Preview linked PDF attachment inside 1Password

Hello, would it be possible to implement this feature request:

Can we please have 1Password preview PDF files within 1Password itself? Out of security reasons, I do not want to have to download and save the PDF on my computer to view the file. Very often I have forgotten to delete the PDF and that's how secure information is leaked out.

Thanks!


1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Sync Type: Not Provided

Comments

  • brentybrenty

    Team Member

    It certainly would be nice, but what you're asking for has big problems and probably won't happen. We'd need to either:

    1. Write our own viewers for a wide variety of file types (potentially more secure, but infeasible)
    2. Add 3rd party code for viewing file formats to 1Password (somewhat secure since the files could still stay in 1Password, but also risky since it would be someone else's code)
    3. Utilize 1st or 3rd party viewers to display inline (maybe feasible, but then the files would still need to be decrypted in order for external software to process them -- thus negating your request)

    That sounds dire, but I think it's important to put this in perspective: if your machine is compromised, the rest doesn't matter. Data isn't going to get magically "leaked out"; you'd either need to "leak" it yourself, or get your system into a state where something/someone else could. So long as you're practicing good security hygiene and being mindful of these things, as it seems you are, the practical risks are fairly minimal.

  • @brenty

    Regarding 2: There is numerous open-source code that could be re-used, so you could also inspect the code for security issues. It could be be most basic PDF viewer ever supporting only the common types and simplest PDF format (i.e unencrypted PDF, etc). That way, I completely avoid having to save the PDF somewhere on my machine, which is what I absolutely want to avoid.

    Have a look yourself, you already have a PNG previewer. Attach a PNG and you'll see that the PNG can be previewed. Extend that code, and allow simple PDFs to be previewed too.

    My machine is generally secure. My request is pretty clear though: All data within 1Password remains within 1Password. When 1Password's vault is locked, all the data is locked up.

    In the current scenario, that would mean a stray PDF is still out there, somewhere on the machine.

  • bundtkatebundtkate

    Team Member

    @msxtj: It's not that we're completely and totally opposed to something like this by any means, we just don't have a method that we're happy with. The image previewer uses existing .NET resources, but for PDFs Windows uses Edge as its viewer – not something we can integrate into 1Password. Even auditing someone else's code is a significant project and one that may end up fruitless if it's not up to security standards. Right now, we don't have any specific plans for PDF previews, so we can't (and won't) promise it will happen, even if it is something we all would like to see on day.

  • brentybrenty

    Team Member
    edited November 2018

    Regarding 2: There is numerous open-source code that could be re-used, so you could also inspect the code for security issues. It could be be most basic PDF viewer ever supporting only the common types and simplest PDF format (i.e unencrypted PDF, etc). That way, I completely avoid having to save the PDF somewhere on my machine, which is what I absolutely want to avoid.

    @msxtj: No. Open source code is not infallible. And as you can imagine issues in even popular (as an understatement) packages like Apache, OpenSSL, GlibC, MySQL, and the Linux kernel can go unnoticed because vetting someone else's code is both difficult and time-consuming, and it's easy to overlook things. So essentially you're volunteering us to employ additional developers tasked solely with doing ongoing code reviews of other people's software for a relatively small convenience gain: viewing within 1Password itself. That doesn't seem at all reasonable at this time, but we'll continue to evaluate things as time goes on.

    On the flipside, it's trivial for you to secure-erase free space on your machine after saving a file locally to view. If you believe you are at risk of your machine being broken into and device encryption being circumvented, I suggest you do that, as it's totally possible today.

    Have a look yourself, you already have a PNG previewer. Attach a PNG and you'll see that the PNG can be previewed. Extend that code, and allow simple PDFs to be previewed too.

    No. We don't. That's #3: a Windows feature. If Microsoft adds a similar capability for PDFs, we'll probably use that.

    My machine is generally secure. My request is pretty clear though: All data within 1Password remains within 1Password. When 1Password's vault is locked, all the data is locked up. In the current scenario, that would mean a stray PDF is still out there, somewhere on the machine.

    I understand. But while you may not like my answer, I think it was pretty clear as well. If you have any questions, I'll be happy to answer them.

  • I'd like to second msxtJ's proposal. Although I do understand your concerns, there's another reason for me: convienience. Most of the times I just want to look something up quickly, so having to save, open and erase securely a pdf on a PC is a bit tedious.
    How come you've managed to integrate a pdf-reader on iOS then?

  • brentybrenty

    Team Member

    Convenience is important, but security should not be a slave to it. If we can find a way to offer something like this in the future securely though (as I mentioned above, having an OS-level viewer framework helps in the case of images) I'm sure we will. :)

Leave a Comment

BoldItalicStrikethroughOrdered listUnordered list
Emoji
Image
Align leftAlign centerAlign rightToggle HTML viewToggle full pageToggle lights
Drop image/file