This is a staging forum for AgileBits, not an official support forum. Visit http://discussions.agilebits.com instead.
Access to preferences is permitted even before authentication
Feels like a security vuln to be able to access some of the app preferences before passing in the master password.
Things that could happen:
[list]
[*]An attacker could change the location of the password file in use, to somewhere he may control. (a network share or something)
[*]Similarly, it may collect backups elsewhere without the user's knowledge
[*]It may also change the behavior of login saving, and might force saving of logins to domains that were previously unsaveable.
[*]Once the preferences window is displayed, it opens the 1pw cache. (not sure if there's value there but let's assume it could start to watch truss output to figure out what's being written/read)
[/list]
ideal behavior: everything is prohibited till a password is entered, and the app will forcibly quit within a period of time if no password has been entered.
and, on that note, Dave et al: I would pay extra for a service which would store a secondary unlock code in a secure system (i.e. not connected to the internet, or whatever) of yours. I would have to pre-identify myself with good questions and answers, as well as documentary evidence of who I am. Then, my machine would be configured to lock out (and, permanently disable my key to unlock 1pw) until the second key was entered (and you had the chance to validate and verify my identity).
This would have to be owned/managed by an entity outside of any particular jurisdiction to prevent disclosure under the Patriot Act etc. :P
any chance you'd bite on that? :)
thanks!
Comments
Hey imajes,
Thanks for asking about this. It is good to be thinking about such things!
[quote]An attacker could change the location of the password file in use, to somewhere he may control. (a network share or something)[/quote]
This is not really a security threat since an attacker providing false information wouldn't really help him in any way. What an attacker really wants is access to your real information which this does not facilitate. There is no way to access your data without the master password. Additionally, if you ever have a corrupt data file (due to hard drive failure, etc.) which will not allow you to unlock it you will need to be able to point 1Password to a good backup copy without entering the master password for the (corrupt) data file.
[quote]Similarly, it may collect backups elsewhere out of the user's knowledge[/quote]
Although we don’t recommend making your 1Password database publicly available to the world, we have designed it so that your username and password data (along with other secret data stored within it) is protected no matter whose hands they fall into. You can find more details in our [url="http://help.agilebits.com/1Password3/cloud_storage_security.html"]Cloud Storage Security[/url] document which deals with these sorts of scenarios.
[quote]It may also change the behavior of login saving, and might force saving of logins to domains that were previously unsaveable.[/quote]
Again, this is only possible in the data file which you have access to through the knowledge of your master password. Autosave being on or off will have no benefit to someone who does not know your master password.
[quote]Once the preferences window is displayed, it opens the 1pw cache. (not sure if there's value there but lets assume it could start to watch truss output to figure out what's being written/read)[/quote]
Your unencrypted data is never written to disk. The cache is just as secure as your own data file which itself requires the master password to access.
[quote]ideal behavior: everything is prohibited till a password is entered, and the app will forceably quit within a period of time if no password has been entered.[/quote]
Certain preferences that [i]do[/i] have security implications [i]are[/i] inaccessible while 1Password is locked, but the ones which are available even while 1Password is locked do not provide a vector of attack.
[quote] I would pay extra for a service which would store a secondary unlock code in a secure system (i.e. not connected to the internet, or whatever) of yours. I would have to pre-identify myself with good questions and answers, as well as documentary evidence of who I am. Then, my machine would be configured to lock out (and, permanently disable my key to unlock 1pw) until the second key was entered (and you had the chance to validate and verify my identity).
This would have to be owned/managed by an entity outside of any particular jurisdiction to prevent disclosure under the patriot act etc.
any chance you'd bite on that?
[/quote]
I can see how this would appear beneficial at first, but a backdoor is a backdoor, and we have no plans to include one. I can see my mom getting locked out of her data with this system. :-)
Also, I'm not certain how such a system would work if it wasn't connected to the internet.
Perhaps I can get Jeff to weigh in here. Maybe I am missing something. [url="http://forum.agile.ws/index.php?/topic/2278-suggestion-emergency-password-for-family-in-case-of-death/"]We have had some very similar discussions in the past.[/url]
What do you think?
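The reply above rests on one property: everything that matters about the data file is bound to a key derived from the master password, so where the file lives, or who else can read it, does not change what an attacker can learn. The following is an added example written for this thread, not 1Password's own code or file format. It builds a toy vault (PBKDF2-derived keys, an HMAC-SHA256 counter-mode keystream with encrypt-then-MAC standing in for a real AEAD such as AES-GCM) and replays the three scenarios from the original post: the attacker copies the real vault away, the attacker rewrites the locked-state "data file" preference to point at a vault he controls, and the attacker tampers with the real vault's bytes. The iteration count, the path strings and the in-memory "disk" dictionary are constructed for the demo.

```python
"""Added example (not 1Password's code or format): a toy vault showing why the
data-file *location* is not the secret. Keys come from the master password;
a substituted, copied or tampered file yields a failed unlock, never plaintext.
The cipher is an HMAC-SHA256 CTR keystream with encrypt-then-MAC; a real
product would use a vetted AEAD (AES-GCM). All names/parameters are assumed."""
import hashlib
import hmac
import json
import os
import struct

PBKDF2_ITERATIONS = 100_000  # assumed value; tune to the target hardware
TAG_LEN = 32


class UnlockError(Exception):
    """Raised for wrong password, foreign vault, or tampered bytes."""


def derive_keys(master_password: str, salt: bytes) -> tuple:
    """Derive independent encryption and MAC keys from the master password."""
    km = hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt,
                             PBKDF2_ITERATIONS, dklen=64)
    return km[:32], km[32:]


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode: block i = HMAC(key, nonce || i)."""
    out = bytearray()
    for counter in range((length + 31) // 32):
        out += hmac.new(key, nonce + struct.pack(">Q", counter), hashlib.sha256).digest()
    return bytes(out[:length])


def seal_vault(items: dict, master_password: str) -> bytes:
    """Encrypt items into a self-contained blob: salt(16)||nonce(16)||ct||tag(32)."""
    salt, nonce = os.urandom(16), os.urandom(16)
    k_enc, k_mac = derive_keys(master_password, salt)
    plaintext = json.dumps(items, sort_keys=True).encode()
    ciphertext = bytes(a ^ b for a, b in zip(plaintext, _keystream(k_enc, nonce, len(plaintext))))
    tag = hmac.new(k_mac, salt + nonce + ciphertext, hashlib.sha256).digest()
    return salt + nonce + ciphertext + tag


def unlock_vault(blob: bytes, master_password: str) -> dict:
    """Verify the tag *before* decrypting, so nothing is exposed on failure."""
    if len(blob) < 32 + TAG_LEN:
        raise UnlockError("vault too short")
    salt, nonce, ciphertext, tag = blob[:16], blob[16:32], blob[32:-TAG_LEN], blob[-TAG_LEN:]
    k_enc, k_mac = derive_keys(master_password, salt)
    expected = hmac.new(k_mac, salt + nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise UnlockError("wrong master password, foreign vault, or tampered data")
    plaintext = bytes(a ^ b for a, b in zip(ciphertext, _keystream(k_enc, nonce, len(ciphertext))))
    return json.loads(plaintext)


def open_vault_from_prefs(prefs: dict, disk: dict, master_password: str) -> dict:
    """prefs['data_file'] models the preference an attacker could rewrite while
    the app is locked; `disk` is a constructed stand-in for the filesystem."""
    return unlock_vault(disk[prefs["data_file"]], master_password)


def demo() -> dict:
    """Replay the thread's three scenarios and report what the attacker gets."""
    user_vault = seal_vault({"example.com": {"user": "alice", "pw": "correct horse"}}, "user-master")
    attacker_vault = seal_vault({"example.com": {"user": "alice", "pw": "planted"}}, "attacker-master")
    disk = {"/Users/alice/vault.dat": user_vault,            # constructed paths
            "/Volumes/attacker-share/vault.dat": attacker_vault}
    prefs = {"data_file": "/Users/alice/vault.dat"}
    results = {"legit_unlock_ok":
               open_vault_from_prefs(prefs, disk, "user-master")["example.com"]["user"] == "alice"}
    # 1) Attacker copies the real vault elsewhere: unreadable without the master password.
    try:
        unlock_vault(user_vault, "attacker-master")
        results["stolen_copy_readable"] = True
    except UnlockError:
        results["stolen_copy_readable"] = False
    # 2) Attacker repoints the locked-state preference at a vault he controls.
    prefs["data_file"] = "/Volumes/attacker-share/vault.dat"
    try:
        open_vault_from_prefs(prefs, disk, "user-master")
        results["swapped_vault_unlocks"] = True
    except UnlockError:
        results["swapped_vault_unlocks"] = False
    # 3) Attacker flips one ciphertext byte in the real vault: caught before decryption.
    tampered = user_vault[:40] + bytes([user_vault[40] ^ 1]) + user_vault[41:]
    try:
        unlock_vault(tampered, "user-master")
        results["tamper_detected"] = False
    except UnlockError:
        results["tamper_detected"] = True
    return results


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows the legitimate unlock succeeding and all three attacker moves ending in `UnlockError`: a vault sealed under the attacker's password simply does not authenticate under the user's keys, so repointing the data-file preference costs the user an unlock, not a secret. The residual risks the toy does not model are the ones the original post hints at but the thread does not resolve, namely whether *new* items could later be saved into an attacker-chosen location; a real client would pin the vault's identity (for example its salt) inside the authenticated data before accepting writes.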