Rich Icons now in 1Password


Comments

  • stevefal
    Community Member

    So I figure that cloudfront can tabulate all the icons fetched by one ip address and thereby know the sites that address has logins for.

    Or they can watch for fetches for one icon and compile a list of IPs with logins for that site.

  • AGAlumB
    1Password Alumni

    @stevefal: IP addresses are not personally identifiable (even location-matching often is inaccurate), and 1Password isn't collecting or transmitting identifiers that would make you or I stand out, to connect one image request to another. So that covers "Or they can watch for fetches for one icon and compile a list of IPs with logins for that site." But can you elaborate on what you mean by "cloudfront can tabulate all the icons fetched by one ip address and thereby know the sites that address has logins for"? 1Password isn't sending login URLs to fetch images, only requests for the URLs of the images themselves — no different than when your browser requests any file over HTTPS.

  • stevefal
    Community Member

    @brenty: Regarding: "IP addresses are not personally identifiable (even location-matching often is inaccurate), and 1Password isn't collecting or transmitting identifiers that would make you or I stand out, to connect one image request to another. So that covers 'Or they can watch for fetches for one icon and compile a list of IPs with logins for that site.' "

    Despite the attempt to minimize the forensic value of IP addresses, I take this as confirmation that Cloudfront can collect a list of IPs that have a login (proxied by icon URL) to a particular 3rd party service. So for example, if a marketing firm or government agency ordered "all IP addresses that fetch the icon for site XYZ" Cloudfront could provide that, assuming they derived the icon URL associated with the site.

    To elaborate on tabulation, assuming the effort to derive a table of 3rd party services associated with each icon URL, Cloudfront could log all icon fetches for a given IP, and translate those to the 3rd party services for which the IP has a login. E.g., "every site whose icon was fetched by IP x.x.x.x", or "every site whose icon was fetched, for each IP that fetched icons".
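
Added example, not part of any post in this thread and not 1Password or CloudFront code: the two tabulations described in the post above, run over constructed request-log lines. The log layout, the icon paths and the icon-to-site table are assumptions made for illustration.

```python
from collections import defaultdict

# Constructed sample lines: "<timestamp> <client-ip> <request-path>".
# The layout and icon paths are assumptions, not CloudFront's real log
# format or 1Password's real icon URLs. IPs are documentation ranges.
SAMPLE_LOG = """\
2017-08-13T10:00:01Z 192.0.2.10 /icons/a1.png
2017-08-13T10:00:01Z 192.0.2.10 /icons/b2.png
2017-08-13T10:00:02Z 192.0.2.10 /icons/c3.png
2017-08-13T11:30:00Z 198.51.100.7 /icons/a1.png
2017-08-13T12:00:00Z 203.0.113.50 /icons/b2.png
2017-08-13T12:05:00Z 203.0.113.50 /icons/c3.png
2017-08-13T12:05:09Z 203.0.113.50 /other/asset.js
malformed line without enough fields
"""

# Hypothetical icon-path -> site table. The post assumes whoever holds
# the logs has already derived this mapping.
ICON_TO_SITE = {
    "/icons/a1.png": "bank.example",
    "/icons/b2.png": "mail.example",
    "/icons/c3.png": "forum.example",
}

def tabulate(log_text, icon_to_site):
    """Build both views from the post: sites per IP and IPs per site."""
    sites_by_ip = defaultdict(set)
    ips_by_site = defaultdict(set)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue                      # skip lines that do not parse
        _timestamp, ip, path = parts
        site = icon_to_site.get(path)
        if site is None:
            continue                      # not an icon request
        sites_by_ip[ip].add(site)
        ips_by_site[site].add(ip)
    return dict(sites_by_ip), dict(ips_by_site)

if __name__ == "__main__":
    by_ip, by_site = tabulate(SAMPLE_LOG, ICON_TO_SITE)
    # The log keys on the address only: if 203.0.113.50 is a shared
    # egress (NAT or VPN), its set may merge several users' fetches.
    for ip, sites in sorted(by_ip.items()):
        print(ip, sorted(sites))
    for site, ips in sorted(by_site.items()):
        print(site, sorted(ips))
```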

  • Hi @stevefal,

    Yes, technically, anyone who can sniff your traffic and anyone who can breach or lawfully order CloudFront to send in any relevant traffic data from your computer can get a list of all sites you've requested the Rich Icons for.

    If you want to protect your privacy, unfortunately, Rich Icons must be turned off in 1Password.

  • stevefal
    Community Member

    @MikeT, thanks, that was the genesis of my original question. Whereas https://support.1password.com/privacy-rich-icons/ explains in depth how "we" can't collect certain information, it ignores the fact that Cloudfront can collect it, in bulk.

    "We cannot lose, use, or abuse information that we don’t have. Nor do we have to worry about protecting sensitive data if we never have that data to protect."

    Cloudfront's ability to exploit the data for commercial gain, or a sneaky employee or attacker doing so is being neglected, as though AgileBits' CDN provider is not part of the "we" that the customer need not fear. "We", the company(s) that implement the 1Password solution, do have the data.

    "One thing to keep in mind when you make your decision is that someone in a position to capture information from your use of Rich Icons is almost certainly in a position to capture what websites you visit (including when you do so) without enabling Rich Icons. But we think the choice should ultimately be up to you."

    Like the "anyone who can sniff your traffic" point, this quote diverts from the fact that Cloudfront is easily situated to exploit the information. This is not about a spook with a wiretap.

    I think the article is disingenuous in that, contrary to its soothing intent, the feature does make the core information available, in bulk, to Cloudfront and AgileBits, presumably on request. Rather than to evade this fact, I think that the article should make it clear that all of a user's login sites can be derived and associated with their IP address, by means of the rich icon feature.

    Much as you said, "If you want to protect your privacy, unfortunately, Rich Icons must be turned off in 1Password."

    I also think that the feature should be off by default, and the user notified of the risk, with confirmation, before it is ever turned on.

    Why am I going to all this trouble? After reinstalling on Aug 13, I noticed I suddenly had rich icons. No idea how it happened as I always assumed the feature was a privacy gap. But at that point I suspected it had already leaked my information. So I jumped on this thread to confirm my suspicion. I did not expect to debate the vulnerability, just to confirm it or learn otherwise.

    Now that it's confirmed, I think it should be clearly acknowledged, and with better protections implemented.

  • Hi @Stevefal,

    I've filed a new bug report to replicate the welcome setup that the macOS version of 1Password has, where on the initial install it offers the options to turn on, including Rich Icons, Watchtower and other security features, along with links to offer more information on these said features. This will address the privacy concerns by ensuring the users are aware of what's turned on or off before anything happens.

    Thank you for your feedback, it is very helpful.

  • stevefal
    Community Member

    Thanks. Fyi, in my case, I was installing over an existing installation. I don't know if that affects the installation experience. I don't recall any questions or words or warning. It was possibly only an update. What I know for sure is that rich icons was suddenly on without my touching it.

    In either case, I also think a protection should exist post-install, to prevent unintended vulnerability by the same user or another user. If 1Password can be used and configured by another account on the same machine, that's post-install.

    Anyway, thanks again.

  • MikeT
    edited September 2017

    Hi @stevefal,

    There is no welcome setup in 1Password 6 for Windows at the moment, we're still working on implementing the rest of the missing features and polishing the existing features on the way. Right now, Rich Icons is definitely enabled by default without advance knowledge.

    The app settings are stored within your 1Password database, so reinstalling wouldn't require setting up 1Password again. Each separate user would have to go through the same setup on the first install once this is implemented.

    "If 1Password can be used and configured by another account on the same machine, that's post-install."

    It cannot, it is installed to your local profile directory. Your system has to be compromised fully in order for anyone to get access to your 1Password database files. If there is another administrator on your computer, then encryption wouldn't matter as said administrator could just install a silent key logger into your profile and get access to your master password to gain access to everything.

  • AGAlumB
    1Password Alumni
    edited September 2017

    @stevefal: I also wanted to apologize for misunderstanding earlier. Since we don't have any control over what others do, our focus at AgileBits is making sure that we don't collect or store information that could be used to harm 1Password users' privacy (including our own). However, you're right that OS and other software vendors, ISPs and other services, and anyone who is given or gains access to your devices and/or networks can be a weak link here. As such, disabling Rich Icons is the only way to avoid those external risks. I appreciate you taking the time to give us this feedback! We'll see if we can make this reality clearer to users.

  • stevefal
    Community Member

    I just installed 1Password for Android on a new phone, and synced using WLAN sync. Lo and behold, rich icons appeared again. The Android version ignored my preference to forgo rich icons, and neither the installation nor import processes offered any choice on the matter. I was able to turn it off after the fact, but it already happened.

    Were these rich icons fetched from your CDN by the Android app, or were they cached copies already in my vault?

  • AGAlumB
    1Password Alumni

    @stevefal: It's a good question, because they're so often confused. While it sounds like you're referring to Rich Icons, it's possible that you're not, so I'll explain custom icons as well.

    Rich Icons are stored on our server expressly so that the 1Password apps have high quality icons that can be fetched to match our Logins and make them easier to recognize at a glance. These are not user data, and therefore not stored in your vault, so they will need to be downloaded by the app on each device to be present. This is all done anonymously, and you can find more details about this in our knowledgebase:

    How 1Password protects your privacy when downloading icons

    However, this is often confused with custom icons (currently in beta, in version 6.8 of the new Windows app), which you can add yourself when editing an item, are stored in your vault and sync'd to and from other devices. So, even with Rich Icons disabled, if you've added some nice icons yourself, you'll see those show up, which can throw you off if you're not expecting that.

    I hope this helps. Be sure to let me know if you have any other questions! :)

  • stevefal
    Community Member

    I am referring to rich icons. I brought up the issue because it speaks to the same privacy vulnerability we have been discussing earlier in the thread. The Android app does not warn the user that their entire set of logins is being obtusely communicated to AgileBits' CDN before it just goes and does it.

    This is therefore a request that AgileBits make rich icons an opt-in feature in all instances, including a warning that admits it's possible for your CDN, or you via your CDN, to compile a user's login sites by IP address.

  • AGAlumB
    1Password Alumni

    Thanks for clarifying. As referenced above:

    Obviously, in order to connect to a server (and receive a response), they'll have to know the IP address to reach you at. But there's nothing preventing you from using a VPN. I do, and other 1Password users mention it often as well. But again, IP addresses are not personally identifiable (unless you are one of the few who own one, in which case you'd be aware), and while I don't think it's a great user experience to stick checkboxes in users' faces right off the bat during setup, it's certainly something we can consider. Maybe it's something we could have an option for at the account level. Thanks for the feedback!

This discussion has been closed.