Impact of KRACK on 1Password.com users (using WiFi)?

XIII
Community Member

Since we regularly discuss the impact of major leaks here: what is the impact of KRACK on 1Password.com users (using WiFi)?

https://www.krackattacks.com/


1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Sync Type: Not Provided

Comments

  • AlwaysSortaCurious
    Community Member

    That would be interesting, especially since it is probably more pertinent to ask if the desktop and mobile apps tolerate a downgrade from HTTPS to HTTP (the basic transport encryption seems unaffected, it seems the real trick in it is in its ability to force downgrades). The fact that our details are encrypted before transport is probably a very good thing, but the loss of TLS because of a downgrade would be annoying (from the author, "Although websites or apps may use HTTPS as an additional layer of protection, we warn that this extra protection can (still) be bypassed in a worrying number of situations. For example, HTTPS was previously bypassed in non-browser software, in Apple's iOS and OS X, in Android apps, in Android apps again, in banking apps, and even in VPN apps.").

    It's always a game of cat and mouse, I wonder where our cat and mouse are? lol!

  • wkleem
    Community Member

    Using a VPN is a mitigating factor but there are just so many VPNs out there I won't know where to start.

  • AGAlumB
    1Password Alumni

    That would be interesting, especially since it is probably more pertinent to ask if the desktop and mobile apps tolerate a downgrade from HTTPS to HTTP (the basic transport encryption seems unaffected, it seems the real trick in it is in its ability to force downgrades).

    @AlwaysSortaCurious: Downgrades end in rejection. More on that below...

    The fact that our details are encrypted before transport is probably a very good thing, but the loss of TLS because of a downgrade would be annoying (from the author, "Although websites or apps may use HTTPS as an additional layer of protection, we warn that this extra protection can (still) be bypassed in a worrying number of situations. For example, HTTPS was previously bypassed in non-browser software, in Apple's iOS and OS X, in Android apps, in Android apps again, in banking apps, and even in VPN apps.").

    1Password is very intolerant of irregularities in the secure connection (some users have issues with this often due to "security" software or corporate policy). More on layers below...

    It's always a game of cat and mouse, I wonder where our cat and mouse are? lol!

    :lol: :+1:

    Since we regularly discuss the impact of major leaks here: what is the impact of KRACK on 1Password.com users (using WiFi)?

    @XIII: Certainly the belief that Wi-Fi is more secure than the internet is a bit erroneous, and this is just another example of that; it totally depends on the security of what you're using. And, fortunately, 1Password data is end-to-end encrypted, so 1Password simply doesn't depend on the sync service to protect your data. So while 1Password.com is more convenient and secure than what's possible with local vaults, 1Password users are not any worse off because of this — and updating devices will help anyway. iMore also has some great advice for those of us waiting on some vendors. Stay safe out there! :sunglasses: :+1:

    Using a VPN is a mitigating factor but there are just so many VPNs out there I won't know where to start.

    @wkleem: That's a good point. An earlier discussion had some recommendations and links to comparisons. :)

  • wkleem
    Community Member

    Apparently, from the time I spent looking into the matter (VPN), Duo, for which 1Password Teams is an MFA, has been known to break VPNs.

  • AGAlumB
    1Password Alumni

    @wkleem: As you can imagine, we use Duo and 1Password.com here too, and I haven't heard of anyone having issues. For my own part, I've used at least 3 different VPNs in a variety of locations and didn't have any issues with Duo there, apart from a bit of a delay at times getting the push notification. Definitely follow up with Duo if you're having trouble, as they'll know more than we do about how their service might interact with VPNs, but I thought I'd at least share my experience.

  • wkleem
    Community Member
    edited October 2017

    @brenty

    Thanks for the input. If you want to read further, here is something from Duo:

    https://help.duo.com/s/article/2051?language=en_US

    "We've received reports from customers that when PIA-VPN is installed on an iOS device, the device is unable to receive push notifications over WiFi. If you have PIA-VPN installed and need to use Push for authentications over WiFi, F-Secure Freedome is an alternative that has been confirmed to work with Push notifications regardless of cellular network settings. "

    Glad everything is working for you, and hopefully everyone else.

    Apparently, from the time I spent looking into the matter (VPN), Duo, for which 1Password Teams is an MFA, has been known to break VPNs.

    It's more apt to say the VPN breaks Duo? :)

  • XIII
    Community Member

    I don't use it myself, but Wi-Fi sync of local vaults is also still safe?

  • AlwaysSortaCurious
    Community Member

    @brenty @wkleem I use Duo for other things, PIA breaks the push. Just discovered it. It has to do with the certificate not being recognized as valid by Duo. I'm not sure which certificate it's referring to as I'm sure there are a few. Duo also breaks if IPs change in the middle of the conversation between its RADIUS server (proxy) and its cloud. It thinks that the conversation has been hijacked. If the conversation initiates from one IP but the connection then comes from another IP it breaks, like when behind a load balancer with round-robin NIC cards.

    @XIII Imagine Wi-Fi is Wi-Fi; whether it's to a local source or not, it depends who's listening or trying to intercept your traffic. But I can't speak to what defenses the older products have.

  • AGAlumB
    1Password Alumni

    It's more apt to say the VPN breaks Duo? :)

    @wkleem: Haha perhaps in some cases! :lol:

    I don't use it myself, but Wi-Fi sync of local vaults is also still safe?

    @XIII: Yes. I sort of covered that above, but I should have been more explicit. However, I would take precautions for pretty much anything else, unless you're certain that the data and connection are secured separately from WPA2.

    I use Duo for other things, PIA breaks the push. Just discovered it. It has to do with the certificate not being recognized as valid by Duo. I'm not sure which certificate it's referring to as I'm sure there are a few. Duo also breaks if IPs change in the middle of the conversation between its RADIUS server (proxy) and its cloud. It thinks that the conversation has been hijacked. If the conversation initiates from one IP but the connection then comes from another IP it breaks, like when behind a load balancer with round-robin NIC cards.

    @AlwaysSortaCurious: That's good to know. I don't remember why since I've got so many other options, but I almost subscribed to their service recently. I've heard good things about them otherwise, but that would be a dealbreaker for me. Makes sense though that that kind of setup could cause some issues.

  • wkleem
    Community Member
    edited October 2017

    That discussion on VPNs is now locked but nobody discussed Duo compatibility then. How likely is Duo - 1Password -VPN issue to manifest itself? Any recommendations?

    Wrt KRACK, which VPN mitigates it?

  • wkleem
    Community Member
    edited October 2017

    Apple's Airport Extreme and Time Capsules are unaffected by KRACK so it would appear safe to use their wifi. Patches for the latest iOS, macOS betas etc are being tested now and will be out when they are stable.

  • prime
    Community Member

    @wkleem I read from a few sources about the Apple routers and they said “unknown”. When I get home, I’ll try and look. With iOS, it gets me that Apple sent 3 bug fixes in 16 days, but can’t release this one now. This is a big issue, and if they have it, it should be released now.

  • prime
    Community Member

    @wkleem I can’t find the article that said “not sure”, but this one says “don't seem to be vulnerable to the exploit“. I’m sorry, “don’t seem” doesn’t make me all fuzzy inside.

  • AGAlumB
    1Password Alumni

    @prime: The confusing thing about this is that routers are unaffected in the strictest sense. This attack is against clients, so unless your router is operating as a client (e.g. in bridge mode*), that won't be an issue. However, there are a LOT of devices out there (especially IoT stuff...) that are going to take a while to get patched (and perhaps not at all). :(

    *From what I understand from the report, the lack of vulnerability in Apple routers is referring to operating in bridge mode. This is apparently due to them not following the spec strictly, and thus not being vulnerable to the same sort of attack that others are.

    That discussion on VPNs is now locked but nobody discussed Duo compatibility then. How likely is Duo - 1Password -VPN issue to manifest itself? Any recommendations?

    @wkleem: Indeed, you and AlwaysSortaCurious are the only reports I've seen of issues with Duo and VPNs, which is a bit surprising given many companies (which would tend to use 1Password Teams, and potentially Pro accounts with Duo integration) use VPNs. Perhaps there's something different about some consumer VPN setups. :unamused:

  • AGAlumB
    1Password Alumni

    I read from a few sources about the Apple routers and they said “unknown”. When I get home, I’ll try and look. With iOS, it gets me that Apple sent 3 bug fixes in 16 days, but can’t release this one now. This is a big issue, and if they have it, it should be released now.

    @prime: I missed this earlier. Good point. I do, however, feel like, compared to the relative insignificance of the previous updates, I'm okay with Apple taking more time to test this. Wi-Fi is critical. Sooner is better than later, but only if sooner doesn't make things worse. It is, however, available in the current public beta, so that's some consolation given that it's available to users, and that also it shouldn't be too long.

  • wkleem
    Community Member

    @brenty, I thought it best to highlight potential issues. I suppose it's all trial and error in choosing a suitable consumer VPN.

  • wkleem
    Community Member

    Further info from Ars. It is easier than the original report indicates:

    https://arstechnica.com/information-technology/2017/10/how-the-krack-attack-destroys-nearly-all-wi-fi-security/

  • prime
    Community Member
    edited October 2017

    The confusing thing about this is that routers are unaffected in the strictest sense.

    @brenty, then why do all of these routers have updates?
    https://www.windowscentral.com/vendors-who-have-patched-krack-wpa2-wi-fi-vulnerability

  • Ben
    edited October 2017

    @prime Presumably because they have the ability to operate in bridge mode, and when in such a mode are affected. When in bridge mode they aren’t acting as routers (they aren’t doing any routing). The confusion comes from what the device may commonly be referred to generically and a network function having the same term. It may have the capability to be a router, but isn’t necessarily acting as one in any given network setup.

    Ben

  • prime
    Community Member

    Thanks @Ben
    So since a Mesh System isn’t a bridge, these types of routers shouldn’t be affected then?

  • Ben

    I don't know the answer to that @prime, and I suspect it is going to depend largely on the mesh implementation. I don't believe there is a single standard for mesh that all vendors play by.

    Ben

  • XIII
    Community Member

    What about routers supporting 802.11r, "fast BSS transition (FT)"?

    https://github.com/vanhoefm/krackattacks-test-ap-ft

    Or is that the same as “bridged mode”?

  • Ben

    Bridged mode means the device is not doing routing or NAT. It seems this applies to most devices that are set up to operate under those conditions. But if you have a question about a specific device or configuration I'd suggest contacting the manufacturer of the device.

    Ben

  • Ben
    edited October 2017

    @XIII this thread on Reddit seems to answer that question directly:

    https://www.reddit.com/r/apple/comments/76pnz8/wifi_wpa2_security_has_been_potentially_kracked/

    802.11r is affected and the recommendation proposed in that thread is to disable it.

    Supposedly, from what I've been able to find, Apple's networking devices (AirPort Extreme, Time Capsule, AirPort Express) don't do actual 802.11r...

    Ben

  • jpgoldberg
    1Password Alumni

    Sorry for jumping in late, but I just wanted to make it clear that 1Password does not depend on the secrecy of the underlying transport layer.

    And because of this, 1Password is not impacted by KRACK.

    What KRACK means to most people

    Quite frankly, KRACK, while a big deal in many ways, is not a big deal in a world in which everyone is using HTTPS instead of HTTP. So had this been discovered five years ago, it would have been a bigger problem. But for the most part, if you are using encrypted and authenticated protocols (like HTTPS), then breaking the secrecy of a lower level in data transport is not an enormous problem.

    Just because it isn't an enormous problem doesn't mean that it isn't a real problem. For environments that have designed their security around the secrecy of 802.11, there will be consequences. I hope that not too many organizations have done that.

    The other issue is traffic analysis. Suppose you are in a coffee shop visiting https://ISecretlyLoveNickelback.com. Now with an HTTPS connection the content of your traffic back and forth to them would still be encrypted, but now someone in the same coffee shop who has KRACK-ed your connection to the Access Point (AP) will be able to see that you are communicating with that site.

    Note, of course, that the legitimate operators of all of the portions of the network between you and the site hosting your secret shame already have the ability to do that. So as long as you are using HTTPS, then KRACK means that you are adding the people in reach of the local wifi network into the pool of people who can already see where traffic is going.

    What KRACK means to cryptographers and protocol designers

    KRACK is just fascinating. A protocol may be provably secure, but it turns out that even seemingly harmless additions to the protocol from what has been proven secure can make the whole thing crumble. There is nothing wrong with the security proof of the security of the four-way handshake that underlies WPA. Except that the proof doesn't model some teeny tiny extra things thrown in about recovering from faulty connections.
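
    The "teeny tiny extra things" are the retransmission path of the four-way handshake: a client that re-processes message 3 reinstalls the already-installed key and resets its packet number, so the next frames reuse a nonce, and counter-mode keystream reuse lets anyone who captured both frames cancel the keystream out. The model below is an added example written for this page, not code from the thread, from 1Password or from the KRACK paper. The keystream PRF is HMAC-SHA256 in counter mode standing in for AES-CCMP so that it runs with only the Python standard library; the frame contents, key and addresses are constructed. The `reject_reinstall` switch is the patched behaviour: ignore a retransmitted message 3 once the key is in use, so the packet number keeps counting.

```python
"""Key reinstallation as nonce reuse: a toy Wi-Fi station model.

Added example, not from the forum thread or 1Password. HMAC-SHA256 in
counter mode stands in for AES-CCMP; the leak mechanism is the same.
"""
import hashlib
import hmac


def ctr_keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream: PRF(key, nonce || counter) blocks, truncated."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class Station:
    """Client holding a pairwise temporal key (TK) and its packet number (PN)."""

    def __init__(self, reject_reinstall: bool):
        self.tk = None
        self.pn = 0
        self.reject_reinstall = reject_reinstall

    def install_key(self, tk: bytes) -> bool:
        """Called when handshake message 3 is processed (first time or a replay)."""
        if self.tk == tk and self.reject_reinstall:
            return False        # patched: a retransmit of an installed key is ignored
        self.tk = tk
        self.pn = 0             # (re)installing the key resets the nonce counter
        return True

    def protect(self, plaintext: bytes) -> tuple[int, bytes]:
        """Encrypt one frame under the current TK and PN; returns (PN, ciphertext)."""
        nonce = self.pn.to_bytes(6, "big")   # real CCMP also mixes in addresses
        ct = xor(plaintext, ctr_keystream(self.tk, nonce, len(plaintext)))
        self.pn += 1
        return (int.from_bytes(nonce, "big"), ct)


# Constructed frames. KNOWN is something an observer can guess (an ARP request);
# SECRET is what a cleartext-HTTP app would put on the wire. A TLS-protected or
# end-to-end encrypted payload would only leak its ciphertext here.
KNOWN = b"ARP who-has 192.168.1.1 tell 192.168.1.23"
SECRET = b"Cookie: session=constructed-example"


def run_attack(reject_reinstall: bool):
    """Replay message 3 between two frames; return recovered SECRET or None."""
    sta = Station(reject_reinstall)
    tk = hashlib.sha256(b"constructed pairwise key").digest()
    sta.install_key(tk)                 # genuine message 3
    pn1, c1 = sta.protect(KNOWN)
    sta.install_key(tk)                 # attacker replays message 3
    pn2, c2 = sta.protect(SECRET)
    if pn1 != pn2:
        return None                     # distinct nonces: nothing cancels
    # Same key and nonce => same keystream KS:
    # (KNOWN ^ KS) ^ (SECRET ^ KS) ^ KNOWN = SECRET (for the bytes KNOWN covers)
    return xor(xor(c1, c2), KNOWN)[:len(SECRET)]


if __name__ == "__main__":
    print("unpatched:", run_attack(False))
    print("patched:  ", run_attack(True))
```

    The recovery only covers as many bytes as the guessed plaintext does, which is why the paper's attacks lean on predictable frames; and note that the TK itself is never recovered, which is also why the fix is simply not resetting the counter rather than anything in the key derivation.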

  • wkleem
    Community Member
    edited December 2017

    Apple has now posted firmware for their Time Capsules and Airport Extremes/ Express Base Stations.

    https://support.apple.com/HT208354

    https://support.apple.com/HT208258

  • Ben

    Thanks, @wkleem. I updated the ones I’m responsible for. Glad to see they updated them, even though they’ve apparently disbanded the group that was working on them.

    Ben

  • wkleem
    Community Member
    edited December 2017

    Hi

    If anyone is using an older Mac OS X version, there is a tip I read in Macintouch that Airport Utility v5.6.1 is actually more full featured than the v6.3.1 version for the Mac. It will still update the routers, especially the older ones. Both are safe to run on El Capitan/Sierra apparently. There is a specially created Airport Utility v5.6.1 which can be found in Macintouch (external link).

    I don't think I have it anymore but will check again. May have to reinstall Lion or Snow Leopard in a separate partition. I do have Airport Utility v5.6.1 on Windows downloadable from the Apple Support Site.

  • Rudy

    @wkleem,

    It might be a little heavy handed, but you could install those old OSes in a VM a la Parallels or VMWare to achieve the same goal without having to partition a drive for it.

    Rudy

This discussion has been closed.