @resnick,

    Thanks for taking the time to write in with this feedback. Currently, we’re focused on making our hosted version of 1Password the very best it can be. We may revisit the topic of self-hosting in the future, but for most folks running an instance of the 1Password service on their own hardware is not going to be feasible, even for fairly large corporations. There are a lot of services that go into running the 1Password service including database servers, DNS servers, web front-end servers, caching servers, application and notification servers, etc. Not to mention the network infrastructure is fairly complex.

    Now of course part of that is because the 1Password service is designed to handle a large number of customers, and an isolated installation likely wouldn't have the same requirements, and so some of that could be scaled back. But it would be a huge undertaking for us to offer something like that, and as such it isn't likely to happen in the near future (or for home users).

    That said, our 1Password Teams sales team would definitely be interested to hear if this is something you're interested in. Please drop them a line to [email protected] if you are.

    If you're looking for something a little less intense, but also significantly less feature rich, the WLAN server may help:

    How to use the WLAN server - 1Password Support

    This does not check all of the boxes you mentioned, as it is only designed to allow 1 computer to sync with 1 or more mobile devices, but it may be sufficient until another solution is available. This can be used in conjunction with folder sync to bring mobile devices into the loop, as folder sync generally doesn't allow for mobile device sync.

    Ben

  • Hi.

    I'm sorry if this is not entirely in context. And I'm also sorry it is not as happy/positive as most of the posts here. But that is because, while the core software is awesome, the path you set forward in handling subscriptions and syncing alienated me (and I guess a few others) from what is otherwise close to perfect.

    So first a reply to this post: There doesn't have to be a special server. Just a good way to hook up to cloud services which the user/company owns and where they can decide the credentials. Like HTTPS+WebDAV. Or, you know, other protocols/services that already exist. Because (if) your containers are secure, (then) the service itself always is, even if exposed. Riiiight?

    And since ... I'm just about to leave for good from 1password, here is my rant/context/farewell. I hope this is okay.

    1. I have / had licenses for all paid versions on Mac and Windows. I would have paid for each new version, but that did not seem to be necessary. Why did you pass up this chance? Because:

    2. Your new price advertising might be "industry standard" - but is in my opinion still fishy. 2.99 ... billed annually is 35.88 for a year's software rent. I feel like you think I am an idiot if you feed it to me like this. I have not clicked past the trial to see if there is a higher price for real monthly payments.
      Now I know the pro-arguments for that model: More platforms, cloud, etc. etc. - But you know what?
      Having a license for quality software to "own" was, for me, one qualifying argument for 1Password. A one-time purchase means I have control over my earned money. And yes, you have to earn my investment for the next version - but why fear that? Given your good core software, that is actually not a problem, it would seem.

    3. I read a lot recently about 1Password and its cloud/subscription over at Y-Hacker News. My gist: security-specialised/aware people don't like any cloud-based approach for password managers - no matter how convenient or how theoretically secure it is - it feels like putting lipstick on a pig. I know you think differently, because otherwise you would see the problem from their/our/my viewpoint.
      Hint: I never ever want my data - no matter how encrypted - to leave my domain. And you are just about to take that away slowly.

    4. I consider myself a multiplier. I don't know how typical I am - or if I really qualify. I bought the (old) Mac Pro because extensibility and customization matter to me. I get asked about, or recommend, password managers to friends, colleagues and students. So, when you push into a new payment model with an approach that suggests cloud over local services ... well ... time for a change.

    You lost me for now. To the fresh competition with that one feature I always naively wanted (and hacked myself for 1Password with scripts): sync WebDAV over HTTPS. Because that means I can set up a connection working either only at home, at work, or globally to sync my password data just within my "domain". Yes, that is most likely pro stuff, a 1% feature. But: maybe 10% soon. Because I bet more and more people get a QNAP, Synology, FreeNAS or whatever private cloud - people get more and more sensitive about where to store what matters.

    So now I recommend to people a private cloud setup with the (gasp) free version of your competition's password manager (yeah, you must be desperate that they give their desktop software "away"... but I pay for their mobile version). That private cloud also solves more than just the password problem - nice!

    I would return to 1Password the moment you give me/your users more storage choices, including at least WebDAV with HTTPS + local vaults for all platforms. I would hate to be billed in intervals, but I can make compromises. Just not for storage.

    TL;DR: Instead of holding my breath for unlikely choices in 1Password's future, your competition won me over by having no-nonsense pricing and a sane sync feature which gives me full control over where my data is stored, now and in the future. And it was cheaper, but that did not matter.

    (Note: English is not my first language, there will be bad spelling all over. Sigh.)

  • resnick
    edited July 2017

    Hi @Ben , thanks for your reply. I am using the WLAN server right now, but it has two major shortcomings:

    1. It doesn't work Mac-to-Mac. I've got it running for my iPad and my Android phone, but if I could point my second Mac to it, that would remove the need to do the folder sync.
    2. It doesn't allow off-network access. The machine on which I run the WLAN server has a hostname and a public IP address. Since I'm on the road a lot, I would love to be able to point my devices to a host rather than do Bonjour discovery. My machine even has a real certificate, so it can do TLS, which would of course be a good thing.

    So if you see no real hope in the near future for a full-fledged server, a WLAN client for the Mac (and for Windows, to be fair :) ), and a config option so that I can use it off of the LAN, would be great. Consider that two feature requests.

  • brenty

    Team Member

    @resnick: Since the 1Password desktop apps act as a server and the mobile apps as clients, there just isn't any logic there for computers to sync with each other, or to negotiate who should be the client and who should be the server. It's not something we currently have plans of implementing, since folder sync allows people to use nearly any tool to sync data between computers. This simply isn't possible with the mobile apps, so it was important to set things up this way so they could sync device-to-device.

    As far as "off network access", I didn't quite get what you meant at first, and admittedly there's no good term for this. But it sounds like you just want to be able to sync your data via WLAN server with a computer at home even when you're away. While I think that seems diametrically opposed to the spirit of your request and efforts to not sync your 1Password data over the internet (regardless of the fact that it is end-to-end encrypted), I know some folks have done this via VPN. And of course you could run your own VPN server to connect to at home as well. Just a thought.

    I think a "1Password.com personal server" (the name I just made up) is a really cool idea, and maybe we'll be able to do something like that down the road. But this would very much be a niche feature, and we have a lot of other work to do in the present and near term that will benefit a much larger number of users (for example, browser compatibility, which nearly all 1Password users depend on). It's something we can consider in the future though.

  • brenty

    Team Member

    @kappuchino: I'm sorry if you feel that way. That isn't our intention. While we're not going to be able to make 1Password all things to all people, we do make an effort to make it accessible for as many folks as possible to secure their digital lives. I can't promise you any unreleased features, as even if we were clandestinely planning on adding something like this, not everything we work on gets a release (more on that below).

    But keep in mind that while we're not going to be able to add everything you want, we're absolutely not taking away the setup you already have. So while it's certainly your prerogative, I can't say that it makes sense to me to abandon something that works for you. You can continue to use local vaults and sync them yourself, and I know a lot of folks come up with some really interesting ways of doing so to suit their own needs. We're just not going to be able to offer everything, so we try to focus on the solutions that will do the most good for the greatest number of people. Currently, self-hosting is not at the top of that list.

    WebDAV in particular is, unfortunately, a terrible fit for 1Password and while there are very few things we'll rule out entirely, it's something we pursued previously and it was a dead end. And that's to say nothing of the fact that WebDAV is not an acceptable solution for the vast majority of users. So we won't be going that route. It's something that a lot of work went into and I can pretty much guarantee you that we won't be revisiting that in the future.

    Unfortunately you cannot own software. I understand that there's a preference to pay once, and that that can feel like ownership, but that simply isn't the case. You can buy a car, fix it yourself, add some options, maintain it, and later resell it to get some money to put into a new car. And while you can continue to make use of it, you can't fix, improve, renovate, or resell your old software. It's just not the same thing. These days most people expect that software like this works seamlessly across all their devices and is constantly updated, and frankly this is incredibly important when it comes to something we use to protect our most important data. Additionally, the vast majority of 1Password users depend on browser integration to get things done on a daily basis, and that's a constantly changing landscape as well. So, given the expectations of most of our customers (who overwhelmingly requested these features in the first place), 1Password.com is a subscription service, rather than a one-time payment which won't sustain the ongoing work across all areas — security, features, browsers, and compatibility — that are expected.

    Ultimately the only way you can keep all of your data truly "within your domain" is to not be on the internet. And that's not a common use case for 1Password, which is focused heavily on managing and filling online account credentials, so it isn't one we really design for. The standalone 1Password apps have features that support that already, so there's no need to reinvent the wheel. I wouldn't recommend WebDAV, but an enterprising user could get that working with 1Password since local vaults and folder sync are already available.

    Our pricing is pretty no nonsense as well, and storage is only a small part of what it includes. As they say, "you get what you pay for", and we're pretty upfront about the costs and what's included: world class security, convenience, design, and support. Obviously we'd prefer that you use 1Password — and, especially if you've already paid for it, I think that makes logical sense to continue to do so, as there's no additional cost for that — but it's absolutely okay if another tool is a better fit for your needs right now. We'd rather you use a competitor's product than nothing at all. Stay safe out there.

  • @brenty: Seems to me that negotiating who is the client and who is the server is pretty obvious: If I turn on "Run a WLAN server from this Mac" in the WLAN server settings, I'm the server; if I choose (the future) "Sync Primary vault with WLAN Server" from the Sync settings, I'm the client. I'm not clear on why there would need to be a "negotiation", unless you let them turn on both settings at once. And as for folder sync, yes, it works, but (a) you specifically say it's not supported to work on network disks (even an Apple File Server mount), which makes me a bit nervous; (b) it requires me to mount the remote disk when I'm on the road instead of just having 1Password make its connection when needed; and (c) there's no way to have 1Password not be very upset when that disk isn't mounted. WLAN client support seems like a simple feature.

    Now, as far as being able to specify an address for the WLAN server so I can access it "off network", a couple of things:

    1) You say, "I think that seems diametrically opposed to the spirit of your request and efforts to not sync your 1Password data over the internet". That has never been my concern, and I think perhaps this is why discussions about the new server-based model have been so difficult. While allowing my vault to traverse the net certainly opens an attack surface, it is a fleeting one and requires a man-in-the-middle (i.e., online) attack. What I'm concerned about is 1Password keeping my vault and everyone else's vaults on their centralized server. That results in a big giant attack surface for a potential attacker. If someone does succeed in penetrating your server, they have access to everyone's vaults and then can mount an offline attack on them. That's a much more disturbing scenario. And sure, having my personal WLAN server accessible from the Internet is also an attack surface that lends itself to an offline attack if penetrated, but my personal server is a pretty small target for an attacker. So this is not, for me, essentially about syncing over the network. It's about AgileBits storing my information.

    2) You also say, "I know some folks have done this via VPN. And of course you could run your own VPN server to connect to at home as well. Just a thought." I do have my own VPN server, and I'm connected to it with my iPad, but the iPad doesn't see the WLAN server. This is not surprising, since AFAICT, you're using Bonjour to create the WLAN server, and Bonjour does not traverse VPNs. I don't know how other folks have done this via VPN. What I want is a way to configure the WLAN server by specifying a domain name or IP address. That should be easy to provide as a UI option (even if it had to appear in some advanced config place).

    If you gave me domain-name or IP-address config for the WLAN server and gave me a WLAN client for the desktop version, that would be the "personal server" you're talking about. I don't think it's a heavy lift. I'm happy to beta-test. ;)

  • resnick
    edited July 2017

    I thought I had posted this before, but it seems to have disappeared. Trying again:

    @brenty: First, with regard to desktop WLAN syncing, you say "there just isn't any logic there for computers to sync with each other, or to negotiate who should be the client and who should be the server." I'm not sure what sort of negotiating you're thinking of: If I check "Run a WLAN server from this Mac", then I'm a server. If I say "Sync Primary vault with [WLAN Sync]" (presuming the future option), then I'm a client. I guess you have to check to make sure I don't have both turned on, but there's no negotiating AFAICT. As for folder sync, I'm happy to use it (and do), but it makes me a bit worried because (a) you specifically say that doing so over a network volume (even an AFS volume) is not supported; (b) it means that I have to keep the volume mounted when I'm off network instead of just having 1Password connect when it needs to; and (c) 1Password does like to complain vociferously and hang for periods of time when the volume isn't there instead of just silently failing. So having the desktop WLAN client would make me much happier and get me halfway to my goal.

    Now, a couple of things on the "off-network access" bit:

    1) You say, "I think that seems diametrically opposed to the spirit of your request and efforts to not sync your 1Password data over the internet". That has never been my position, and if that's how you and others have been interpreting it, I can see how the discussion keeps going sideways. It is certainly true that having my 1Password data going (encrypted) over the Internet is an attack surface, but to take advantage of it requires a man-in-the-middle (i.e., online) attack, and a targeted attack at me to accomplish it. That's not my big concern. My big concern is someone attacking AgileBits, a much more productive target, where a successful attacker would be able to get data (albeit encrypted) for all of your customers and then can proceed to mount an offline attack attempting to break the crypto. Offline attacks are the more significant attack surface and much more worrisome to me. (Again, an attacker could do the same if they were targeting me specifically, but I'm a much smaller target and more difficult to find.)

    2) You also say, "I know some folks have done this via VPN. And of course you could run your own VPN server to connect to at home as well." I do in fact run a VPN, but I cannot get this to work. (I've just tried it on my iPad, connected to my VPN, attempting to connect to my WLAN server.) As far as I can tell, this is because you are using Bonjour to discover the server, and Bonjour does not traverse a VPN (or any non-local network), at least in its current form. If you've heard of folks that have made this work, I'd love to hear about it. Maybe they're doing something like running a VPN in bridge mode.

    Really, all I want is the ability to enter a domain name or IP address instead of doing the Bonjour discovery. With that, and the desktop WLAN client, you'd pretty much have the "personal server" you're talking about, and that would make me pretty happy. It's a very small amount of UI to write, and the network code should be (AFAICT) reusing what you've already got. Yes, it's a bit nichy, but I can probably line up a bunch of people who would be happy to lend their support. I'm happy to beta test. ;)

  • brenty

    Team Member

    @resnick: Sorry for misunderstanding your intentions for using local sync. WLAN server is designed as a local sync option, and this is why most folks use it, so we don't have any plans to make it internet addressable — and that also would mean you'd have to have 1Password listening on a WAN port, which means we're back to "another attack surface" as you mentioned as well.

    What I meant earlier is that the desktop apps literally only have WLAN server sync logic and no code to act as clients. And with the WLAN server disabled, 1Password doesn't broadcast to establish a sync connection on the local network.

    What I'm concerned about is 1Password keeping my vault and everyone else's vaults on their centralized server. That results in a big giant attack surface for a potential attacker. If someone does succeed in penetrating your server, they have access to everyone's vaults and then can mount an offline attack on them. That's a much more disturbing scenario.

    I couldn't agree more. This was our first concern when we even started thinking about 1Password.com. We don't want to be in a position to allow anyone to get access to 1Password users' data — which of course includes our own as well. If we were storing people's data in the clear, encrypting it ourselves, or storing the keys to decrypt it, that would be a risk, regardless of the lengths we go to to secure the server itself. But fortunately 1Password.com doesn't depend on an attacker not getting the database. We do everything in our power to prevent that, but assume that they will, which helps us defend against more likely attacks — which brings us to you.

    There's a lot more detail in our security white paper, but fundamentally,

    1. Your 1Password data is encrypted locally on your device before it is transmitted.
    2. The server receives only encrypted data.
    3. Your Master Password is never transmitted.

    You might think I'm talking about 1Password.com specifically there, but that's the case with WLAN server as well — the only difference being that 1Password.com data is also encrypted using the 128-bit randomly generated Secret Key, which is also never transmitted to us. So there's an additional layer of security there which isn't available with WLAN server specifically and local vaults in general.

    And sure, having my personal WLAN server accessible from the Internet is also an attack surface that lends itself to an offline attack if penetrated, but my personal server is a pretty small target for an attacker.

    Since even then an attacker will need to get your Master Password from you, it would be easier for them to get the data from you as well. Regardless of how passionate you are about security, you have to sleep; and 1Password.com is continuously monitored and tested both by us and by independent security researchers to find and address any issues, so if someone wants to get your data it will be easier for them to go through you. And with a local vault, they can perform a brute force attack against your Master Password. That isn't to say local vaults are insecure (and PBKDF2 helps defend against these attacks), but this just isn't something that can be done with a captured 1Password.com vault, even if the user has a weak Master Password.

    Suffice to say, if someone gains access to our servers and dumps the full database, they still don't have what they need to decrypt it, as each individual user alone has the keys to their data. So an attacker won't have that and can't get it from AgileBits. If that weren't the case, we wouldn't be comfortable offering or using 1Password.com either.

    Ultimately, 1Password.com is our focus right now for these and many other reasons, and even if that weren't the case, WLAN server is not something we'd be able to prioritize, since, as illustrated by this discussion, there isn't even a single use case that we'd need to take into account...and any work we do there will only benefit a small number of users, even if we're able to satisfy all of the various WLAN server use cases. This may change in the future, but based on our interactions with customers over more than a decade I'm not sure I'd bet on that. Most folks just want to secure their digital lives without having to fiddle with sync settings and server configuration; and so far the only way we can offer the convenience users demand without sacrificing security is with 1Password.com. And since that allows us to help the most people, that's what we're focused on today.
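An added illustration of the argument above, covering both resnick's concern about an offline attack on a dumped central database and brenty's reply that the Secret Key defeats it. This is not 1Password's code, and the key derivation is a simplified stand-in (PBKDF2 plus an HMAC mix-in of the Secret Key) for its real construction; the vault contents, wordlist and toy encrypt-then-MAC cipher are constructed for the demo.

```python
import hashlib
import hmac
import os
from typing import Optional

# Deliberately low so the demo runs quickly; real clients use far more.
ITERATIONS = 10_000

# Constructed sample vault contents (not a real vault format).
VAULT_PLAINTEXT = b'{"title":"example.org","password":"hunter2"}'


def derive_key(master_password: str, salt: bytes, secret_key: Optional[bytes] = None) -> bytes:
    """Client-side key derivation. The password alone feeds a slow KDF (as with a
    local vault). When a device-held random Secret Key is present it is mixed in,
    so both secrets are needed to reach the vault key. Simplified assumption,
    not 1Password's actual two-secret construction."""
    pw_key = hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt, ITERATIONS)
    if secret_key is None:
        return pw_key
    return hmac.new(secret_key, pw_key, hashlib.sha256).digest()


def _subkey(key: bytes, label: bytes) -> bytes:
    # Separate encryption and MAC sub-keys derived from the vault key.
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC-SHA256 in counter mode as a toy PRF keystream; a real client uses an AEAD.
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def seal(key: bytes, plaintext: bytes) -> dict:
    """Encrypt-then-MAC. The result is all a sync server ever receives."""
    nonce = os.urandom(16)
    ks = _keystream(_subkey(key, b"enc"), nonce, len(plaintext))
    ct = bytes(a ^ b for a, b in zip(plaintext, ks))
    tag = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return {"nonce": nonce, "ct": ct, "tag": tag}


def unseal(key: bytes, box: dict) -> Optional[bytes]:
    """Returns the plaintext, or None when the key is wrong (tag check fails)."""
    expected = hmac.new(_subkey(key, b"mac"), box["nonce"] + box["ct"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected, box["tag"]):
        return None
    ks = _keystream(_subkey(key, b"enc"), box["nonce"], len(box["ct"]))
    return bytes(a ^ b for a, b in zip(box["ct"], ks))


def make_vault_record(master_password: str, secret_key: Optional[bytes] = None) -> dict:
    """What the server (or a dump of its database) holds: salt and ciphertext only.
    Neither the Master Password nor the Secret Key ever leaves the client."""
    salt = os.urandom(16)
    return {"salt": salt, **seal(derive_key(master_password, salt, secret_key), VAULT_PLAINTEXT)}


def open_vault(record: dict, master_password: str, secret_key: Optional[bytes] = None) -> Optional[bytes]:
    return unseal(derive_key(master_password, record["salt"], secret_key), record)


def guess_from_dump(record: dict, wordlist: list, secret_key: Optional[bytes] = None) -> Optional[str]:
    """Models the offline attack the thread discusses: someone holding only the dumped
    record tries candidate Master Passwords. A local-vault record (no Secret Key)
    falls to a wordlist when the password is weak; with the Secret Key mixed in,
    every guess fails because the 128-bit key is not in the dump."""
    for guess in wordlist:
        if open_vault(record, guess, secret_key) is not None:
            return guess
    return None


if __name__ == "__main__":
    wordlist = ["password", "123456", "letmein", "qwerty"]   # constructed
    local = make_vault_record("letmein")
    secret = os.urandom(16)            # Secret Key: generated on, and kept by, the device
    hosted = make_vault_record("letmein", secret)
    print("local vault dump, weak password:", guess_from_dump(local, wordlist))
    print("hosted record dump, no Secret Key:", guess_from_dump(hosted, wordlist))
    print("rightful client:", open_vault(hosted, "letmein", secret))
```

The run shows the weak password recovered from the local-vault record but not from the hosted record, while the client that holds both secrets still opens it.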

  • Ben AWS Team

    Team Member

    I don't think it's a heavy lift. I'm happy to beta-test. ;)

    Heh. Heavy is relative.

    I don't know how other folks have done this via VPN.

    They use a Bonjour Service Proxy.

    :)

    Ben
