"Exception caught when connecting to helper" and "Could not connect on port…" system.log entries

adam667
Community Member
edited May 2013 in 1Password 3 – 7 for Mac

Hi,

My system.log is overwhelmingly full of messages of the form:

May 15 09:26:12 dali [0x0-0x700700].org.mozilla.firefox[43313]: error: onepassword: [AGENT] Exception caught when connecting to helper: null -

Each time this error happens (and it happens often, although I haven't dug to see the cause), I get 12 nearly identical messages:

May 15 09:26:12 dali [0x0-0x700700].org.mozilla.firefox[43313]: error: onepassword: [AGENT] Exception caught when connecting to helper: null -
May 15 09:26:12 dali [0x0-0x700700].org.mozilla.firefox[43313]: error: onepassword: [AGENT] Could not connect on port 25007; trying again on next port.
May 15 09:26:12 dali [0x0-0x700700].org.mozilla.firefox[43313]: error: onepassword: [AGENT] Exception caught when connecting to helper: null -
May 15 09:26:12 dali [0x0-0x700700].org.mozilla.firefox[43313]: error: onepassword: [AGENT] Could not connect on port 38151; trying again on next port.
May 15 09:26:12 dali [0x0-0x700700].org.mozilla.firefox[43313]: error: onepassword: [AGENT] Exception caught when connecting to helper: null -
May 15 09:26:12 dali [0x0-0x700700].org.mozilla.firefox[43313]: error: onepassword: [AGENT] Could not connect on port 46360; trying again on next port.
May 15 09:26:12 dali [0x0-0x700700].org.mozilla.firefox[43313]: error: onepassword: [AGENT] Exception caught when connecting to helper: null -
May 15 09:26:12 dali [0x0-0x700700].org.mozilla.firefox[43313]: error: onepassword: [AGENT] Could not connect on port 49801; trying again on next port.
May 15 09:26:12 dali [0x0-0x700700].org.mozilla.firefox[43313]: error: onepassword: [AGENT] Exception caught when connecting to helper: null -
May 15 09:26:12 dali [0x0-0x700700].org.mozilla.firefox[43313]: error: onepassword: [AGENT] Could not connect on port 55730; trying again on next port.
May 15 09:26:12 dali [0x0-0x700700].org.mozilla.firefox[43313]: error: onepassword: [AGENT] Exception caught when connecting to helper: null -
May 15 09:26:12 dali [0x0-0x700700].org.mozilla.firefox[43313]: error: onepassword: [AGENT] Could not connect on port 59483; trying again on next port.

It would be great to fix the root cause of this, but it would also be great to simply log the first one and then a summary of the ports you tried.

I suspect the root cause may be Little Snitch blocking the loopback, but as I said, I haven't dug in.

Comments

  • khad
    1Password Alumni

    Yeah, it's probably Little Snitch.

    1Password manages the data exchange between itself and the browser extensions through WebSocket. This allows the 1Password background process to communicate with the browser extensions while still respecting the sandboxing rules enforced by modern web browsers. Although these appear as network connections, they are limited to your local machine. These connections are encrypted and authenticated, so they cannot be used to deliver information to any other processes beyond the extensions and the main 1Password application.

    If the connections are blocked for any reason, the extension will not be able to connect to 1Password, and no data transfer can occur. The most common symptom of this problem is a Helper Not Connected error in the browser extension. The simplest solution is to ensure that local connections are not blocked on 127.0.0.1 by a proxy server or software firewall.

    The specific ports that 1Password uses through its WebSocket connections are 6258, 10191, 14821, 24861, 25007, 38151, 46360, 49801, 55730, 59483, but it is much simpler to just allow all connections to 127.0.0.1 (localhost).

  • adam667
    Community Member

    Thanks! Cross-posting to the LS forum here http://forums.obdev.at/viewtopic.php?f=1&t=8443

  • khad
    1Password Alumni
    edited May 2013

    On second thought, Little Snitch shouldn't be blocking any local connections unless you configured it to do so. I don't believe its default configuration should interfere with 1Password's WebSocket communications. Have you changed something that would impede this?

  • adam667
    Community Member

    I've changed the defaults in LS to allow fewer connections to Apple & iCloud, but don't believe that should impact this. I have the default "any process" rules which allow incoming connections from local network, and have added an explicit rule for FF to allow connect from 127.0.0.1. I've also checked the OS advanced firewall rules, and 1Password is set to allow incoming connections; Firefox isn't mentioned.

  • khad
    1Password Alumni

    Does the issue disappear if you quit Little Snitch? That would be a simple test to see if the issue is in Little Snitch or elsewhere.

  • adam667
    Community Member

    I've used their "stop network filter" and "silent mode", and neither impacted on this. It turns out the problem was my RequestPolicy FF plugin. I think that's a useful block (after all, I don't want random websites connecting to localhost), and I wonder if (as a feature suggestion), moving to a named pipe would work as well as the localhost connections?

  • khad
    1Password Alumni

    We have a support article on configuring RequestPolicy. It sounds like you already know how to do so, but here are the step-by-step instructions:

    How To: Configure the RequestPolicy Firefox Extension

    If you would like to specifically limit access to just those localhost ports that the 1Password Helper listens on you can restrict to ports 6258, 10191, 14821, 24861, 25007, 38151, 46360, 49801, 55730 and 59483. (The 1Password Helper will first try using 6258, but if that is occupied by something else it will then try 10191, and so on. This will particularly come into play if you have more than one user on the same machine using 1Password.)

    Note that a connection to localhost/127.0.0.1 is to your own machine only. 1Password does not make any connections to the network beyond your machine, and this one is used so that 1Password in the browser can talk to the 1Password application on your Mac for syncing data.

    There are many ways on the Mac for opening up interprocess communication (named pipe, unix socket, etc), but using a WebSocket on localhost is the only mechanism that complies with both the security requirements of browser extensions and of Apple's sandboxing rules.

    With whatever mechanism we used, 1Password extension and the 1Password Helper mutually authenticate with each other to ensure that it can't be tricked into exchanging data with the wrong instance.

    You can read more about all of the network connections that 1Password or its components make in this document:

    http://help.agilebits.com/1Password3/outbound_connections.html

    I hope that this helps clarify things. Again, by enabling Firefox to talk to WebSockets on your own computer, you aren't opening any floodgates. But if you do wish to specify particular ports you can do so using the list from above.

    Cheers!
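
Added example (not 1Password's code and not part of any post in this thread): a Python filter that collapses each burst of these system.log entries into one summary record, as requested in the first post, and checks the failed ports against the port list given in the comment above. The function names and record fields are assumptions of this example; the sample burst is rebuilt from the log lines in the first post.

```python
import re

# Helper ports in the order listed in the thread (6258 is tried first).
DOCUMENTED_PORTS = [6258, 10191, 14821, 24861, 25007, 38151, 46360, 49801, 55730, 59483]

# syslog prefix plus the extension's "[AGENT]" message body, as posted above.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ (?P<proc>\S+)\[(?P<pid>\d+)\]: "
    r"error: onepassword: \[AGENT\] (?P<msg>.*)$")
PORT_RE = re.compile(r"Could not connect on port (\d+);")

def summarize(lines):
    """Collapse each burst (same timestamp, process and pid) into one record."""
    bursts = {}
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not a 1Password extension message
        b = bursts.setdefault((m["ts"], m["proc"], int(m["pid"])),
                              {"exceptions": 0, "ports": []})
        port = PORT_RE.search(m["msg"])
        if port:
            b["ports"].append(int(port.group(1)))
        elif m["msg"].startswith("Exception caught when connecting to helper"):
            b["exceptions"] += 1
    return [{
        "ts": ts, "proc": proc, "pid": pid,
        "exceptions": b["exceptions"],
        "ports_failed": b["ports"],
        # A port outside the documented list is not expected in these messages.
        "undocumented": [p for p in b["ports"] if p not in DOCUMENTED_PORTS],
        # Documented ports with no failure line in this burst.
        "not_logged": [p for p in DOCUMENTED_PORTS if p not in b["ports"]],
    } for (ts, proc, pid), b in bursts.items()]

def one_line(rec):
    """Render a record as the single summary line the first post asks for."""
    ports = ", ".join(map(str, rec["ports_failed"])) or "none"
    return (f'{rec["ts"]} {rec["proc"]}[{rec["pid"]}]: helper unreachable, '
            f'{rec["exceptions"]} exceptions, ports failed: {ports}')

# Sample input: the 12-line burst from the first post, rebuilt line by line.
PREFIX = ("May 15 09:26:12 dali [0x0-0x700700].org.mozilla.firefox[43313]: "
          "error: onepassword: [AGENT] ")
SAMPLE = []
for p in (25007, 38151, 46360, 49801, 55730, 59483):
    SAMPLE.append(PREFIX + "Exception caught when connecting to helper: null -")
    SAMPLE.append(PREFIX + f"Could not connect on port {p}; trying again on next port.")

if __name__ == "__main__":
    for rec in summarize(SAMPLE):
        print(one_line(rec))
```
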

  • adam667
    Community Member

    Thanks!

    May I suggest that you add the syslog lines to the RP article to aid searchers?

  • MikeT

    Hi Adam,

    Done, thanks for your great suggestion, we appreciate it!

This discussion has been closed.