Chrome 71.0.3578.98 suddenly not working with 1password [7.2.617 update is out]

kegobeer
edited December 2018 in Windows

Earlier today the 1Password extension was working perfectly in Chrome. I came back to my computer a few minutes ago and suddenly the extension says I need to install the desktop app. The Firefox and Edge extensions are working perfectly. Same thing happened on another of my computers. I rebooted, removed the extension, etc - but it didn't help.

Anyone else have this just happen?


1Password Version: 7.2.581
Extension Version: 4.7.3.90
OS Version: Win 10 x64
Sync Type: Not Provided


Comments

  • Yes. Running Chrome 71.0.3578.98 on Windows 10. A few hours ago, the 1Password extension stopped working. When I start Chrome, I see an error message that says:

    Browser connection refused
    1Password refused connection from untrusted source

    Same as you, I tried rebooting, uninstalling/reinstalling the extension, etc. Nothing helped. Seems to be working fine with Firefox 64.0. Very frustrating.

  • Same here.

    Disappointing as I'm evaluating 1Password as a potential replacement to LastPass but I don't like that browser integration for 1Password breaks so often.

  • nakagro
    edited December 2018

    Looking at the 1Password logs it seems like it's an untrusted cert issue for Chrome itself? Not 1Password.
    An expired certificate from Symantec?

    <tr class=e><td>E</td><td title='2018-12-17 00:32:37'>14570ms</td><td title=''>ThreadId(7)</td><td>1Password::api:1802            ...    14571ms ... Refusing helper connection from &quot;C:\Program Files (x86)\Google\Chrome\Application\chrome.exe&quot;, because of untrusted certificate.</td></tr>
    <tr class=w><td>W</td><td title='2018-12-17 00:32:37'>14578ms</td><td title=''>ThreadId(7)</td><td>1Password::api:1796            ...    14579ms ... failed to build certificate chain for [Version]
      V3
    [Subject]
      CN=Google Inc, O=Google Inc, L=Mountain View, S=California, C=US
      Simple Name: Google Inc
      DNS Name: Google Inc
    [Issuer]
      CN=Symantec Class 3 SHA256 Code Signing CA, OU=Symantec Trust Network, O=Symantec Corporation, C=US
      Simple Name: Symantec Class 3 SHA256 Code Signing CA
      DNS Name: Symantec Class 3 SHA256 Code Signing CA
    [Serial Number]
      2A9C21ACAAA63A3C58A7B9322BEE948D
    [Not Before]
      16/12/2015 11:00:00 AM
    [Not After]
      17/12/2018 10:59:59 AM
    
  • cromm
    edited December 2018

    Just got the same error message - Running 7.3.612 with Chrome 71.0.3578.98

  • Same here.

    Also, if I click "Show console" from within 1Password, I see many errors that say: Refusing helper connection from "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe", because of untrusted certificate.

  • Looking in the logs, it appears that it is due to the fact that the Digital Signature used to sign the Chrome Executable (chrome.exe) expired. As far as Windows is concerned, the signature is still valid because Authenticode is concerned with whether the signature was valid at the time of signing, not whether it would be valid now. 1Password seems to be concerned with whether it is valid as of right now (actively checking dates perhaps?) and so when the signature lapses, 1Password stops allowing the signature.

    Not sure there is much to do except wait for Google to release another version of Chrome with an updated Digital Signature or for 1Password to change the way in which they detect valid signatures, which may be more engineering than it is worth.

    <tr class=e><td>E</td><td title='2018-12-17 00:29:27'>1367665ms</td><td title=''>ThreadId(5)</td><td>1Password::api:1802            │  1367669ms │ Refusing helper connection from &quot;C:\Program Files (x86)\Google\Chrome\Application\chrome.exe&quot;, because of untrusted certificate.</td></tr>
    <tr class=w><td>W</td><td title='2018-12-17 00:29:28'>1367677ms</td><td title=''>ThreadId(5)</td><td>1Password::api:1796            │  1367681ms │ failed to build certificate chain for [Version]
      V3
    
    [Subject]
      CN=Google Inc, O=Google Inc, L=Mountain View, S=California, C=US
      Simple Name: Google Inc
      DNS Name: Google Inc
    [Issuer]
      CN=Symantec Class 3 SHA256 Code Signing CA, OU=Symantec Trust Network, O=Symantec Corporation, C=US
      Simple Name: Symantec Class 3 SHA256 Code Signing CA
      DNS Name: Symantec Class 3 SHA256 Code Signing CA
    [Serial Number]
      2A9C21ACAAA63A3C58A7B9322BEE948D
    [Not Before]
      12/15/2015 5:00:00 PM
    [Not After]
      12/16/2018 4:59:59 PM
    [Thumbprint]
      5A9272CE76A9415A4A3A5002A2589A049312AA40
    [Signature Algorithm]
      sha256RSA(1.2.840.113549.1.1.11)
    
  • My 1Password desktop client is suddenly refusing to allow the Chrome 1Password extension to connect, claiming it's an untrusted source.

    Google Chrome Version: 71.0.3578.98 (Stable Channel)

    I also have Firefox Quantum V64.0 installed and that is working with 1Password and the extension ok as of now.

    My 1Password client somehow got switched to the beta channel. I did uninstall it and reinstall the latest stable build but the issue remains.

    Any idea what's going on and when we can expect a fix?

  • Well, if the way they detect valid signatures is different from the way Windows does it, then doesn't that mean the way they're doing it is wrong, and they really should fix it?

  • Is there a known fix for this or will 1Pass send out an update to patch this?

  • Check the other two top threads. Looks like an expired certificate causing the issue.

  • SergeyTheAgile

    Team Member
    edited December 2018

    Hi everyone, Chrome is signed by the new issuer now, current version of 1Password will reject it. An update is being prepared. Sorry for the trouble.

    P.S. new issuer for beta chrome, stable chrome has expired certificate :(

  • Confirmed. omg i thought it was just me. Driving me crazy trying to figure this out!

  • Thanks for the update!

  • MikeT Agile Samurai

    Team Member
    edited December 2018

    [Updated for clarification]

    Hey guys,

    We're working on it. The problem is that Google has let their signing certificate for Chrome expire today, which invalidates the entire chain of certificates, which trips our certificate check and we reject it.

    We had a fix internally to support the new signing certificate in Chrome 72 Beta but Chrome 71 stable does not have this new certificate just yet, which means our internal fix won't work at all. We are figuring out a temporary solution for the expired signing certificate to allow it until they release another update with the updated signing key certificate.

  • Is there any ETA on when the new update will be out? Started getting error "Browser connection refused" when I updated chrome to Version 72.0.3626.17 (Official Build) beta (64-bit).

  • MikeT Agile Samurai

    Team Member

    Within the hour, we're testing an internal build to make sure it goes well and we'll have it out for everyone.

  • WOW, how much longer until we get an update? This is really unacceptable.

  • MikeT Agile Samurai

    Team Member
    edited December 2018

    @toobs, please understand that Chrome has an expired signing certificate, which invalidates the entire chain of certificates that Windows tells us is not trusted anymore. Google could've updated Chrome with a new signing certificate that we can trust right away but they didn't and we have to come up with a different solution to trust an expired signing certificate which isn't something we want to do.

  • MikeT Agile Samurai

    Team Member
    edited December 2018

    Hi guys,

    We've just shipped the 7.2.617 update now, it explicitly whitelists the specific expired signing certificate in Chrome 71 stable and it also supports the new Google LLC certificate from Chrome 72 beta build.

    There's a good chance Google may ship a different signing certificate tomorrow which may not be the same as the one they're using for Chrome 72 beta. This could mean that 1Password may reject it as well until we do another quick update.

    In this update, we've also updated our signing certificate for 1Password that we started using in 1Password 7.3 beta builds a few weeks ago but this may cause some false positives with certain anti-malware solutions where they need to add our new signing certificate.

  • What about those of us on the 7.3 beta channel?

  • kevwil Junior Member

    I'm shocked Chrome would be signed by a Symantec cert. Was the Chrome build chain hacked? /s

  • Awesome people who are using 1Password beta will get an update tomorrow morning, with a bunch of improvements. We just need a bit more time to finish preflight checklist.

  • Ok, thanks Sergey!

  • The new update works for me. Thanks.

  • @MikeT - As Barenstark noted above, Google didn't actually violate certificate principles by letting the cert expire, so 1Password ought to be able to handle this situation. The spec for codesigning essentially says:
    If the codesigned exe is NOT countersigned by a valid timestamping cert, then the codesigning cert must be in its validity window to be valid.
    But if the exe IS countersigned by a valid timestamping cert, and this happened within the validity period of the codesigning cert, then the codesign IS valid for as long as the TIMESTAMPING cert is valid.
    Chrome was timestamped while its codesign cert was valid, so it should be considered valid until the timestamp expires in 2027.
    This is the purpose of timestamping - it allows apps to have decade-long validity periods without needing to issue long-duration codesign certs.

  • MikeT Agile Samurai

    Team Member
    edited December 2018

    [Updated for clarification]

    Hi @RogerD,

    We didn't say they did violate the spec or security principles but for our security policy, we require the entire chain of certificates to be valid in order to be whitelisted in our current implementation. Right now, an expired signing certificate can invalidate that entire chain in our implementation using .NET APIs.

  • Reading @RogerD and @MikeT, it sounds like the 1Password "security policy" doesn't accept certificates that Windows itself will. This doesn't seem wise. I ran into timestamping while trying to figure this out myself.

    If 1Password is checking certificates for Windows executables, it might be best to use the same rules that Windows uses, or else you risk these sorts of issues.

  • MikeT Agile Samurai

    Team Member
    edited December 2018

    Just to be clear, @darktygur, Windows is returning the certificate as invalid.

    This is not our error, this is us asking Windows to validate the chain, this is what gets returned to us when we use the .NET APIs, which factors in the time verification as well.

    failed to build certificate chain for [Version]
      V3
    
    [Subject]
      CN=Google Inc, O=Google Inc, L=Mountain View, S=California, C=US
      Simple Name: Google Inc
      DNS Name: Google Inc
    [Issuer]
      CN=Symantec Class 3 SHA256 Code Signing CA, OU=Symantec Trust Network, O=Symantec Corporation, C=US
      Simple Name: Symantec Class 3 SHA256 Code Signing CA
      DNS Name: Symantec Class 3 SHA256 Code Signing CA
    [Serial Number]
      2A9C21ACAAA63A3C58A7B9322BEE948D
    [Not Before]
      12/15/2015 5:00:00 PM
    [Not After]
      12/16/2018 4:59:59 PM
    [Thumbprint]
      5A9272CE76A9415A4A3A5002A2589A049312AA40
    [Signature Algorithm]
      sha256RSA(1.2.840.113549.1.1.11)
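
The disagreement in this thread can be reproduced on any signed file. The script below is an added example, not 1Password's code and not part of any post: it compares the Authenticode verdict, which honours the countersignature timestamp, with a plain .NET `X509Chain.Build`, which validates at `ChainPolicy.VerificationTime` (the current time by default). `Test-ChainAt` is a hypothetical helper name, and the "then" time is a constructed stand-in for the real countersignature time, which `Get-AuthenticodeSignature` does not expose.

```powershell
# Added example. Default path is the one quoted in the log lines above.
param(
    [string]$Path = 'C:\Program Files (x86)\Google\Chrome\Application\chrome.exe'
)

# Hypothetical helper: build the signer's chain as of a given moment.
function Test-ChainAt {
    param(
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate,
        [Parameter(Mandatory)]
        [datetime]$VerificationTime
    )
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    try {
        # Revocation is skipped only to isolate the time check and stay offline;
        # a production verifier should keep revocation checking enabled.
        $chain.ChainPolicy.RevocationMode =
            [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
        $chain.ChainPolicy.VerificationTime = $VerificationTime
        $ok = $chain.Build($Certificate)
        [pscustomobject]@{
            Valid = $ok
            Flags = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
        }
    }
    finally { $chain.Dispose() }
}

# Authenticode verdict: accepts an expired signer certificate when the file was
# timestamped while that certificate was still valid.
$sig = Get-AuthenticodeSignature -FilePath $Path
if (-not $sig.SignerCertificate) { throw "No Authenticode signature on $Path" }
$signer = $sig.SignerCertificate

# Chain built "now" versus at a constructed time inside the validity window.
$now  = Test-ChainAt -Certificate $signer -VerificationTime (Get-Date)
$then = Test-ChainAt -Certificate $signer -VerificationTime $signer.NotAfter.AddDays(-1)

[pscustomobject]@{
    File               = $Path
    AuthenticodeStatus = $sig.Status                          # Valid, NotSigned, HashMismatch, ...
    Timestamped        = [bool]$sig.TimeStamperCertificate
    SignerNotAfter     = $signer.NotAfter
    ChainValidNow      = $now.Valid
    ChainFlagsNow      = $now.Flags                           # NotTimeValid once the cert has expired
    ChainValidThen     = $then.Valid
}
```

For a timestamped file whose signing certificate has since expired, `AuthenticodeStatus` reports `Valid` while `ChainValidNow` is `False` with `NotTimeValid`, which is the mismatch the posters are describing.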
    
