This is a staging forum for AgileBits, not an official support forum. Visit http://discussions.agilebits.com instead.
Data Not Secure Enough
URLs show in cache files unencrypted
Hi! I purchased 1Password recently (this week) and just found out 1Password cache files show stored URLs unencrypted.
1Password cache file is here: ~/Library/Caches/1Password/default-datafile.cache
Opening this file in Text Wrangler I can clearly read URLs like:
http://forums.sketchucation.com/ucp.php?mode=login
http://XXXXX.com/web/wp-login.php?redirect_to=http%3A%2F%2FXXXXX.com%2Fweb%2Fwp-admin%2Ftheme-editor.php&reauth=1
and so on...
Say the url you are saving is something like "ftp://user:password@ftpserver.com/url-path" EVERYTHING is EXPOSED!
I love 1Password's easiness, workflow and integration, but having unencrypted cache files is a MAJOR CONCERN for me.
I hope there will be a fix for this very soon.
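An added example, not code from the original post or from AgileBits, of the check the poster is describing: scan a file for plaintext URL strings and flag any that carry credentials in the userinfo part (the `ftp://user:password@host` case), reporting them in redacted form. The sample bytes below are constructed to mimic a cache with binary filler and a few URLs; the only value taken from the post is the default cache path.

```python
import os
import re
import sys
from urllib.parse import urlsplit, urlunsplit

# Constructed sample of what an unencrypted cache might contain: binary
# filler interleaved with plaintext URLs. Not a real 1Password file.
SAMPLE_CACHE = (
    b"\x00\x01binary-header\x00"
    b"http://forums.sketchucation.com/ucp.php?mode=login\x00"
    b"http://example.com/web/wp-login.php?redirect_to=http%3A%2F%2Fexample.com%2Fwp-admin&reauth=1\x00"
    b"ftp://alice:s3cret@ftp.example.net/backup/\x00"
    b"\xff\xfenot a url\x00"
)

# Cache location named in the post; used only when no path is given on the command line.
DEFAULT_CACHE_PATH = "~/Library/Caches/1Password/default-datafile.cache"

# A URL runs from a scheme until a control character, space or quote/bracket.
URL_RE = re.compile(rb"(?:https?|ftp)://[^\x00-\x20\"'<>]+")


def extract_urls(blob: bytes) -> list:
    """Return every plaintext URL-like string found in a binary blob, in order."""
    return [m.group(0).decode("ascii", errors="ignore") for m in URL_RE.finditer(blob)]


def has_embedded_credentials(url: str) -> bool:
    """True when the URL's authority carries a username and/or password (user:pass@host)."""
    parts = urlsplit(url)
    return parts.username is not None or parts.password is not None


def redact(url: str) -> str:
    """Replace the userinfo part with a marker so a report does not re-expose the secret."""
    parts = urlsplit(url)
    if not has_embedded_credentials(url):
        return url
    host = parts.hostname or ""
    if parts.port:
        host += f":{parts.port}"
    return urlunsplit((parts.scheme, f"[REDACTED]@{host}", parts.path, parts.query, parts.fragment))


def audit(blob: bytes) -> dict:
    """Count plaintext URLs and list (redacted) the ones that embed credentials."""
    urls = extract_urls(blob)
    leaking = [redact(u) for u in urls if has_embedded_credentials(u)]
    return {"plaintext_urls": len(urls), "with_credentials": leaking}


if __name__ == "__main__":
    path = os.path.expanduser(sys.argv[1] if len(sys.argv) > 1 else DEFAULT_CACHE_PATH)
    with open(path, "rb") as fh:
        data = fh.read()
    report = audit(data)
    print(f"{report['plaintext_urls']} plaintext URL(s) found in {path}")
    for entry in report["with_credentials"]:
        print("credentials embedded:", entry)
```

Run it with no argument to inspect the cache file named in the post, or pass another path. The report prints only a count of plaintext URLs and the credential-bearing ones with the userinfo replaced, so the audit itself does not write the secret anywhere new.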
Comments
Hey there, jvnvr! Welcome to the forums!
This has been [url="http://forum.agile.ws/index.php?/topic/1958-all-information-is-not-encrypted/"]discussed in great detail in another thread[/url], and is described in our [url="http://help.agile.ws/1Password3/agile_keychain_design.html"]AgileKeychain design document[/url] in the knowledgebase.
Our nascent next-gen data format will be completely encrypted, but I do not have a timeframe for when that will be available.
If you have any specific questions, just ask. We are always here to help. :)
[quote name='brenty' timestamp='1311244155' post='32607']
Our nascent next-gen data format will be completely encrypted, but I do not have a timeframe for when that will be available.
[/quote]
No rush, no pressure, I'm another user eager to get this issue resolved. I do hope it's weeks and not months away. It's scaring me away from fully migrating to 1P until it's resolved. Having naked URLs in the data isn't safe at all.
[quote name='CurbedEnthusiasm' timestamp='1312764192' post='37565']
No rush, no pressure, I'm another user eager to get this issue resolved. I do hope it's weeks and not months away. It's scaring me away from fully migrating to 1P until it's resolved. Having naked URLs in the data isn't safe at all.
[/quote]
We will make this a reality as soon as we are able. I agree that this is a privacy concern, which is why we are building this into the upcoming 1Password format. Just keep in mind that your browser keeps a record of these as well and the URLs are necessarily being transmitted (through your ISP) over the internet in order to reach the appropriate web server so that you can get a response with the requested data. Even using secure tunneling, there has to be an endpoint at which your traffic is sent out onto the public internet.
I don't mean to alarm you, but even once 1Password has all this data encrypted, the battle is far from over. After all, you have much greater control over who accesses your locally stored data than what is being broadcast over the internet. Sadly, we are fighting a losing battle for our privacy. Hopefully we will be able to win in the long run. Only time will tell.
[quote name='brenty' timestamp='1312765849' post='37568']
We will make this a reality as soon as we are able. I agree that this is a privacy concern, which is why we are building this into the upcoming 1Password format. Just keep in mind that your browser keeps a record of these as well and the URLs are necessarily being transmitted (through your ISP) over the internet in order to reach the appropriate web server so that you can get a response with the requested data. Even using secure tunneling, there has to be an endpoint at which your traffic is sent out onto the public internet.
I don't mean to alarm you, but even once 1Password has all this data encrypted, the battle is far from over. After all, you have much greater control over who accesses your locally stored data than what is being broadcast over the internet. Sadly, we are fighting a losing battle for our privacy. Hopefully we will be able to win in the long run. Only time will tell.
[/quote]
Thanks for the speedy response, Brent. I'm glad to hear it's being treated as an important issue there. :) Yes, I do agree privacy is a losing battle, however my main concern is really just Dropbox having another security slip-up and then someone being able to parse through the 1P data and scrounge around for URLs and other unencrypted data. I realize there's a tonne of other places that this data can be and *is* exposed, but I can control my device(s) and my net connection (to a certain point) but I can't control Dropbox. And for better or worse, it's the only way to use 1P these days with multiple devices/platforms. For what it's worth, I think that is a bad thing (relying on Dropbox), but the Dropbox argument has been done to death here, I know. ;)
I feel once the 1P data is completely encrypted, I will be able to at least breathe easier to the point that I'm not concerned about the data being out there on Dropbox/AmazonS3, etc.
[quote name='CurbedEnthusiasm' timestamp='1312766466' post='37574']
I realize there's a tonne of other places that this data can be and *is* exposed, but I can control my device(s) and my net connection (to a certain point) but I can't control Dropbox.
I feel once the 1P data is completely encrypted, I will be able to at least breathe easier to the point that I'm not concerned about the data being out there on Dropbox/AmazonS3, etc.
[/quote]
Excellent point! I think that is the best assessment of why we need to do this that I have ever seen. Dropbox and S3 are great, but there are no guarantees. Having stronger full encryption that you control can go a long way toward both overall security and peace of mind. It is no longer a matter of "if" but of "when", and I am looking forward to it myself. :)