Impact of KRACK on 1Password.com users (using WiFi)?

Since we regularly discuss the impact of major leaks here: what is the impact of KRACK on 1Password.com users (using WiFi)?

https://www.krackattacks.com/


1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Sync Type: Not Provided

Comments

  • That would be interesting, especially since it is probably more pertinent to ask if the desktop and mobile apps tolerate a downgrade from HTTPS to HTTP (the basic transport encryption seems unaffected, it seems the real trick in it is in its ability to force downgrades). The fact that our details are encrypted before transport is probably a very good thing, but the loss of TLS because of a downgrade would be annoying (from the author, "Although websites or apps may use HTTPS as an additional layer of protection, we warn that this extra protection can (still) be bypassed in a worrying number of situations. For example, HTTPS was previously bypassed in non-browser software, in Apple's iOS and OS X, in Android apps, in Android apps again, in banking apps, and even in VPN apps.."

    It's always a game of cat and mouse, I wonder where our cat and mouse are? lol!

  • brentybrenty

    Team Member

    That would be interesting, especially since it is probably more pertinent to ask if the desktop and mobile apps tolerate a downgrade from HTTPS to HTTP (the basic transport encryption seems unaffected, it seems the real trick in it is in its ability to force downgrades).

    @AlwaysSortaCurious: Downgrades end in rejection. More on that below...

    The fact that our details are encrypted before transport is probably a very good thing, but the loss of TLS because of a downgrade would be annoying (from the author, "Although websites or apps may use HTTPS as an additional layer of protection, we warn that this extra protection can (still) be bypassed in a worrying number of situations. For example, HTTPS was previously bypassed in non-browser software, in Apple's iOS and OS X, in Android apps, in Android apps again, in banking apps, and even in VPN apps.."

    1Password is very intolerant of irregularities in the secure connection (some users have issues with this often due to "security" software or corporate policy). More on layers below...

    It's always a game of cat and mouse, I wonder where our cat and mouse are? lol!

    :lol: :+1:

    Since we regularly discuss the impact of major leaks here: what is the impact of KRACK on 1Password.com users (using WiFi)?

    @XIII: Certainly the belief that Wi-Fi is more secure than the internet is a bit erroneous, and this is just another example of that; it totally depends on the security of what you're using. And, fortunately, 1Password data is end-to-end encrypted, so 1Password simply doesn't depend on the sync service to protect your data. So while 1Password.com is more convenient and secure than what's possible with local vaults, 1Password users are not any worse off because of this — and updating devices will help anyway. iMore also has some great advice for those of us waiting on some vendors. Stay safe out there! :sunglasses: :+1:

    Using a VPN is a mitigating factor but there are just so many VPNs out there I won't know where to start.

    @wkleem: That's a good point. An earlier discussion had some recommendations and links to comparisons. :)

  • brentybrenty

    Team Member

    @wkleem: As you can imagine, we use Duo and 1Password.com here too, and I haven't heard of anyone having issues. For my own part, I've used at least 3 different VPNs in a variety of locations and didn't have any issues with Duo there, apart from a bit of a delay at times getting the push notification. Definitely follow up with Duo if you're having trouble, as they'll know more than we do about how their service might interact with VPNs, but I thought I'd at least share my experience.

  • I don't use it myself, but Wi-Fi sync of local vaults is also still safe?

  • @brenty @wkleem I use duo for other things, PIA breaks the push. Just discovered it. It has to do with the cer tificate not being recognized as valid by Duo. I'm not sure which certificate it's referring to as I'm sure there are few. Duo also breaks if Ips change in the middle of the conversation between its radius server (proxy) and it's cloud. it thinks that the conversation has been hijacked. If the conversation initiates from one IP but II connection then comes from another IP it breaks, like when behind a load balancer with round robin Nic cards.

    @XIII Imagine Wi-Fi is Wi-Fi whether it's to a local Source or not depends who's listening or trying to intercept your traffic. But I can't speak to what the fence is the older products have.

  • brentybrenty

    Team Member

    It's more apt to say the VPN breaks Duo? :)

    @wkleem: Haha perhaps in some cases! :lol:

    I don't use it myself, but Wi-Fi sync of local vaults is also still safe?

    @XIII: Yes. I sort of covered that above, but I should have been more explicit. However, I would take precautions for pretty much anything else, unless you're certain that the data and connection are secured separately from WPA2.

    I use duo for other things, PIA breaks the push. Just discovered it. It has to do with the cer tificate not being recognized as valid by Duo. I'm not sure which certificate it's referring to as I'm sure there are few. Duo also breaks if Ips change in the middle of the conversation between its radius server (proxy) and it's cloud. it thinks that the conversation has been hijacked. If the conversation initiates from one IP but II connection then comes from another IP it breaks, like when behind a load balancer with round robin Nic cards.

    @AlwaysSortaCurious: That's good to know. I don't remember why since I've got so many other options, but I almost subscribed to their service recently. I've heard good things about them otherwise, but tat would be a dealbreaker for me. Makes senes though that that kind of setup could cause some issues.

  • @wkleem I read from a few sources about the Apple routers and they said “unknown”. When I get home, I’ll try and look. With iOS, it gets me that Apple sent 3 bug fixes in 16 days, but can’t release this one now. This is a big issue, and if they have it, it should be released now.

  • @wkleem I can’t find the article said “not sure” but this says “don't seem be vulnerable to the exploit“. I’m sorry, “don’t seem” doesn’t make me all fuzzy inside.

  • brentybrenty

    Team Member

    @prime: The confusing thing about this is that routers are unaffected in the strictest sense. This attack is against clients, so unless your router is operating as a client (e.g. in bridge mode*), that won't be an issue. However, there are a LOT of devices out there (especially IoT stuff...) that's going to take a while to get patched (and perhaps not at all). :(

    *From what I understand from the report, the lack of vulnerability in Apple routers is referring to operating in bridge mode. This is apparently due to them not following the spec strictly, and thus not being vulnerable to the same sort of attack that others are.

    That discussion on VPNs is now locked but nobody discussed Duo compatibility then. How likely is Duo - 1Password -VPN issue to manifest itself? Any recommendations?

    @wkleem: Indeed, you and AlwaysSortaCurious are the only reports I've seen of issues with Duo and VPNs, which is a bit surprising given many companies (which would tend to use 1Password Teams, and potentially Pro accounts with Duo integration) use VPNs. Perhaps there's something different about some consumer VPN setups. :unamused:

  • brentybrenty

    Team Member

    I read from a few sources about the Apple routers and they said “unknown”. When I get home, I’ll try and look. With iOS, it gets me that Apple sent 3 bug fixes in 16 days, but can’t release this one now. This is a big issue, and if they have it, it should be released now.

    @prime: I missed this earlier. Good point. I do, however, feel like, compared to the relative insignificance of the previous updates, I'm okay with Apple taking more time to test this. Wi-Fi is critical. Sooner is better than later, but only if sooner doesn't make things worse. It is, however, available in the current public beta, so that's some consolation given that it's available to users, and that also it shouldn't be too long.

  • primeprime
    edited October 2017

    The confusing thing about this is that routers are unaffected in the strictest sense.

    @brenty, then why do all of these routes have updates?
    https://www.windowscentral.com/vendors-who-have-patched-krack-wpa2-wi-fi-vulnerability

  • BenBen AWS Team

    Team Member
    edited October 2017

    @prime Presumably because they have the ability to operate in bridge mode, and when in such a mode are affected. When in bridge mode they aren’t acting as routers (they aren’t doing any routing). The confusion comes from what the device may commonly be referred to generically and a network function having the same term. It may have the capability to be a router, but isn’t necessarily acting as one in any given network setup.

    Ben

  • Thanks @Ben
    So since a Mesh System isn’t a bridge, these types of routers shouldn’t be affected then?

  • BenBen AWS Team

    Team Member

    I don't know the answer to that @prime, and I suspect it is going to depend largely on the mesh implementation. I don't believe there is a single standard for mesh that all vendors play by.

    Ben

  • What about routers supporting 802.11r, "fast BSS transition (FT)"?

    https://github.com/vanhoefm/krackattacks-test-ap-ft

    Or is that the same as “bridged mode”?

  • BenBen AWS Team

    Team Member

    Bridged mode means the device is not doing routing or NAT. It seems this applies to most devices that are set up to operate under those conditions. But if you have a question about a specific device or configuration I'd suggest contacting the manufacturer of the device.

    Ben

  • BenBen AWS Team

    Team Member
    edited October 2017

    @XIII this thread on Reddit seems to answer that question directly:

    https://www.reddit.com/r/apple/comments/76pnz8/wifi_wpa2_security_has_been_potentially_kracked/

    802.11r is affected and the recommendation proposed in that thread is to disable it.

    Supposedly, from what I've been able to find, Apple's networking devices (AirPort Extreme, Time Capsule, AirPort Express) don't do actual 802.11r...

    Ben

  • jpgoldbergjpgoldberg Agile Customer Care

    Team Member

    Sorry for jumping in late, but I just wanted to make it clear that 1Password does not depend on the secrecy of the underlying transport layer.

    And because of this, 1Password is not impacted by KRACK.

    What KRACK means to most people

    Quite frankly, KRACK, while a big deal in many ways, is not a big deal in a world in which everyone is using HTTPS instead of HTTP. So had this been discovered five years ago, it would have been a bigger problem. But for the most part, if you are using encrypted and authenticated protocols (like HTTPS), then breaking the secrecy of a lower level in data transport is not an enormous problem.

    Just because it isn't an enormous problem doesn't mean that it isn't a real problem. For environments that have designed their security around the secrecy 802.11, there will be consequences. I hope that not too many organizations have done that.

    The other issue is traffic analysis. Suppose you are in a coffee shop visiting https://ISecretlyLoveNickelback.com. Now with an HTTPS connection the content of your traffic back and forth to them would still be encrypted, but now someone in the same coffee shop who has KRACK-ed your connection the the Access Point (AP) will be able to see that you are communicating with that site.

    Note, of course, the the legitimate operators of all of the portions of the network between you and the site hosting your secret shame already have the ability to do that. So as long as you are using HTTPS, then KRACK means that you are adding the people in reach of the local wifi network into the pool of people who can already see where traffic is going.

    What KRACK means to cryptographers and protocol designers

    KRACK is just fascinating. A protocol may be provably secure, but it turns out that even seemingly harmless additions to the protocol from what has been proven secure can make the whole thing crumble. There is nothing wrong with the security proof of the security of the four-way handshake that underlies WPA. Except that the proof doesn't model some teeny tiny extra things thrown in about recovering from faulty connections.

  • BenBen AWS Team

    Team Member

    Thanks, @wkleem. I updated the ones I’m responsible for. Glad to see they updated them, even though they’ve apparently disbanded the group that was working on them.

    Ben

  • rudyrudy

    Team Member

    @wkleem,

    It might be a little heavy handed, but you could install those old OSes in a VM a la Parallels or VMWare to achieve the same goal without having to partition a drive for it.

    Rudy

Leave a Comment

BoldItalicStrikethroughOrdered listUnordered list
Emoji
Image
Align leftAlign centerAlign rightToggle HTML viewToggle full pageToggle lights
Drop image/file