
Suggestion: Alternate Ports for *.1Password.com

dmwilson1990
Community Member

To the best of my knowledge my.1Password.com is only accessible over port 443. In my work environment they have an https proxy that only runs on port 443, breaks open the traffic, and re-signs the cert to make it appear trusted. Now they can see all https content and I'm not very comfortable opening my vault knowing some IT guy is "looking" over my shoulder and seeing the decrypted contents. A simple workaround is to use literally any other port and the proxy won't inspect the traffic. Would it be possible to have my.1password.com listen on some alternate ports as well? Thanks!


1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Sync Type: Not Provided

Comments

  • Ben

    Hi @dmwilson1990,

    Thanks for taking the time to write in. This has brought up some really interesting discussion internally. At this point I’m going to file an issue for further consideration regarding having the 1Password service available on an alternate port. I can’t make any guarantees what direction that will go at this point. A couple of things I will say:

    1. If you’ve already created the account (i.e. you aren’t being Man-in-the-Middle’d during account creation) there is another layer of protection between you and IT beyond TLS. That would not prevent IT from being intentionally malicious, though, as they could potentially serve you a page that appears to be from 1Password.com but is instead actually from IT. They could use this to gather your 1Password credentials. Definitely not good, but that assumes that IT is malicious instead of just looking out for the company’s best interests.
    2. It may be possible to solve this problem today, but it would require some technical know-how and we’d only be able to offer very limited guidance/support. What I’m referring to here is setting up a remote server running SSH that does port re-mapping. So, for example, when you access https://my-remote-server.tld:444, SSH running on my-remote-server.tld re-maps the connection to https://1password.com:443. If it sounds like I’m speaking Greek here then let’s skip this, but if this is something you think sounds reasonable we may be able to offer some additional pointers. :)

    Ben

    ref: b5-4507

  • dmwilson1990
    Community Member

    @Ben glad I could spark a lovely internal debate and really appreciate you taking the time to consider the suggestion.

    1. I created the account on my home network so there's no way they were able to compromise that additional layer of protection. It's highly unlikely the cybersecurity group here is going to be intentionally malicious. To be perfectly honest I'm surprised the entire domain isn't blocked as they tend to rule with an iron fist.
    2. This one made me laugh.....I may have occasionally done this in the past on a limited set of domains I filtered using a PAC file. Some sites/services I had a legitimate need for work were blocked and it was faster than battling the political process of getting the DoD to unblock it. That being said...I got a nastygram once saying their IPS/IDS/DPI system detected an SSH connection over an alternate port and to immediately stop. So that's not really an option. :(
  • Ben

    Understood. :)

    Ben

This discussion has been closed.