Tuesday, May 30, 2017

1Password Travel Mode

Rick Fillion (MacRumors):

Travel Mode is a new feature we’re making available to everyone with a 1Password membership. It protects your 1Password data from unwarranted searches when you travel. When you turn on Travel Mode, every vault will be removed from your devices except for the ones marked “safe for travel.” All it takes is a single click to travel with confidence.

[…]

Your vaults aren’t just hidden; they’re completely removed from your devices as long as Travel Mode is on. That includes every item and all your encryption keys. There are no traces left for anyone to find. So even if you’re asked to unlock 1Password by someone at the border, there’s no way for them to tell that Travel Mode is even enabled.

[…]

Travel Mode is limited to 1Password.com accounts, and there’s no way to directly interact with it within the apps themselves. It’s an example of a feature that’s now possible with a centralized service that can coordinate everything for all of your devices, and provide a place to control settings outside of the apps themselves.

Tom S:

While I can’t speak for the AgileBits team, the major theme behind Travel Mode seems to be the fact that the data isn’t present on your device and that there’s no possible way to get around it. Even if a comparable, modified approach could be managed by splitting up vault files, all of that data could still be accessed indirectly via Dropbox/iCloud. There’s no way around that without third-party access.

[…]

Unless you logout of Dropbox on your phone/laptop/other devices, trash the 1Password files in your ~/Dropbox folder on your laptop, and remove your Dropbox info from 1Password, the data is still indirectly accessible. And as such, border agents have a viable—albeit indirect—route to access it.

So it seems like there’s a good reason that this particular feature is only available when syncing via 1Password.com. I can see why 1Password.com is the future, as it provides a better experience for most users, requires less support from the developer, and has a subscription business model. Yet it’s sad that the old syncing methods are basically in maintenance mode, when they offered some advantages of their own.

1Password is an essential app for me, so I wouldn’t really mind paying for a subscription except that I’m not that keen to use their cloud service. I like that I don’t have to give them my (encrypted) data or depend on their server for syncing to work. I like having direct access to the sync files. I like that I can deny the 1Password app network access (at least on the Mac). I like that, thanks to 1PasswordAnywhere, my passwords are accessible offline without the need for an app. This was a deciding factor in getting me to start using 1Password back in the day. It still gives peace of mind, even though it’s no longer viewable on Dropbox. Unfortunately, it doesn’t sound like there are any plans to support it with 1Password.com.

Also unfortunately, the file format that 1Password uses with Dropbox is slower and less secure. It’s not the focus of development, so it’s unlikely to get any new features, even where they would technically be possible.

I much prefer the way 1Password has evolved compared with what happened with TextExpander. The latest versions of the apps still work with the old syncing methods, and they’re even still selling standalone licenses. But though those of us who prefer the old design have not been abandoned, it still feels like we’re being left behind.

Update (2017-06-01): Bruce Schneier:

Everything you do along these lines is problematic, because 1) you don’t want to ever lie to a customs official, and 2) any steps you take to make your data inaccessible is in itself suspicious. Your best defense is not to have anything incriminating on your computer or in the various social media accounts you use.

@dkhamsing pointed me to pass, which can synchronize via Git and has an open source iOS app.

Update (2017-07-10): Kenn White:

1Password’s decision to sunset local credential storage for a 3rd-party cloud model alienates its most vocal allies — security professionals

It increasingly sounds to me like us standalone users have been abandoned. They’re just waiting until something breaks before they tell us.

Update (2017-07-12): Lorenzo Franceschi-Bicchierai (via Jason Snell, AppleInsider, MacRumors, Hacker News):

Last weekend, though, several security researchers tweeted that 1Password was moving away from allowing people to pay for a one-time license and have local password vaults, in favor of its cloud-based alternative that requires a monthly subscription.

brenty:

I know it’s not the answer you want, but we will never publicly commit to Dropbox, iCloud, or local vaults for the future. Even if we bring local vaults forward in a hypothetical new version of 1Password which does not yet exist, that’s not to say that the subsequent version will continue that, especially if the costs we put into building that into a new app far outweigh the return we get on that work in license sales.

Doug Lhotka:

The design of the new cloud based system appears robust, and they’ve had audits done on the code and service. Good so far. […] But that statement is based an overly simplistic user base and threat model. The truth is far more nuanced, and for substantial minority of users it’s not a good option. These include folks who are prohibited by corporate policy from using non-contracted third-party cloud services (extremely widespread), and individuals willing to put up with the minor hassle of local syncing to reduce their risk. Having all the vaults in a single place makes it a tempting target for an attack, breach and disclosure. Unfortunately, Agilebits asserts in forum posts that compromised vaults are “useless” to an attacker. That’s grossly oversimplified, and I quickly came up with three ways they aren’t useless[…]

dougl:

I give many briefings on future ‘plans’ and have the legal boilerplate about commitments and forward looking statements memorized. ‘No plans to remove’ does not equal ‘plan to keep’. We understand that things change, but there’s a very important intent and nuance in the language you’re using. One breeds confidence, the other raises concerns.

Clearly the development effort will focus on the subscription client, not the standalone, and a browser, iOS or OSX update will break it at some point (much as High Sierra has). How long will you continue to support the standalone client for those changes? We don’t know.

Update (2017-07-13): Juanjo López:

Unbelievable comment by a @1Password employee. People are not really concerned about local vaults, [they] just want to be “security gurus.”

Update (2017-07-15): Kenn White (Hacker News):

Nowhere in that process did I remember being specifically prompted to sync or backup my dummy accounts in the 1Password app to the 1Password cloud. It just happens. Automatically. When you respond to that initial “New to 1Password? Get started with your free trial of 1Password.com subscription” splash screen by clicking on the “Start My Trial” button, what you you are really saying is: auto-sync & backup everything by default into the 1Password cloud. In this theater, it’s a package deal. Popcorn comes with the Coke.

[…]

From a geek perspective, it’s kind of amazing that the HTML5 WebCrypto API has evolved enough to allow that. But there’s still a fundamental problem. Unlike, say, Signal Desktop which is a Chrome App with a known signature and a well-understood body of code, this is on-demand web-based javascript which gets pulled down anew every time I visit the 1Password site (which is presumably a lot, since it’s also where you manage your monthly billing and any other cloud syncing sorts of things that one does).

[…]

The security chief at 1Password seems to be saying that he’s not a big fan of the browser client either, or at least acknowledges the inherent additional risks that this particular type of host-based javascript crypto (i.e., live web page loads, versus a fixed browser extension or app) introduces.

Glenn Fleishman:

There’s one significant way in which syncing via Dropbox or iCloud has an advantage over 1Password.com syncing: in the latter case, you have to trust AgileBits to do what it says it will. When 1Password native apps use local vaults and sync via Dropbox or iCloud, your password never touches AgileBits’ login Web page. Because 1Password itself is freestanding, security researchers can test (and have tested) it in ways that aren’t possible with 1Password.com.

AgileBits says that your password never leaves your browser, and while trusting the company is reasonable, Thomas H. Ptáček noted to me via Twitter that the point is to not have to trust them.

Update (2017-07-16): My1:

2) you are using a CDN (me.1password.com -> IP -> amazon AWS), meaning you are not in control of what happens in the transit meaning the CDN has the ability to (it doesn’t matter whether they promise not to do so or whatever, just that they have to ability to) add or change scripts in a way that the master password is sent directly to a rogue server, they could even go one step further and just sent a decrypted wallet along the way.

4 Comments RSS · Twitter

The one thing that prevents me from switching to the 1Password subscription is that once you subscribe, there app stops generating local backups of your data. AgileBits staff have tried to explain the technical reasons for this, but at the end of the day, having control over and local backups of my password database is essential.

@remmah Thanks for that information. I had no idea the backup feature didn’t work with server vaults. And, apparently, files are not cached locally, so even the local database doesn’t have a copy of everything on the server. This is a dealbreaker for me.

[…] train SpamSieve on the iMac from other devices. OmniFocus and Fantastical sync. My RSS feeds and passwords sync. Other key files are in Git repositories, Dropbox, or Resilio Sync. For the remaining […]

[…] partial commitment is nice to hear, although it would have been nicer a few days ago when I asked about support for standalone vaults beyond version 6 and the response […]

Leave a Comment