Security of the 1password.com account creation process

Comments

  • jpgoldberg
    1Password Alumni

    Hi @dtauerbach!

    You are spot on correct when you say

    [A] compromised server could send malicious Javascript which would just send back plaintext passwords to the server, even without the knowledge of the 1Password team (if an upstream CDN, say, is compromised).

    As long as we are delivering a client into a web browser, we have this problem. There are a couple of things we can do to make such attacks harder, but in general we are stuck with this problem as long as we have a sign in process within a web browser.

    I'd love to say that we have a convincing solution to this (and related problems). We have things that we have done (very strict TLS settings, for example), and there are things that we can do (automate our own testing to see that what is delivered from the website is what we know it should be) along with expanded use of subresource integrity. But these don't eliminate those avenues of attack, they just make the attacker have to work a bit harder.

    One specific concern we have about the sort of attack you describe is if the attack is directed at a particular IP address. We can test that when we fetch the web-client from the server we get what we expect. But if an attack of the sort you describe is targeted, it might deliver a malicious client to just a small range of IP addresses and only during a short period of time. We have no way to detect that. An analogous attack trying to deliver a malicious native client would require not only a compromise of the delivery host, but also of our code-signing process (as well as the additional complexity of creating a malicious native client versus changing a small bit of JavaScript).

    Ideally, we should have code signed native clients for everything, including the sign up process. And we are working in that direction. But not only is this a process, it is a slow process. I would love to be able to promise some dates or quick action, but progress is going to take considerable time.

    I really really wish I had a nicer answer for you. You are asking the right questions, and you have to make your choice based on what is available now. Your concern is completely legitimate, but it is up to you to weigh the risks considering your own assessment of the threats against you and the attacks you realistically may face.
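
The two mitigations named in the comment above (checking that what the website delivers is what it should be, and subresource integrity) can be sketched as follows; this is an added example, not part of the original post and not 1Password's code. It computes SRI tokens at build time and audits a fetched copy of the web client against that manifest. The function names, file paths and sample bytes are all constructed for illustration.

```python
import base64
import hashlib

# SRI strength order: when several algorithms are listed, only the strongest counts.
_STRENGTH = {"sha256": 1, "sha384": 2, "sha512": 3}

def sri_digest(body: bytes, alg: str = "sha384") -> str:
    """Return the SRI token ("alg-base64digest") for the given bytes."""
    digest = hashlib.new(alg, body).digest()
    return f"{alg}-{base64.b64encode(digest).decode('ascii')}"

def sri_matches(body: bytes, integrity: str) -> bool:
    """Check bytes against an integrity attribute value (strongest listed algorithm wins)."""
    tokens = []
    for item in integrity.split():
        alg, sep, rest = item.partition("-")
        if sep and alg in _STRENGTH:
            tokens.append((alg, rest.split("?", 1)[0]))  # drop ?options
    if not tokens:
        return False  # unlike a browser, a monitor should fail closed on empty metadata
    strongest = max(_STRENGTH[alg] for alg, _ in tokens)
    return any(
        sri_digest(body, alg) == f"{alg}-{value}"
        for alg, value in tokens if _STRENGTH[alg] == strongest
    )

def audit_delivery(manifest: dict, delivered: dict) -> list:
    """Compare what was served against the release manifest; return findings."""
    findings = []
    for path, integrity in sorted(manifest.items()):
        if path not in delivered:
            findings.append((path, "missing"))
        elif not sri_matches(delivered[path], integrity):
            findings.append((path, "hash mismatch"))
    for path in sorted(set(delivered) - set(manifest)):
        findings.append((path, "not in manifest"))
    return findings

# Constructed sample data: a build-time manifest and two fetches of the same site.
BUILD = {"/js/app.js": b"signIn(deriveKey(password));\n"}
MANIFEST = {p: sri_digest(b) for p, b in BUILD.items()}
CLEAN_FETCH = dict(BUILD)
TAMPERED_FETCH = {"/js/app.js": BUILD["/js/app.js"] + b"// modified in transit\n",
                  "/js/extra.js": b"// unexpected file\n"}

if __name__ == "__main__":
    print(audit_delivery(MANIFEST, CLEAN_FETCH))
    print(audit_delivery(MANIFEST, TAMPERED_FETCH))
```

An audit like this only covers the responses the monitoring host itself received, which is the limitation the comment describes for delivery targeted at a small range of IP addresses.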

This discussion has been closed.