1Password X permissions.

@brenty

Had a look at the 1Password X extension and was wondering why it needs so many permissions:

Read and change your bookmarks. The Mac and Windows versions of 1Password allow you to create browser bookmarks to your items. We haven't yet added this feature to 1Password X, but we intend to because it's a natural fit.
Manage your downloads. 1Password X has the ability to download page information if we request diagnostic information. These downloads are always user-initiated. We also plan to add the ability to export data and download your Emergency Kit without going to 1Password.com.
Manage your apps, extensions, and themes. This permission is used only to disable the classic 1Password browser extension if both are installed at the same time.

Thanks @Mitch -- https://discussions.agilebits.com/discussion/comment/437055/#Comment_437055

Privacy: Required to optionally set 1Password as your default password manager and disable browser autofill prompts
Downloads: Required to automatically download the Emergency Kit for your 1Password account and diagnostic information which we may request

Thanks @ Changelog writer. -- https://app-updates.agilebits.com/product_history/B5X#v20027

That will leave us with the following permissions:
Read your browsing history > For what?
Display notifications > What notifications?
Modify data you copy and paste > Why?
Communicate with cooperating native applications > Why?

Would love to know why these permissions are required. Also, I would recommend adding a sticky on this subforum with all the permissions explained.



Comments

  • AGAlumB
    1Password Alumni

    @Newsuer22: Hey there! This can be a pretty deep topic, so I'm glad you started a new discussion. :)

    To start, I think it's helpful to keep in mind how Chrome permissions work. All of these permissions are not "required" for 1Password X to function...but with Chrome, it's all or nothing: we can't, as users, decline some permissions and allow others, getting just the functionality we want; and, similarly, as software developers, it's important to request the entitlements needed for all functionality desired in the extension upfront, otherwise there will be functionality "missing" from the user experience.

    I'll go into the specific things you're asking about here:

    Read your browsing history

    I liked this better when it was called "Read and change all your data on the websites you visit", because that's what it is. Without this, 1Password cannot do 90% of what you expect it to: open URLs, and save and fill login credentials and other information in your browser.

    Display notifications

    1Password X will notify you when it is updated, with links to what's new.

    Modify data you copy and paste

    Related to the first one, this allows 1Password to help you save and fill information in your browser.

    Communicate with cooperating native applications

    It isn't available today, but we'd really like 1Password X to work in conjunction with our desktop apps, the way our other extension can. ;)

    So, long story short, some permissions are not used currently, and others are used only in a limited fashion, but none of those things are even possible unless we request these...and it's much easier (and nicer, from a user experience perspective) to do that upfront than changing it later (since that causes the extension to be disabled until the user manually reviews and approves it, again).

    I hope this helps. Be sure to let me know if you have any other questions! :)

  • Newsuer22
    Community Member

    @brenty Hey, and thanks for answering. :)

    It isn't available today, but we'd really like 1Password X to work in conjunction with our desktop apps, the way our other extension can. ;)

    Isn't it a security risk to require permissions that aren't even needed yet?

    it's much easier (and nicer, from a user experience perspective) to do that upfront than changing it later (since that causes the extension to be disabled until the user manually reviews and approves it, again).

    Why not use Google Chrome optional permissions? This way the extension won't be disabled if the update only adds optional permissions.
    https://developer.chrome.com/extensions/permissions
    It would even allow disallowing certain permissions that I personally would disable if given the chance, like:

    Manage your downloads. = I already have the Emergency Kit (Shouldn't actually all have this before installing the Extensions anyway, directly after creating the account and Vault?) and for Diagnostic it could be activated when needed.
    Manage your apps, extensions, and themes. I can disable extensions on my own, no need for it.
    Display notifications Personally I don't care when it got updated or what changed. If I'm interested I can look it up anyway. :chuffed:
    Privacy Can change the settings myself for disabling autofill from chrome etc.
    and Communicate with cooperating native applications until it's actually used.

    I know you will go with the way the majority of users with this and I understand that. Just wanted to share my take on it.

    But wouldn't it make sense to minimize the required permissions for more security, privacy and of course for the better feeling?
    I mean I personally trust 1Password, but a new user would be more inclined to allow 2 permissions than a whole book of permissions.
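
The optional-permission pattern proposed in the comment above, as an added example that is not 1Password X code and not part of the original thread. It requests one permission only when a task needs it and gives it back afterwards; the manifest fragment, the `withOptionalPermission` helper and the fake permissions object are assumptions made for illustration.

```javascript
// Added example, not 1Password X code. Assumed manifest fragment:
//   "permissions": ["storage"],
//   "optional_permissions": ["downloads"]
// "storage" and "downloads" are illustrative choices.

// Run `task` only if the user grants `permission`, then give the grant back.
// `api` is chrome.permissions in a real extension; it is passed in so the
// logic can be exercised offline. Call this from a click handler:
// chrome.permissions.request must run inside a user gesture.
function withOptionalPermission(api, permission, task, done) {
  const wanted = { permissions: [permission] };
  api.request(wanted, (granted) => {
    if (!granted) {
      done({ ran: false, stillGranted: false }); // feature stays off
      return;
    }
    let error = null;
    try { task(); } catch (e) { error = e; }
    // Drop the grant even when the task throws, so it never outlives the task.
    api.remove(wanted, (removed) => {
      done({ ran: error === null, stillGranted: !removed, error });
    });
  });
}

// Constructed stand-in for chrome.permissions (callbacks fire synchronously).
function makeFakePermissions(userSaysYes) {
  const granted = new Set();
  return {
    granted,
    request(p, cb) {
      if (userSaysYes) p.permissions.forEach((x) => granted.add(x));
      cb(userSaysYes);
    },
    remove(p, cb) {
      p.permissions.forEach((x) => granted.delete(x));
      cb(true);
    },
  };
}

// Exercise both outcomes of the browser prompt against the fake API.
function demo(userSaysYes) {
  const api = makeFakePermissions(userSaysYes);
  let heldDuringTask = false;
  let result = null;
  withOptionalPermission(api, "downloads",
    () => { heldDuringTask = api.granted.has("downloads"); },
    (r) => { result = r; });
  return { ...result, heldDuringTask, heldAfter: api.granted.has("downloads") };
}
```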

  • AGAlumB
    1Password Alumni
    edited January 2019

    Isn't it a security risk to require permissions that aren't even needed yet?

    @Newsuer22: How so? What is the specific threat you're concerned about? Given the restrictions the browser places on extensions, and the very limited scope of even the things that are allowed, due to sandboxing, the scope is smaller to begin with. But I am interested to know what you have in mind. :)

    Why not use Google Chrome optional permissions?

    Support, UI, and overall usability suffer when people have to try to figure out all of this in order to even install and use 1Password. Requesting permissions upfront is a hurdle for people, but I think it's a fair tradeoff given the alternatives. And saying "this is what 1Password needs in order to work" is much more straightforward than requiring people to not only make a decision upfront but also remember that they've done so later on, and what options they chose, in order to adjust them. People would opt-out of some, and then later be baffled that 1Password was "broken" for the functionality that was disabled as a result. We're having this conversation because the way Chrome presents many of these is unclear, and if we do what you propose users would need to manage all of that more granularly. I don't doubt that some people would really like that (though we haven't really heard from them), but most people expect 1Password to just work with minimal fuss, not requiring them to figure out a bunch of browser esoterica, and that's part of what they pay us for. Not to mention there would be a much greater amount of testing and support required to deal with all of the combinations of different ones enabled/disabled (if my math is right, about 40,000 possibilities for the 8 permissions 1Password X requires currently -- yikes).

    Manage your downloads. = I already have the Emergency Kit (Shouldn't actually all have this before installing the Extensions anyway, directly after creating the account and Vault?) and for Diagnostic it could be activated when needed.

    It depends. Did you download it? What about someone who only uses 1Password X? We need to try to help as many people as we can -- especially for something as critical as not getting locked out of their 1Password account. And then how about Documents? It would be nice to be able to access those in 1Password X! Anyway, what is the problem you anticipate having due to the download permission for 1Password X?

    Manage your apps, extensions, and themes. I can disable extensions on my own, no need for it.

    Again, we need to consider people other than you. A lot of folks have installed the 1Password desktop extension, and having both enabled can cause a lot of problems for them. I don't think we can call it a win if we change this to help you, but it causes problems for thousands of others. What is the difficulty you anticipate from 1Password X having this permission?

    Display notifications Personally I don't care when it got updated or what changed. If I'm interested I can look it up anyway. :chuffed:

    Privacy Can change the settings myself for disabling autofill from chrome etc.

    It sounds like that works for you, but I can tell you that a lot of people ask us for information on 1Password X updates even after having seen the notification. I direct people to the release notes a lot, so if anything we need to make the notification clearer so people realize they can click right on it for more details. While I appreciate that you may not want notifications yourself, they can be disabled in 1Password X Settings, so I don't believe there's any harm done by this.

    and Communicate with cooperating native applications until it's actually used.

    Thanks for the feedback. But given this ship has sailed and integration with the desktop apps is our number one feature request, I don't think we'll be changing this. I'm also curious, what is the problem this permission causes you -- especially given it is not even being used yet?

    I know you will go with the way the majority of users with this and I understand that. Just wanted to share my take on it.

    Absolutely! Thank you for taking the time to share your thoughts on all of this. I'm sorry to have to disagree with you on so many points, but it does sound like you appreciate that we need to be thinking of all 1Password users when we make these decisions. Nothing is set in stone though, and I'd very much like to better understand the challenges you're having (or anticipate having) due to the way we have permissions setup currently. I'm sure that the way the browsers handle this will continue to evolve over time, and regardless there may be room for improvement in 1Password X specifically.

    But wouldn't it make sense to minimize the required permissions for more security, privacy and of course for the better feeling?

    I mean I personally trust 1Password, but a new user would be more inclined to allow 2 permissions than a whole book of permissions.

    You're right in principle with regard to privacy and security, as far as minimizing risk. And you're also right to question the permissions you give to 1Password or any other software you install. But I do think it's important to evaluate this in the context of the actual risks involved, which are much, much fewer with a browser extension than with native software. Put another way, if you are comfortable installing a 1Password app on your device (which can do so much more with data across the OS, being free from the browser sandbox), I think there's good reason to also trust the extension. After all, we apply the same security model to all of our software, and test it thoroughly to make sure that it works correctly to secure -- and not destroy, like it could -- people's data (including our own!) And, apart from our own efforts, independent security researchers also pick 1Password apart to verify that it works the way we say it does and find any issues that we might need to address.

    Anyway, I'm sure you see why I suggested starting a new thread. :lol: Let me know what you think! ;)

    ref: web/support.1password.com#1781

  • Newsuer22
    Community Member

    Given the restrictions the browser places on extensions, and the very limited scope of even the things that are allowed, due to sandboxing, the scope is smaller to begin with.

    Thank you for answering so fast and thoroughly @brenty

    I had nothing specific in mind, but sandboxes are there to be broken out of. :D
    There are possibilities to break out of sandboxes on Windows too.
    The way I see it, the more permissions are allowed, the more possible it is that the exploit "needs" that one permission that is allowed.
    Correct me if I'm wrong, but nothing is "secure" in that way. Given the time there will always be hacks, exploits, bypasses etc.

    People would opt-out of some, and then later be baffled that 1Password was "broken" for the functionality that was disabled as a result.

    True, didn't think of that.

    It depends. Did you download it? What about someone who only uses 1Password X?

    Of course I did, and printed it too ;)
    Can you register for a new account on the extension?
    But either way I don't know why anyone would download the extension and THEN create an account.

    Again, we need to consider people other than you.

    Really? :(.
    But for real you're right, also I don't have any problems with it, as long you're not starting to disable other extensions than the ones from 1Password. :D

    While I appreciate that you may not want notifications yourself, they can be disabled in 1Password X Settings,

    Thanks, didn't know that, but the permission is still allowed.

    but it does sound like you appreciate that we need to be thinking of all 1Password users when we make these decisions.

    ^
    That's the most important thing when anyone offers a product. I often find myself denying specific things when taking in the majority of customers. No customer can be made 100% happy, if they have feature requests or design changes that will affect others too.

    Put another way, if you are comfortable installing a 1Password app on your device (which can do so much more with data across the OS, being free from the browser sandbox), I think there's good reason to also trust the extension.

    I trust the extension and the app, but I also want to point out that I have an interactive firewall active, so if the app wants to connect to the internet, I can deny it.
    The extension, on the other hand, connects through Chrome, for which I allowed all outbound connections, as it's a pain in the *** to allow hundreds of single connections to web servers.

    But of course you're right an app could do more damage.
    Even just deleting important files or encrypting the HDD would be devastating.
    At that point:
    People who are reading this and don't have a backup, BACKUP your important files or even better the whole HDD/SSD

    To sum it up, the reason I would love to have fewer permissions allowed, or optional ones, is that the more there are, the bigger the attack surface is when an exploit or bypass is found for the sandbox.
    But like I said maybe I'm not correct about this, I didn't read into how the sandbox from Chrome works.
    Also that wouldn't be a 1Password specific problem, but it would be one.

    Anyway, I'm sure you see why I suggested starting a new thread.

    Yes :D

  • AGAlumB
    1Password Alumni

    I had nothing specific in mind, but sandboxes are there to be broken out of. :D There are possibilities to break out of sandboxes on Windows too. The way I see it, the more permissions are allowed, the more possible it is that the exploit "needs" that one permission that is allowed. Correct me if I'm wrong, but nothing is "secure" in that way. Given the time there will always be hacks, exploits, bypasses etc.

    @Newsuer22: I won't correct you. You are absolutely right. :) What I will say though is the permissions the 1Password browser extension gets only even work in the browser context and would not be useful or dangerous if a sandbox issue is found in Chrome, for example.

    Can you register for a new account on the extension?

    Technically no, but the 1Password extension will direct you to sign into an account if you don't have one setup...and from there you can create one. :)

    But either way I don't know why anyone would download the extension and THEN create an account.

    Well, from a 1Password perspective I agree. But if you think about it, most apps work that way: you just go install them and use them. So I do understand why people might start by downloading the 1Password extension in their browser. It isn't ideal, but, as I mentioned above, there is a path that can be taken from there to sign up.

    But for real you're right, also I don't have any problems with it, as long you're not starting to disable other extensions than the ones from 1Password. :D

    Agreed 100%. We won't do that. We'd hate that ourselves, and, as a practical matter, we'd become very unpopular very quickly if we betrayed the trust people put in 1Password. :(

    That's the most important thing when anyone offers a product. I often find myself denying specific things when taking in the majority of customers. No customer can be made 100% happy, if they have feature requests or design changes that will affect others too.

    Yeah, it's tough. Certainly we'd like to make everyone happy...but when different people want opposite things (I'm not coming up with a good example at the moment, but there are plenty) it means that we can't do that. We have to choose, so we put security first, convenience a close second, and then do whatever we can to help the greatest number of people with both.

    But of course you're right an app could do more damage. Even just deleting important files or encrypting the HDD would be devastating.

    Absolutely. It's one thing if we made people angry by doing something like disabling their extensions, but if we did something that made them lose data it's game over.

    People who are reading this and don't have a backup, BACKUP your important files or even better the whole HDD/SSD

    Amen!

    To sum it up, the reason I would love to have fewer permissions allowed, or optional ones, is that the more there are, the bigger the attack surface is when an exploit or bypass is found for the sandbox. But like I said maybe I'm not correct about this, I didn't read into how the sandbox from Chrome works. Also that wouldn't be a 1Password specific problem, but it would be one.

    Thanks for not only the summary, but also such a great discussion! We don't have any plans currently to make the kinds of changes you're asking for, but we'll continue to evaluate how we do this. If it becomes feasible to offer more flexibility in this area without making compromises in usability, that would be cool. Cheers! :)

This discussion has been closed.