This is a staging forum for AgileBits, not an official support forum. Visit http://discussions.agilebits.com instead.

Expression of sorrow regarding the lack of HTTP Auth prompt support

mahoosive
edited 2011 08 in Mac
Releasing an update that cannot deal with HTTP Authentication prompts is amateur. Many of the websites I use require this kind of authentication and now I'm stuck copying and pasting long passwords from the main app. It's pathetic and if not resolved soon will result in me abandoning the software altogether. It's supposed to make your life easier and now it just complicates it. There are far too many other issues for this to be a public release.

Since making the switch to 1Password I've given it glowing recommendations to friends and family, some of whom have got on board. In its current state I wouldn't recommend it to anyone.

Comments

  • Hello mahoosive,



    We weren't happy about not being able to offer HTTP Authentication either, but the new Safari API placed restrictions on this functionality. Please review our FAQ regarding the issue: HTTP Authentication Prompts (http://help.agilebits.com/1Password3/http_auth.html)



    We hope to find a workaround in the future, but I do not have any timeline on when that may be feasible. I use a lot of sites that use HTTP Auth, and I miss it too. I hope we both see it sooner rather than later.



    Cheers!



    Brandt
  • ooglek
    ooglek Junior Member
    And now as of Firefox 6 on the Mac HTTP Auth is no longer supported! Really, truly, this sucks. 40% of the greatness of 1Password + Firefox was the support for HTTP Auth. Now that it is gone, well, 1password is less.



    Could you detect then brute force the request and re-submit it with the user/pass in the URL?
  • That's an option, we could potentially submit the username and password in the form of http://username:password@yoursite.com but that's massively insecure and would leave a trail in your browser history.



    We are looking at solutions for HTTP Auth. requests in the future, but anything we put in place needs to be secure. In all honesty, HTTP Auth. is outdated and unless it's going over HTTPS it's completely insecure; modern web forms are the best way for sites to handle logins. HTTP Auth. is a shortcut and an insecure one at that.
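
The two risks named in the reply above (credentials in a `http://username:password@yoursite.com` URL ending up in stored history, and HTTP Auth over plain HTTP being readable), shown as an added example that is not part of the original thread and is not AgileBits code. It runs under Node.js; the function names and sample URLs are assumptions made for illustration.

```javascript
// Added example (Node.js). All URLs below are constructed sample data.
const SAMPLE_HISTORY = [
  'https://intranet.example/wiki',
  'http://alice:s3cr3t%21@admin.example/admin/',
  'https://bob:hunter2@build.example:8443/status?job=7',
  'not a url',
];

// Replace any userinfo component so the URL is safe to store or log.
function redactUrl(raw) {
  const u = new URL(raw);
  if (u.username || u.password) {
    u.username = 'REDACTED';
    u.password = '';
  }
  return u.toString();
}

// The Basic Authorization header (RFC 7617) built from user:pass in a URL.
function basicHeaderFor(raw) {
  const u = new URL(raw);
  const pair = `${decodeURIComponent(u.username)}:${decodeURIComponent(u.password)}`;
  return 'Basic ' + Buffer.from(pair, 'utf8').toString('base64');
}

// Basic is base64, not encryption: anyone who sees the header recovers the password.
function decodeBasic(header) {
  const m = /^Basic\s+([A-Za-z0-9+/=]+)$/i.exec(header.trim());
  if (!m) return null;
  const text = Buffer.from(m[1], 'base64').toString('utf8');
  const i = text.indexOf(':');
  return i < 0 ? null : { user: text.slice(0, i), pass: text.slice(i + 1) };
}

// Flag history or log entries that carry credentials, redacted for reporting.
function auditUrls(urls) {
  const findings = [];
  for (const raw of urls) {
    let u;
    try { u = new URL(raw); } catch { continue; } // skip unparsable entries
    if (!u.username && !u.password) continue;
    findings.push({ url: redactUrl(raw), cleartext: u.protocol === 'http:' });
  }
  return findings;
}

console.log(auditUrls(SAMPLE_HISTORY));
```

Entries reported with `cleartext: true` are the ones whose password also crosses the network unencrypted, in addition to sitting in history or logs.
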
  • ooglek
    ooglek Junior Member
    Agreed, it is outdated and a less secure option is less desirable. Unfortunately in many cases, even at my current Fortune 100 tech-savvy employer, HTTP Auth is used. It's used as a backup for kerberos in some cases, and in others that's simply what is used. Easier I guess to have the web server handle the auth than an application.

    Regardless of its outdatedness, or AgileBits' opinion of HTTP Auth, it remains in use broadly and seemingly more heavily in the tech industry. Plus, losing features makes customers sad! :-)



    I would happily accept the risk of a less secure implementation. Likely you should make the option disabled by default and when I check it throw up a warning indicating that HTTP Auth support is a giant insecure hack that you do not recommend. Or make it a hidden option. Either way I'd prefer the hack than no HTTP Auth support at all. It is more likely that the password will be sniffed over the network than in the browser history, though I agree the user/pass in the history is also not good for security.
  • khad
    khad Social Choreographer
    As Stu mentioned, we are working on a solution for this. However, I can't share any further details and don't have a time frame for a specific release at the moment.

    Please let me know if there is anything else we can help with in the meantime.



    Cheers,
  • thanosd
    thanosd Junior Member
    So is there any Mac browser where HTTP Auth still works? Here's what I have so far: Chrome - NO. Safari - NO. FF6 - NO.



    Thanks



    Thanos
  • With 1Password 3.7.5 and newer, no, all current supported browsers use native JavaScript extensions and in all 3 cases these APIs don't provide us with access to the HTTP Auth. prompts.



    As such, we'll have to find another solution to support HTTP Auth. but as Khad mentioned we don't have a timeframe for when this may be available.
  • TerriZeee
    TerriZeee Junior Member
    Today as I'm logging in to my admins I realized that many of the admins that I logged into are protected first by HTTP Auth before getting to the script login page.



    This has been done to avoid hackers that find exploits in the scripts. An example would be OpenX which was hacked numerous times before adding HTTP Auth to the login process and has never been hacked since. So HTTP Auth is far from being dead and useless.
  • We're not saying HTTP Auth is dead, nor useless, but it is an older technology and unless it's being handled via HTTPS (though I'm sure in most cases it is if the site's admin is security conscious) then it's not secure at all.



    Where it is, sadly, dead is in the extensions APIs for the native extensions in Safari, Chrome and Firefox, without those we just can't access the HTTP Auth. prompts to have 1Password fill the details.
  • ooglek
    ooglek Junior Member
    khad wrote: "As Stu mentioned, we are working on a solution for this. However, I can't share any further details and don't have time frame for a specific release at the moment."



    Hey -- it's been about 12 days. I understand you aren't in a position for a time frame, but is this like a 1 month focused code sprint with a path in sight? Or like a 6 month argument with browser producers with no guaranteed positive outcome?
  • OP, blame Mozilla, Google and Apple. 1Password guys are trying to work within the boundaries of products like Chrome and Mozilla which have really fast release cycles AND are cracking down on plugins to make themselves more secure. Maybe you should post in their forums and put pressure on Mozilla/Apple/Google to allow extensions such as 1Password to work in their ecosystems.
  • ooglek wrote: "I understand you aren't in a position for a time frame, but is this like a 1 month focused code sprint with a path in sight? Or like a 6 month argument with browser producers with no guaranteed positive outcome?"

    Honestly, I just can't say, we need to spend time investigating the best solutions, this may not even involve the browsers themselves. If we can't find a solution then the ball may indeed lie in the court of Google, Apple and Mozilla.

    mekondelta wrote: "OP, blame Mozilla, Google and Apple."



    I think I've suggested this before, but my theory is that the new extensions frameworks are designed for interacting with website content, rather than the elements of the browser itself (which HTTP Auth is part of, it's implemented at a browser level rather than in the browser engine or website content) which I would imagine is because they want a more stable and secure browser setup.
  • talisto
    talisto Junior Member
    stu wrote: "That's an option, we could potentially submit the username and password in the form of http://username:password@yoursite.com but that's massively insecure and would leave a trail in your browser history."



    Since this is a potentially doable option, I think it should be seriously considered (albeit disabled-by-default and with the appropriate warnings). 1password is significantly less useful now that we've lost HTTP Auth support, and I would gladly trade a bit of "security" to have it back, especially considering a browser history trail isn't really a concern to me at all.
  • Hello talisto,



    As Stu mentioned, the option he mentioned is potentially feasible, but the risk-reward for implementing that particular format is not very palatable. Regardless, we do know that many users, including many team members, would love to see a form of HTTP Auth support, and I am confident that if there is a way to add this functionality without an unacceptable corresponding spike in security risk, we will find it.



    Cheers!



    Brandt
  • sandman4sure
    sandman4sure Junior Member
    If it is still possible to use the old way it worked in Firefox, I think you should have included that in the new version until you have found a new better way to do it (using the official FF API for new extensions).
  • Hello sandman4sure,



    Quoting our Browser Extensions FAQ ("FAQs and Known Issues with our new Browser Extensions"):

    "The current extension frameworks we're using for our new extensions do not allow us to integrate with the external windows in the browsers. We're working with the browser vendors to try to find a solution for this. We hope to bring this support back in the near future. In the meantime, please copy and paste between the browser and 1Password."



    I realize that from reading this thread, you are aware of this, but others who read this thread may not. Unfortunately, the current framework we are using does not allow us to include the integration that we used with prior browser versions.



    Indeed, we are working with the various browser vendors to look for a way to add HTTP Auth functionality back, and we do hope to add the functionality in the future. However, the previous coding solution we implemented is not supported with the latest stable versions of our current browser mix, and including HTTP Auth functionality in that way is not in our current plans.



    Regardless, we "never say never", and if there are any changes, we will let everyone know immediately.



    Cheers!



    Brandt