Different Watchtower/Heartbleed results between Mac & Windows

Dr. Loomis
Community Member

I have 1Password 5.3 (Mac App Store) installed in OS X 10.10.3 and 1Password 4.3.1.560 installed in the Windows 7 Boot Camp partition of the same Mac.

I sync my vault via Dropbox, and it's syncing properly between the two OSes.

Anyway, I noticed something weird: in the Mac app, Watchtower shows no vulnerable logins. In the Windows app, however, it shows 6 Watchtower vulnerabilities and 2 Heartbleed vulnerabilities.

That seems pretty weird. Why do the two apps have different criteria and/or databases that report different things on the same vault?

Comments

  • Andrew_AG
    1Password Alumni

    I recently had somebody email me with a similar issue that I had to run by one of our devs, and he replied with this information, which I suspect might clear things up (but let us know if it doesn't):

    For the domains in question, is there a subdomain in the URL?

    If so, I suspect the issue lies in a subtle difference in the way 1Password for Mac and Windows query Watchtower for vulnerability information.

    The Mac first checks the full domain with all subdomains to see if there is an entry in the Watchtower database. If there is no entry, it falls back to checking just the main domain.

    For example:
    launchpad.37signals.com was never vulnerable to Heartbleed, but 37signals.com was.

    http://watchtower.agilebits.com/check?h=launchpad.37signals.com&port=443
    http://watchtower.agilebits.com/check?h=37signals.com&port=443

    So, on my Mac, my login with URL https://launchpad.37signals.com/campfire/signin does not show as being vulnerable in Watchtower. This same login on my PC shows as being vulnerable. I believe the plan is to update Windows with the same logic in the future.

  • Dr. Loomis
    Community Member

    So, in short, does that mean that the Windows results are false positives, or that the Mac is missing legitimate threats?

  • Andrew_AG
    1Password Alumni

    It would be the Windows results that are false positives. I'm told we are looking into making the Windows Watchtower code closer to the Mac Watchtower code, but I can't say for certain when that will be.

This discussion has been closed.
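
The two lookup orders discussed in this thread, as an added Python example that is not 1Password's code and not part of the original posts. The database contents, the function names, the "main domain only" behaviour attributed to Windows, and the last-two-labels rule for finding the main domain are all assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Constructed stand-in for the Watchtower database: host -> vulnerable?
# A host that is absent has no entry at all.
SAMPLE_DB = {
    "launchpad.37signals.com": False,  # has its own entry, never vulnerable
    "37signals.com": True,             # main domain was vulnerable
}

def _host(url):
    """Hostname of a login URL, normalised, or None if there is none."""
    host = urlsplit(url).hostname
    return host.rstrip(".") if host else None

def main_domain(host):
    """Naive main domain: the last two labels. Assumption: production code
    needs the Public Suffix List to handle suffixes such as co.uk."""
    return ".".join(host.split(".")[-2:])

def check_full_then_fallback(url, db):
    """Order described for the Mac app: full host first, then main domain.
    Returns (matched_host, vulnerable) or None when nothing matches."""
    host = _host(url)
    if host is None:
        return None
    for candidate in (host, main_domain(host)):
        if candidate in db:
            return candidate, db[candidate]
    return None

def check_main_only(url, db):
    """Assumed Windows behaviour: only the main domain is looked up."""
    host = _host(url)
    if host is None:
        return None
    parent = main_domain(host)
    return (parent, db[parent]) if parent in db else None

def disagreements(urls, db):
    """Login URLs for which the two strategies return different verdicts."""
    return [u for u in urls
            if check_full_then_fallback(u, db) != check_main_only(u, db)]
```

Only logins whose subdomain has its own database entry can differ between the two strategies; a subdomain with no entry inherits the main domain's verdict under both.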