Bravo for including situations such as eBay's into Watchtower. I know this is what you had in mind when you built the service out the way you did.
I'm concerned though that Watchtower could become a case of the boy who cried wolf: according to the Watchtower web site, eBay's got a new certificate that's good for only a few weeks. A similar situation with Google: they got a new certificate and seemingly for no other reason popped back up in my Watchtower listing… and their new certificate is only good for a few months. Google had a new problem/concern/hack? — that would be news to me. I didn't know that getting a replacement certificate was a sign of a site weakness at all, but instead something that happens all the time. Will sites getting new certificates for no other reason than expiring ones become a regular thing to see in the Watchtower listing? If so, I think we'll become numbed by the "noise" and not spot sites there that truly are in need of a password reset.
Please tell us more about what factors and actions would cause a site to appear in the listing, and what we can do to stay focused on the prize: keeping safe on those sites without unnecessary work.
I just wanted to let you know that I've asked @jpgoldberg to pop in here to offer his thoughts. He can answer your questions a lot better than I could.
I'm not trying to "pile on", but as evidence confirming my fear that this is getting unwieldy I found items in the Watchtower list today for even more sites that have recently renewed/changed their certificates: www.healthcare.gov, ifttt.com and www.mycokerewards.com. Changing my passwords on those sites again isn't necessary at all (from a security standpoint) as far as I can tell, yet there they are vying for my attention in a prominent place in the application.
I know that I could turn off Watchtower since I have already dealt with Heartbleed changes. That seems to be too aggressive, as I want to know about new site issues where my password isn't safe any longer.
I hope there's some middle ground here where Watchtower won't be causing more work than it is worth and we stop looking to it at all.
Hi Megan - are we going to hear from jpgoldberg?
Sorry for the delay. It's been super busy around here with the launch of 1Password 4 for Android, the team being at WWDC, and version 4.2 of the extension being released even before all that. No excuses, but I hope you can forgive us for the delay. I've pinged @jpgoldberg about this again, as I suspect it fell through the cracks with all the goings-on lately.
Hi, Marty and mw.
I'm not @jpgoldberg of course, but I can tell you that we have definitely seen this problem in Watchtower and will be working to resolve it. Watchtower was a super fast response to Heartbleed, so we're taking time now to rebuild it to be better and more versatile.
Given the potential I see in it, I want Watchtower to be the best it can be, as well. If you can either tell us why certificate renewals somehow constitute an issue we should be concerned with day-to-day, or have Watchtower not be concerned with them if we shouldn't be... that will be what we need.
It may not be the highest in the team's priority list, but the sooner this "rebuild" can be completed the less we'll have to ignore these stories about a wolf.
Indeed. You're absolutely correct, Marty. I think @jpgoldberg is pretty swamped at the moment, so I wanted to share a bit more (partially from him).
It sounds like the main issue you're seeing is that Watchtower does not currently keep track of historical data for certificate change dates. Google/Gmail updated certificates on May 22. They were updated before Heartbleed was publicly known, updated again on May 7 and then updated on May 22. Watchtower only sees the most recent update, and we're working to improve how this is handled in an update. As I'm sure you can imagine, I don't have a time frame but it is definitely on the list.
The goal is absolutely to have all wolf stories verified and accurate.
One of the huge difficulties with Heartbleed advice is that there are so many uncertainties in drawing conclusions from the information we could readily test. But in addition to that, as we see with the Google case, Watchtower certainly could be smarter than it actually is.
Indeed, there are loads of ways that it could be made substantially smarter. We actually have historical data of a scan of 10000 websites on April 8 that could be integrated in to help better identify things that "were vulnerable" but now fixed. We also have gigabytes of data of certificate fingerprints from February 2014 and before that can be used to identify certificates that were rekeyed even if their "valid from" dates remained the same.
But our development focus on Watchtower is toward the future, and away from Heartbleed. The kind of database we need to build and maintain for Heartbleed is very different from the kind of database we need to build and maintain for providing the most helpful advice and user experience.
Of course one (much needed) feature for both is the ability for an individual to mark something "clear". Now, all you can do is change your password for the site within 1Password and then change it back again. This is something that we need to provide better support for.
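To make the history point above concrete (Watchtower only seeing the latest certificate, and fingerprints revealing a rekey whose "valid from" date did not move), here is an added example in Python. It is not Watchtower's code and not from AgileBits; the observation dates, fingerprints, the 30-day "routine renewal" window and all function names are my own constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Public disclosure date of Heartbleed (CVE-2014-0160).
DISCLOSURE = date(2014, 4, 7)
# Assumed threshold: a new certificate appearing within this many days of the
# old one's expiry is treated as a routine renewal, not an unscheduled swap.
RENEWAL_WINDOW = timedelta(days=30)


@dataclass(frozen=True)
class CertObservation:
    """One scan result for a site: when it was seen and what certificate it served."""
    observed: date
    fingerprint: str   # hash of the served certificate (constructed values below)
    not_before: date   # certificate "valid from"
    not_after: date    # certificate "valid to"


def replacements(history):
    """Return (old, new) pairs where the served certificate's fingerprint changed."""
    ordered = sorted(history, key=lambda o: o.observed)
    return [(old, new) for old, new in zip(ordered, ordered[1:])
            if old.fingerprint != new.fingerprint]


def classify(old, new):
    """Label one replacement using only data the scanner already holds."""
    if (old.not_before, old.not_after) == (new.not_before, new.not_after):
        # Same validity dates, different fingerprint: rekeyed in place.
        return "rekeyed-same-validity"
    if old.not_after - new.observed <= RENEWAL_WINDOW:
        return "routine-renewal"
    return "early-replacement"


def latest_only_alerts(history):
    """The naive behaviour: alert every time the newest certificate differs."""
    return [new.observed for _, new in replacements(history)]


def valid_from_only_alerts(history):
    """Alerting on 'valid from' changes alone misses rekeys that keep the dates."""
    return [new.observed for old, new in replacements(history)
            if old.not_before != new.not_before]


def heartbleed_advice(history, vulnerable_at_disclosure):
    """Advice derived from the whole history rather than the latest scan.

    Returns (advice, date_of_first_post_disclosure_replacement_or_None).
    """
    if not vulnerable_at_disclosure:
        return ("no-action", None)
    post = [new.observed for _, new in replacements(history)
            if new.observed >= DISCLOSURE]
    if not post:
        # Site was vulnerable but still serves the old certificate: hold off.
        return ("wait-for-new-certificate", None)
    # One password change after the first post-disclosure swap is enough;
    # later renewals in the history are noise for this purpose.
    return ("change-password-once", post[0])


# Constructed history loosely mirroring the timeline described in the thread:
# a certificate from before disclosure, a swap in May, a rekey that kept its
# validity dates, and a later routine renewal close to expiry.
HISTORY = [
    CertObservation(date(2014, 3, 20), "aa11", date(2014, 3, 12), date(2014, 6, 10)),
    CertObservation(date(2014, 5, 7),  "bb22", date(2014, 5, 6),  date(2014, 8, 4)),
    CertObservation(date(2014, 5, 22), "cc33", date(2014, 5, 6),  date(2014, 8, 4)),
    CertObservation(date(2014, 7, 20), "dd44", date(2014, 7, 18), date(2014, 10, 16)),
]


def report(history, vulnerable_at_disclosure=True):
    """Per-replacement labels plus the overall advice for one site."""
    labels = [classify(old, new) for old, new in replacements(history)]
    return labels, heartbleed_advice(history, vulnerable_at_disclosure)


if __name__ == "__main__":
    labels, advice = report(HISTORY)
    print("naive alerts:", latest_only_alerts(HISTORY))
    print("valid-from-only alerts:", valid_from_only_alerts(HISTORY))
    print("labels:", labels)
    print("advice:", advice)
```

Run as-is, the naive view raises three alerts for this site, the valid-from check silently misses the May 22 rekey, and the history-aware advice collapses to a single "change your password once" dated to the first post-disclosure swap.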
Thanks for catching your breath from WWDC, etc. and weighing in, @jpgoldberg.
One of my initial wonderings remains unanswered: as it is currently implemented, Watchtower has recently listed sites that appear to have simply gone through "normal" certificate renewals. My question: is that kind of event anything that we should ever be concerned about from a security point of view? Or was this certificate date test just a means to an end specific to Watchtower's handling of Heartbleed that continues to be treated as something suspicious in nature—even though it isn't?
I'd prefer to not need a way to "clear" items at all if there isn't a risk to begin with.
As always you ask questions that actually go fairly deep. The short answer is that sites replace certificates all of the time, and in general it should not be considered an indication of any problem. It's routine, and signifies little.
In the weeks following Heartbleed a replaced certificate is taken to mean replacing a potentially compromised certificate. But outside of the context of Heartbleed, replacing compromised certificates is only one of many reasons why a certificate might be replaced.
In the other direction, a replaced certificate can be part of an attack. If we look at the MITM attack against Iranians talking to Google a few years ago, the attackers (presumably the government of Iran) acquired a valid, but bogus certificate for gmail. It was first discovered because the Chrome browser actually hardcodes a list of Google certificates instead of trusting the whole certificate trust mechanism.
The overwhelming majority of certificate replacements will be innocuous. Some might be to replace a potentially compromised certificate. Some might even be part of an attack by a network operator who was able to obtain a bogus certificate. Even if we were to make Watchtower much much smarter, I doubt we could build up heuristics that would be able to distinguish among those. So once we move past Heartbleed, I expect that we will not be looking at certificate replacement times.
Awesome explanation and reinforcement of my own understanding about certificate renewals, @jpgoldberg.
There's a reason you are called the "Defender Against the Dark Arts". ^:)^
I think the ability to dismiss notifications would be nice. Like Google for instance. I think the end user should be able to go in, click edit, and dismiss or change their password if they deem fit.
Thanks so much for adding your feedback here! We're considering this option, and I'd be happy to add your vote to the feature request in our issue tracker.