This is a staging forum for AgileBits, not an official support forum. Visit http://discussions.agilebits.com instead.
1Password and Sandboxing
Initially I was super positive about 1Password and decided to buy the app right away after using it for a bit and checkout out the feature overview, it looked like it was exactly what I have been looking for for a long time.
Unfortunately I has caused me a LOT of grief already since I bought it, browser extensions not working, the program hanging, popping up every 10 seconds while it was minimized etc.
I've got it to work now, but I just wanted to share my path so far, so that you know...
I am pretty paranoid about my data and thus I run everything from a TrueCrypt volume. My documents, dropbox, profiles for the browsers, source code.
All that stuff sits in the truecrypt volume with symlinks pointing to it from the normal filesystem locations.
The first thing that costed a lot of my time was trying to get my db in the dropbox to sync it between my iMac and my MBP. After quite a bit of time I found on the forum that this was because the app was sandboxed and you were assuming the default Dropbox location. So the first thing I had to do was move my dropbox files out of my encrypted volume, which is already against my principles.
Next up: the browser extensions... they were installed without any issue, however they could not connect to the agent... I think I have seen a lot of errors and looked at every topic but what was the problem in the end? Exactly, the sandboxing again! Because my profiles are in a custom location the sandbox was denying read access to the plugin or something. This resulted in 1Password being reloaded every 10 seconds to try again. So every 10 seconds it just popped up. I ended up by also moving my browser profiles out of my encrypted volume to have them back in the default locations. Both for FF and Chrome.
I reinstalled everything and so far its working.
To be really honest: I paid EUR40 for an app that is sandboxed but gives me a [b]less secure feeling[/b] about my system overall.
I will keep on using it, because it is a very good app overall, but I'd like to see custom locations for the involved apps supported in a decent way, because this is ridicoulous.
Basically I would really like to move all my application data back in my secure volume asap.
I can't imagine I'm the only one who likes to have everything personal secure in case of theft?
Unfortunately I has caused me a LOT of grief already since I bought it, browser extensions not working, the program hanging, popping up every 10 seconds while it was minimized etc.
I've got it to work now, but I just wanted to share my path so far, so that you know...
I am pretty paranoid about my data and thus I run everything from a TrueCrypt volume. My documents, dropbox, profiles for the browsers, source code.
All that stuff sits in the truecrypt volume with symlinks pointing to it from the normal filesystem locations.
The first thing that costed a lot of my time was trying to get my db in the dropbox to sync it between my iMac and my MBP. After quite a bit of time I found on the forum that this was because the app was sandboxed and you were assuming the default Dropbox location. So the first thing I had to do was move my dropbox files out of my encrypted volume, which is already against my principles.
Next up: the browser extensions... they were installed without any issue, however they could not connect to the agent... I think I have seen a lot of errors and looked at every topic but what was the problem in the end? Exactly, the sandboxing again! Because my profiles are in a custom location the sandbox was denying read access to the plugin or something. This resulted in 1Password being reloaded every 10 seconds to try again. So every 10 seconds it just popped up. I ended up by also moving my browser profiles out of my encrypted volume to have them back in the default locations. Both for FF and Chrome.
I reinstalled everything and so far its working.
To be really honest: I paid EUR40 for an app that is sandboxed but gives me a [b]less secure feeling[/b] about my system overall.
I will keep on using it, because it is a very good app overall, but I'd like to see custom locations for the involved apps supported in a decent way, because this is ridicoulous.
Basically I would really like to move all my application data back in my secure volume asap.
I can't imagine I'm the only one who likes to have everything personal secure in case of theft?
Flag
0
Comments
-
Hi Blizz,
Welcome to the forums. You are absolutely correct that the sandboxing requirements for 1Password 3.9 don't allow us to hunt around for the Drobpox folder location. We have to specify "entitlements" for the application which include what files and folders we can look at. This means that the Dropbox folder needs to be in its default location.
We worked with the Dropbox developers to see if we could work around this using symbolic links, but we weren't able to find a way to do that. There is discussion of this both in our forums and the Dropbox forums, if you want to explore what people have tried. But no one has found a solution. One thing that you can do, at least for the time being, is use the non-MAS version of 1Password (send me a PM on the forums so that I can try to sort out licensing stuff). That version doesn't have the sandboxing restrictions.
The broader lesson is that the increased security that we get through sandboxing requirements does limit user customization. In your case, your user customization does improve security, but we've also found that when users try to "out smart" the system, they often weaken their security without knowing it. One theme that I can talk far too much about is that many security trade offs are not between "convenience" and "security" but are between security in one respect verses security in another respect.
We have made some recent improvements in detecting browser profiles in non-default locations, but I don't think we are yet at the point where you can move them about just yet. (Mostly we have better error reporting and detection in this regard.)
We really want 1Password to work the way you work, but sandboxing really does require explicit assumptions about where things are. So I only very reluctantly suggest that change the way you use disk volume encryption. Filevault in OS X Lion is dramatically improved from previous versions, and you may wish to explore that.
Cheers,
-jFlag 0 -
Thank you for the reply. It's not often that you make a post like this and get an honest reply about it from the company behind the product.
I myself am a developer and thus I can perfectly imagine the issues you face with the sandboxing.
I just needed to vent my frustration. TBH, the fact that I couldn't find any relevant info was more frustrating that the actual problem itself.
For example the agent support page (when the plugin reports that it cannot connect to agent) is referring to a restart helper link under the "help > request" menu, while it seems its not there in the MAS version (or at least I couldn't find it). There are other places too that seem to have outdated info. Might be a good idea to put on those pages that they are about the non MAS version?
In total I've spent between 3 and 4 hours trying to get everything working and was wishing I never bought 1P at all. This is a frustration for your customers that can be easily avoided IMHO.
Just add a remark about the use of dropbox (and perhaps mention that this applies to involved browsers as well) that the files are expected to be in the default locations. Or instead of simply disabling the "Use dropbox" button, add a tooltip like "Either you don't have dropbox or we couldn't find it in the default location" will help people as well.
I'm pretty sure all that would lower the complaints (and probably make your support team happier as well <img src='http://forum.agilebits.com/public/style_emoticons/<#EMO_DIR#>/smile.png' class='bbc_emoticon' alt=':)' /> ). On the MAS page there is at the very least 1 customer complaining about dropbox no longer working, pretty sure he has the same issue.
As for your suggestion regarding filevault: I've looked in to it but I found several claims that it lowers the performance of a MBP by as much as 30%, worst case scenario, which is why I went for encryption only on the files that need it.Flag 0 -
[quote]Thank you for the reply. It's not often that you make a post like this and get an honest reply about it from the company behind the product.[/quote]
On behalf of Jeff, you are quite welcome! We all love helping folks, but I know Jeff especially enjoys some of the more technical discussion. <img src='http://forum.agilebits.com/public/style_emoticons/<#EMO_DIR#>/skype_smile.png' class='bbc_emoticon' alt=':-)' />
[quote]it). There are other places too that seem to have outdated info. Might be a good idea to put on those pages that they are about the non MAS version?[/quote]
Thanks for mentioning this, Blizz. There have been so many changes lately that it can be fun trying to keep up with all of them. I'll mention this to the developers so we can make things a bit clearer going forward.
[quote]Or instead of simply disabling the "Use dropbox" button, add a tooltip like "Either you don't have dropbox or we couldn't find it in the default location" will help people as well.
I'm pretty sure all that would lower the complaints (and probably make your support team happier as well <img src='http://forum.agilebits.com/public/style_emoticons/<#EMO_DIR#>/smile.png' class='bbc_emoticon' alt=':)' /> ).[/quote]
You surely have my vote. <img src='http://forum.agilebits.com/public/style_emoticons/<#EMO_DIR#>/laugh.png' class='bbc_emoticon' alt=':lol:' /> I will mention this to the developers as well. We have a great support article about this which we could link to instead of or in addition to having a disabled "Use Dropbox" button.
[quote]As for your suggestion regarding filevault: I've looked in to it but I found several claims that it lowers the performance of a MBP by as much as 30%, worst case scenario, which is why I went for encryption only on the files that need it. [/quote]
The previous version of FileVault was much worse from a performance perspective, but Lion's FileVault 2 has almost nothing in common with its predecessor (except that things are being encrypted). My own experience lines up more with the results seen in [url="http://osxdaily.com/2011/08/10/filevault-2-benchmarks-disk-encryption-faster-mac-os-x-lion/"]this OS X Daily article[/url]:
[quote]Bottom line: if you have a Core i3, Core i5, or Core i7 processor, you’ll barely notice the impact of disk encryption, regardless of whether you’re using an SSD or traditional platter drive. Is a tiny performance hit worth the peace of mind of total data security? You’ll have to decide, but if you have sensitive data and a newer CPU on your Mac, it probably is.[/quote]
I hope that helps. If we can be further assistance, please let us know. <img src='http://forum.agilebits.com/public/style_emoticons/<#EMO_DIR#>/skype_bigsmile.png' class='bbc_emoticon' alt=':-D' />Flag 0