Disable browser code signature verification [not supported]

vifi
vifi
Community Member
edited August 2019 in 1Password 4 for Windows

How can I disable browser code signature verification in windows client? The setting menu are completely different and has lots of less options than in macOS version.


1Password Version: Newest
Extension Version: Not Provided
OS Version: Win 10
Sync Type: Not Provided

Comments

  • Hi @vifi,

    Thanks for reporting this.

    1Password 6 for Windows is basically a new program, it will take some time for us to catch up to the 1Password 6 for macOS that has been around for more than 3-4 years.

    You cannot disable the code signature check at the moment, this is a security risk and we may not add this option. We may look into a different alternative to this but we don't have an ETA on this. The macOS app may have go this way as well.

  • mikeabel
    mikeabel
    Community Member

    Hi, i'm very disappointed that the option 'Verify browser code signature' is now missing (using vers. 6.8.2 on macosx). I understand that it is a security risk but the alternative is to send user data to google (use firefox for a different case)? I don't unterstand how a software should patronise me like that. Hope you change this behavior in comming versions.

  • MikeT
    edited October 2017

    Hi @mikeabel,

    I'm sorry you feel that way and we are trying to find a better solution for this. We take security of every input/out of 1Password very seriously.

    Just to be clear, we're not talking about just any unverified browsers. We're talking about any (real or fake) 1Password extension in any apps, including malware that could infiltrate 1Password like this. And yes, there is a good chance in the future, even verified code signatures could be compromised meaning that Firefox/Chrome could be compromised resulting into 1Password being compromised as well.

    Until we figure out a better solution than that global option to disable all protections into 1Password, we're not going to change this. We do understand it should be optional and up to you but at the same time, it is our responsibility to make sure the product does what it advertised, protect your data.

    Originally, we were going to look into adding this global setting like I suggested a while ago but new threats has been developed or evolved that has changed our minds for the moment and focus on a different solution.

  • Sebastian Tänzer
    Sebastian Tänzer
    Community Member

    I came here looking for a way to disable code signature verification, too. As a developer I'm using Chromium to test some things and lately because of an annoying mouse click bug on MacOS with the latest non-beta Chrome.

    1Password extension is not working in Chromium and there's no way to get this working from what I see.

    How do I get 1Password to work in Chromium?

  • Greg
    Greg
    1Password Alumni

    Hi there @Sebastian Tänzer,

    Could you please specify what platform are you using 1Password on, Mac or Windows? Thanks!

  • Sebastian Tänzer
    Sebastian Tänzer
    Community Member

    Hey Greg, thanks for the reply. I'm on MacOS High Sierra. Any way to use 1Password in Chromium (which is not signed). I'm aware of the security implications of this.

  • Greg
    Greg
    1Password Alumni

    Hi @Sebastian Tänzer,

    Thank you for the clarification! :+1:

    1Password's new messaging system (starting with 6.8 on Mac) requires that applications be codesigned in order to talk to it. This is generally a good thing, because it increases its security. As you understand security is very important to us. However, at the same time it means that some 3rd party developers will need to either start codesigning their apps, or they will not be able to talk to 1Password.

    At the moment 1Password cannot work with Chromium is that Chromium is not a codesigned application. We have some ideas for how we can allow browsers other than The Big Four that 1Password officially supports (Safari, Chrome, Opera, Firefox) or those that 1Password has blessed with code signature whitelisting to connect to 1Password, but I do not have anything specific to share at this point. It is not an easy task to solve and I hope for your understanding.

    I will let the the team know that Chromium is something you use daily. Sorry for the inconvenience in your workflow, and thanks for continuing to use 1Password!

    If you have any additional questions, please feel free to raise them. Thank you!

    Cheers,
    Greg

  • sarasani
    sarasani
    Community Member

    1Password's new messaging system (starting with 6.8 on Mac) requires that applications be codesigned in order to talk to it.

    @Greg Could you please tell me whether that means that I can disable code signature verification again after downgrading to 1password 6.7.x?

  • Hi @sarasani,

    You could but it is not recommended and it will stop working eventually.

    We will be removing WebSocket support in future 1Password extension updates, so even 6.7 will not work anymore without Native Messaging support.

  • zxmon21
    zxmon21
    Community Member

    Hi, I'm trying out the 1Password account on my corporate Windows 7 computer.

    My corp has installed Chrome as default browser, and disabled installation of any extensions (and even disabled saving passwords).

    I'm lucky to have admin rights, so I have installed Chromium, and use it as my everyday browser. It saves passwords to Google, but I'm aware that I'm using a bunch of compromised passwords.

    When I installed the 1Password app and Chromium plugin, 1Password refuses the connection attempt ("not code-signed").

    So it looks like I'm stuck between several people making decisions for me. All think they have security in mind. As a result I'm left unable to use a good solution like 1Password.

    Damn, that sucks.

    Please take your users needs seriously. There are situations (developers, me, others?) where e.g. Chromium on Windows is the only option. There's no need to shut us out...

  • AGAlumB
    AGAlumB
    1Password Alumni

    Not only do we want to avoid having 1Password sending sensitive data to just any app (which is what you're asking for, effectively), I'm also not sure we want to put ourselves in the position of helping you circumvent company restrictions. If it's their machine, it's their call, even if we disagree with it. How about your own?

  • As an FYI to all here, 1Password X will work in Chromium and is available across all platforms to anyone with a 1Password membership. Yes, this is the 1Password 4 for Windows category in the forum, and 1Password 4 only supports standalone vaults, but folks have hopped in here from all sorts of ecosystems so I figured it's worth mentioning. One of the many goals with 1Password X was to expand support to as many browsers as possible, niche, unsigned and otherwise and in the case of many Chromium-based browsers, it's a great option when the companion extension won't work in your browser of choice. :+1:

This discussion has been closed.