Cloudbleed (for v4.x)

mia
Community Member
edited February 2017 in 1Password 4 for Windows

Is it possible to integrate the list of Cloudbleed in 1Password 4.x like you guys did for Heartbleed?

See pic: http://i.imgur.com/Ag0Flue.png

EDIT: Here's the full list of sites affected:
https://github.com/pirate/sites-using-cloudflare/blob/master/README.md


1Password Version: http://i.imgur.com/Ag0Flue.png
Extension Version: Not Provided
OS Version: Not Provided
Sync Type: Not Provided

Comments

  • AGAlumB
    1Password Alumni

    @mia: Since Watchtower is part of our web infrastructure, it doesn't actually require an update to the apps. We've already added a number of sites that were affected by the CloudFlare vulnerability, and we're working to add more as we get confirmation. So you won't have to do anything to benefit from updates there. Thanks for bringing this up! :)

  • Ben Howard
    Community Member

    Why can't you just add all of the sites listed on that GitHub page? I, for one, would much rather be prompted to change any password I have connected to any site that may have been affected than to wait for anyone to go through some kind of vetting process. As it stands now, some of the ones listed in the Notable sites section on that page aren't even presented in Watchtower (curse.com & related sites being the first I noticed).

    Why not just add them all?

  • Hi @Ben Howard,

    Because it is not a reliable list; even the page said so:

    "This list contains all domains that use Cloudflare DNS, not just the Cloudflare proxy (the affected service that leaked data). It's a broad sweeping list that includes everything. Just because a domain is on the list does not mean the site is compromised, and sites may be compromised that do not appear on this list."

    We might as well mark all sites in your 1Password database because the entire Internet would be blacklisted by this list. Nearly four million domains were affected, but to what degree, no one knows.

  • Ben Howard
    Community Member

    That is fair.

    Just wishing all this stuff wasn't so time-consuming (or that there were standards in place whereby I could click a button and reset all passwords on every service I use...subtle feature request?!?)

  • Hi @Ben Howard,

    "(or that there were standards in place whereby I could click a button and reset all passwords on every service I use...subtle feature request?!?)"

    Oh buddy, how I wish this existed. Actually, 1Password wouldn't need to exist because you can have a simple app that just randomizes passwords every day based on a passphrase you choose; there wouldn't be any need for a password manager either. After all, password reuse is the biggest problem.

  • Ben Howard
    Community Member

    Someday...put it on the list for Internet v4.0.

    What about a feature (or simplified app) that does what this node.js script does?
    (I got it working but the people who don't understand the serious dangers of all this (my wife, mother, mother-in-law) would not be able to figure all this out.)

  • Hi @Ben Howard,

    We'll look into it, but you are exposing all URLs in clear view, and without analyzing what the code does, it is also risky.

This discussion has been closed.