Where is the extension data file?

CarlCarl Just Me
edited December 2011 in 1Password 3 – 6 for Mac
As I understand it ... (feel free to correct)

the data file is now sandboxed and thus the extension cannot read directly from the agilekeychain like it could in the past...

it therefore creates its own database.

Questions:

1. Where is the extension database stored? (i.e. what is the filename and folder)

2. The Curious George in me wonders.... If the extension cannot read the data file then how can it actually generate its own database file from the original data?

Can you speak more to how this exactly works?

Thanks

Comments

  • khadkhad Social Choreographer

    Team Member
    edited December 2011
    This is a great question — or, rather, set of questions — Carl!

    The sandboxing of browsers (along with the sandboxing of 1Password 3.9) means that the browser extensions and the main application cannot use the same data directly. Instead 1PasswordAgent (or 1Password Helper in 3.9) is used to synchronize data between the browsers and the 1Password Application.

    1Password manages the data exchange between itself and the browser extensions through WebSocket. This allows the 1Password background process to communicate with the browser extensions while still respecting the sandboxing rules enforced by modern web browsers. Although these appear as network connections, they are limited to your local machine. These connections are encrypted and authenticated, so they cannot be used to deliver information to any other processes beyond the extensions and the main 1Password application.

    The specific ports that 1Password uses through its WebSocket connections are:
    6258, 10191, 14821, 24861, 25007, 38151, 46360, 49801, 55730, 59483
    


    Within the browser the data is encrypted and stored in an SQLite data file.

    Safari: ~/Library/Safari/Databases
    Firefox: ~/Library/Application Support/Firefox/Profiles/OnePassword.sqlite
    Chrome: ~/Library/Application Support/Google/Chrome/Default/databases/chrome-extension_gkndfifopckmhdkohjeoljlbfnjhekfg_0

    You can find all this information in a 1Password Diagnostics Report if you want to generate one for yourself and take a look.

    The database itself will be an SQLite file which you can inspect if you are familiar with tools like sqlite3. If you examine the database, you will find that, as with our main application data format, each item is encrypted separately. That is, we stick to the principle of never decrypting more information at any one time than is needed at any one time. This means that decrypted data never just hangs out in browser memory or in swap files.

    There is also something very clever going on in these files. We wanted to keep everything encrypted, or at least concealed, including the URL of the item. At the same time, we need to be able to find out which items in the database match a particular page, without having to decrypt everything in search of matches. This involves creating a set of cryptographic hashes of the domain in the Locations which can be searched without decrypting. The "overview" information is then decrypted for matches, and only when a user selects the particular item is the full item, with the site password, decrypted.

    Jeff has previously specifically pointed this out because a year ago, he didn't believe that we could manage to have location data encrypted and still have usable site matching in the browser. What I have learned is that Dave and Roustem can do things that Jeff once considered impossible. :)

    A question that is likely on your mind is: Does this make your 1Password data vulnerable to a browser compromise? Roughly speaking, 1Password is not significantly more vulnerable to a browser compromise than before with the old Scripting Additions mechanism. If something were able to hijack the way that the browser talked to the 1Password data it could sniff and retrieve the data once a user has unlocked the data.

    But the same kinds of things that made 1Password resistant to this kind of attack apply to 1Password today. The details are different, but ultimately it comes down to the fact that stuff injected into a browser window can't get at certain other components. What's different today is that the actual security architecture that we are relying on is better understood and explicit. Scripting Additions was always a hack. It happened to effectively have the kind of sandboxing that we needed, but with Safari 5.1 using a proper extension framework, that kind of sandboxing is there by design.

    You have always trusted your browser with your 1Password data. The difference now is that a copy of the data is stored in the browser's data storage area instead of your browser reaching across to 1Password's storage area.

    Thanks for asking about this. Please let me know if you have any other questions.

    Cheers,
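The three-stage lookup described in the reply above (hashed domain index searched in the clear, overview decrypted for the matches, full item decrypted only on selection) can be sketched in a few dozen lines. The following is an added illustration, not 1Password's code and not a description of its actual file format: the table layout, the key derivation, the choice of HMAC-SHA256 as a keyed domain hash, the "www." stripping, and the stdlib stream cipher used as a stand-in for a real AEAD are all assumptions made for the example.

```python
"""Added example (not 1Password's code): per-item encryption in a local SQLite
store with a keyed domain index that is searchable without decryption."""
import hashlib
import hmac
import json
import os
import sqlite3
from urllib.parse import urlsplit

# Constructed demo key. A real vault derives this from the master password;
# it is a fixed constant here only so the example runs offline.
MASTER_KEY = b"\x2a" * 32


def subkey(label: bytes) -> bytes:
    """Derive purpose-specific keys so the index, overview and details are
    protected under different keys (assumed layout, not 1Password's)."""
    return hmac.new(MASTER_KEY, label, hashlib.sha256).digest()


INDEX_KEY = subkey(b"domain-index")
OVERVIEW_KEY = subkey(b"overview")
DETAILS_KEY = subkey(b"details")


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC with an HMAC-SHA256 keystream; output is nonce || ct || tag.
    Stdlib stand-in for a real AEAD such as AES-GCM, chosen so the example has
    no dependencies; it is not a recommendation."""
    nonce = os.urandom(16)
    ct = bytes(p ^ s for p, s in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("item failed authentication")
    return bytes(c ^ s for c, s in zip(ct, _keystream(key, nonce, len(ct))))


def domain_hash(url: str) -> bytes:
    """Keyed hash of the item's host. Stored in the clear so a lookup needs no
    decryption; keyed so a copied database cannot be matched against a list of
    popular sites. Host normalisation (lowercase, drop 'www.') is an assumption."""
    host = (urlsplit(url).hostname or "").lower()
    if host.startswith("www."):
        host = host[4:]
    return hmac.new(INDEX_KEY, host.encode(), hashlib.sha256).digest()


def open_store() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE items (id INTEGER PRIMARY KEY, domain_hash BLOB NOT NULL, "
        "overview BLOB NOT NULL, details BLOB NOT NULL)"
    )
    conn.execute("CREATE INDEX items_domain ON items(domain_hash)")
    return conn


def add_item(conn, title: str, url: str, username: str, password: str) -> int:
    """Overview (title, URL) and details (credentials) are encrypted as separate
    blobs, so matching can show candidates without ever touching the password."""
    overview = json.dumps({"title": title, "url": url}).encode()
    details = json.dumps({"username": username, "password": password}).encode()
    cur = conn.execute(
        "INSERT INTO items (domain_hash, overview, details) VALUES (?, ?, ?)",
        (domain_hash(url), encrypt(OVERVIEW_KEY, overview), encrypt(DETAILS_KEY, details)),
    )
    return cur.lastrowid


def match_overviews(conn, page_url: str) -> list:
    """Stage 1 and 2: find candidates by hash, decrypt only their overviews."""
    rows = conn.execute(
        "SELECT id, overview FROM items WHERE domain_hash = ?", (domain_hash(page_url),)
    ).fetchall()
    return [(item_id, json.loads(decrypt(OVERVIEW_KEY, blob))) for item_id, blob in rows]


def reveal(conn, item_id: int) -> dict:
    """Stage 3: only when the user picks an item are its details decrypted."""
    (blob,) = conn.execute("SELECT details FROM items WHERE id = ?", (item_id,)).fetchone()
    return json.loads(decrypt(DETAILS_KEY, blob))


def raw_row(conn, item_id: int) -> bytes:
    """What someone reading the SQLite file directly sees for one item."""
    row = conn.execute(
        "SELECT domain_hash, overview, details FROM items WHERE id = ?", (item_id,)
    ).fetchone()
    return b"".join(row)


if __name__ == "__main__":
    db = open_store()
    add_item(db, "Example login", "https://www.example.com/login", "carl", "hunter2")
    add_item(db, "Other site", "https://other.example.net/", "carl", "s3cret")
    for item_id, ov in match_overviews(db, "https://example.com/account"):
        print(item_id, ov["title"], "->", reveal(db, item_id)["username"])
```

Two points a practitioner will want to check against any real implementation of this scheme: the reply says "cryptographic hashes of the domain" without saying whether they are keyed, and an unkeyed hash of a hostname is trivially reversed from a list of common sites, which is why the example keys the index with HMAC; and because the index hash is stored in the clear, someone with the file can still see how many items exist and which ones share a host even when they cannot name the host.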
  • CarlCarl Just Me
    khad wrote:

    This is a great question — or, rather, set of questions — Carl!

    ...

    Thanks for asking about this. Please let me know if you have any other questions.

    Cheers,


    Thanks for the great response.

    Should I be seeing 2 database files?


    [email protected] 1 Carl Carl 2125824 Dec 12 13:40 0000000000000001.db
    com.apple.quarantine 38

    [email protected] 1 Carl Carl 2152448 Oct 12 23:44 0000000000000002.db
    com.apple.quarantine 38

    It looks like #2 hasn't been touched in awhile.

    Also, you may want to update the link you give for the diagnostics:

    http://help.agilebits.com/1Password3/diagnostics_report.html

    as it doesn't appear to have the info about needing to download and run the 1Password Troubleshooting app for MAS installs.

    However, this one covers it fine:

    http://support.agilebits.com/kb/troubleshooting/create-a-diagnostics-report-to-help-agilebits-help-you
  • khadkhad Social Choreographer

    Team Member
    Thanks for the great response.

    No problem at all. I'm glad I could help. :)

    Regarding your duplicate database files, I would suggest removing the extension, quitting 1Password and Safari, moving ~/Library/Safari/Databases to the trash, and then reinstall the extension.

    …it doesn't appear to have the info about needing to download and run the 1Password Troubleshooting app for MAS installs.

    We're working to consolidate some documentation, but this bit from the aforelinked section of the User Guide works just fine for MAS installations:
    3. Download and run a network copy of the Diagnostics Report tool. Using your browser, please download a small standalone tool from our site to run a network copy of the Diagnostics Report procedure.
  • CarlCarl Just Me
    khad wrote:

    No problem at all. I'm glad I could help. :)

    Regarding your duplicate database files, I would suggest removing the extension, quitting 1Password and Safari, moving ~/Library/Safari/Databases to the trash, and then reinstall the extension.




    Did that and now I have:

    0000000000000002.db and 0000000000000005.db

    :)
This discussion has been closed.