There are a few ways to copy your secret key (depending on your OS), but on Windows, I open the 1Password app, go to Account, mouse over the secret key, then click Copy. Almost automatically, I then installed Synergy and copy/pasted the 1Password secret key over (just as if my new Windows computer were a 2nd screen off my Mac) from 1Password on the old computer directly to 1Password on the new computer. End of post.

But, it got me thinking: a lot of people don't know that it can be done this simply and easily. So how does everyone else do it? Well, most people probably Google for something like "how to copy 1password to another computer". According to the top result, one approach suggested on the 1Password forums (back in 2015) was to use Dropbox. Certainly, Dropbox is a great tool (there's also Google Drive), but for something as simple as a string of text, using cloud file sharing is unnecessarily complicated. Instead of just copy/pasting your secret key (like in Synergy), with Dropbox you have to create a file, wait for it to be uploaded to the cloud, then wait for it to download on your other computer (or use the web UI), open the file, then copy, and finally paste the secret key into 1Password.

Not only could 1password be hacked, they probably already have. Assuming that you have already been hacked is one of the cornerstones of modern security practice. Even if their specific hackers haven't got access to their encryption keys, it is very likely that they'll just be voluntarily giving these keys away to a requesting government agency. I'm something of an expert on secrets management, having designed and implemented secrets management systems for large banks. I strongly believe that if an external party has ever, even potentially, had access to a secret then it should be considered to have been disclosed, unsafe, and no longer a secret. Actually, I also believe that if a human ever has, even potentially, access to a secret, then it is also no longer considered to be secret.

Having said all that, the problem of 'initial trust' is difficult to solve. Generating an asymmetric key on your trusted device (say, your phone) and sharing one half of it with 1password to use as an encryption key while your device performs all the cryptography functions would be much safer, but would limit you to using your phone to interact with the service, and would depend on the strength of your phone's security (e.g. Samsung/Knox is the only trusted platform for most banks). The current scheme allows government oversight and access by hackers and cannot be trusted. But, it might be safer than your current scheme, so what to do with this info is still in your court.

If the 1Password website were somehow already compromised when I created an account, couldn't an attacker have the info they need from me now to decrypt my data, or am I missing something? And not only would you be vulnerable to this type of attack when you create your account – but you would be vulnerable to this type of attack any time you log in to your account through 1Password's web interface. This is because of the infamous browser crypto chicken-and-egg problem. 1Password acknowledges this.

On I sent the following email to 1Password Support:

I'm emailing you today with a question for

Also, your whitepaper at claim on page 2, where it reads, 'Server ignorance - We are never in the position of learning your Master Password or your cryptographic

However, with regard to 1Password's web app, it would seem that if 1Password were to 'go rogue' (or if 1Password were to be coerced, or if an attacker were to gain access to 1Password's servers, etc.), it would be possible for 1Password to modify the client-side code served by 1Password's servers, such that the code captures the user's master password or private keys, and sends these keys back to 1Password's

'The Browser Crypto Chicken and Egg Problem' by security researcher