Security model for extension?

Hello and thank you so much for the work you've done on this extension. It's already making my workflow smoother! I'm interested in understanding/hearing a bit about the security model for the chrome extension. There is no external, helper application as there is for OS X and Windows and so I wonder about how sensitive data flows around in the browser. As a former user of other browser-based password managers (like Lastpass), I recall that the weakest links were often the extension/plugin. In those cases, inadequate segregation of trusted and untrusted code made for a large attack surface while handling sensitive data.

Any thoughts appreciated!
vale


1Password Version: Not Provided
Extension Version: 0.7.7
OS Version: Arch Linux
Sync Type: Not Provided

Comments

  • mkasumkasu

    I mean in the end it probably mostly depends on the implementation.

    A native component might even create a larger attack surface. LastPass has a (optional) native component, and in the latest security breach they even acknowledged that users with the binary component activated were "further susceptible to exploit"[1].

    I think the binary app is usually more a convenience thing used to provide more advanced features (fingerprint scanner, idle detection, etc.) and a better way to manage your data. All-in-all, just based on the number of breaches over the last couple of years I'd probably trust 1P more with my data than, let's say LP. Bugs are possible anywhere, but so far 1P does a great job I think.

    Despite that, it would certainly be interesting to get some insight about the security model.

    1: https://blog.lastpass.com/2017/03/important-security-updates-for-our-users.html/

  • valevale

    Indeed, bugs can occur anywhere ;) And I surely agree that 1P has done a better job than LP---this is why I shifted myself and my family to 1P. The question still stands, though (and I have looked over the lovely white paper[1] :) ).

    [1] https://1password.com/files/1Password for Teams White Paper.pdf

  • beyerbeyer

    Team Member
    edited July 2017

    Good morning, friends!

    I sincerely apologize as I replied to this while some of the team and I were at Gophercon. Unfortunately, the hotel WIFI (plus my VPN for added security) was so bad it didn't publish, so I found my reply as a draft this morning. :(

    I'd like to take a moment and welcome @vale to the 1Password for Chrome beta! I'm delighted to have you as a member of our "beta crew"! Based on your first question here, I can tell you're going to be an asset for us.

    I'm not the best person to answer this question, but I do want to share some information with you while we generate an official white paper or support article that goes in-depth on the security of 1Password for Chrome. If you know AgileBits well, you'll know security is our highest priority. We firmly believe in being open about our data formats and security models to help make them better.

    The Security White Paper you've already linked is a good reference to the security of the 1Password.com service. 1Password for Chrome uses the same reliable, secure, and exhaustively tested APIs we've designed for our other 1Password apps. Additionally, you sign in using the same sign-in page you had before (we aren't recreating the wheel here). Currently, we only cache your 1Password item overview (which doesn't include your passwords) and only in memory. If your computer is compromised, the attacker won't have access to your Master Password (which isn't saved) or your encrypted data. Some changes may be made to our caching, which is a good example of why we don't have an official security related document ready yet.

    Let's talk filling! The real security comes from the way we design all of our browser extensions, which have been and continue to be the most secure on the market. Here's just a short (and not complete) list of steps we take to combat many possible attacks:

    • We purposely avoid auto-filling passwords
    • We don't load code from remote sources
    • We don't use the evil innerHTML and eval
    • We allow the browser itself to parse URLs for us instead of using a fragile regex
    • We use a restrictive content security policy

    An additional benefit to 1Password for Chrome is we don't need to rely on WebSockets or Native Messaging and instead can load the data directly from 1Password.com. It's pretty neat, every time you view the Item details or fill an item we send you an encrypted blob for that item which is then decrypted (on your machine) and displayed/filled.

    Using the Chrome extension architecture, we can compartmentalize our scripts which mean the APIs we are using to fetch data from your account isn't being loaded into the web page you're visiting. This helps prevent malicious code from the website you're visiting or another extension from highjacking our connection and attempting to download items it shouldn't be.

    If you want to dig further into the security of Chrome extensions, the Chrome team has some resources on what other developers and we should do:

    At AgileBits we think and breathe security, and we have people like Jeffrey Goldberg (our Defender Against the Dark Arts) who is always making us all safer. However, we are going to take this one-step further by opening a private Bugcrowd program where select researchers will get the full source code and be able to offer advice and suggestions. This will be similar to our current Bugcrowd program but we strongly believe by providing the full source code our friends will find any issues before we go public.

    I'm going to wrap this up here, Dave and I talked for many hours last week on how 1Password for Chrome works so if you have specific questions please don't hesitate to ask.

    I hope you all have a great week. I'm in Boise watching my Sisters dog so I know I will. <3

    --
    Andrew Beyer (Ann Arbor, MI)
    Lifeline @ AgileBits

  • valevale

    Thank you for your thorough reply, @beyer! Looking forward to hearing more about this as the extension is developed.
    -vale

  • beyerbeyer

    Team Member

    @vale: You're very welcome! We will be sure to keep you updated. I think you'll love some of the changes we are working on.

    --
    Andrew Beyer (Ann Arbor, MI)
    Lifeline @ AgileBits

This discussion has been closed.