Introducing the 1Password Watchtower service for Heartbleed and beyond
by Jeffrey Goldberg on
When news of the internet’s Heartbleed bug broke last week, we published what we knew about it and the implications for 1Password and 1Password users.
To recap: 1Password is not affected by Heartbleed, but there are steps you need to take to protect your passwords from sites that may have been affected.
Today, we’re introducing a new service to help you check vulnerable sites and stay on top of your online security. We call it 1Password Watchtower.
Your password data remains safe and secure within 1Password, but when your web browser sends a password to an insecure website, that particular password can be captured.
Most, but not all, websites have had some period of being insecure because of Heartbleed, and this is why so many passwords need to be changed.
Since those first few hours on April 7, we’ve gone from “what is this all about?” to “which sites do I need to change my password, and when?” Today, the 1Password Watchtower service will help you answer that question.
With respect to Heartbleed, the 1Password Watchtower service will try to categorize websites into one of the following five categories.
Sites that are still exhibiting the Heartbleed bug should be avoided until they’ve fixed it. Once fixed, you should change your password.
If you reused a password for one of these sites, then all of those websites are also at risk. You should change your passwords on those other websites as soon as appropriate, and be sure to set up a different password for each of these sites.
This is where things get complicated. While these sites have stopped the bleeding, their master keys may have been stolen while the site was vulnerable.
To protect against this, websites need to get new certificates signed by certification authorities, which simply takes time (especially when nearly every site needs to do it). It took two days to get our new certificate, and I would not be surprised if others will have to wait longer, especially if they submitted their requests after us.
For these sites we recommend that you change your password twice. Changing your password now will prevent an attacker from using any previously stolen passwords. Then you can change your passwords again once the site’s certificates have been reissued to guarantee that the new password is only known by you.
These sites were vulnerable to Heartbleed at one time but have been completely fixed. You can go ahead and change your passwords on these sites.
You may find yourself with many sites for which you need to change passwords, but don’t let yourself get overwhelmed. Focus on changing passwords for your most important websites first.
1Password can help you through the process, and of course, this is a great opportunity to use 1Password’s Strong Password Generator to create a strong and unique password for each site.
Some sites and services were never vulnerable to Heartbleed, typically because they never used OpenSSL or had disabled various features.
One piece of good news is that, as far as we can tell, most banks fall into this category. However, to the annoyance of security researchers, banks are not telling us why they weren’t vulnerable; they are merely repeating that their customers are and have been safe.
For sites that were never vulnerable, no special action is needed. You do not need to change those passwords if your passwords were unique to those sites.
But (and you will hear us repeating this often) if you used the same password on a “never vulnerable” site that you used on one which was vulnerable, then you should change your passwords to be strong and unique on both sites.
This illustrates why password reuse on multiple sites is so dangerous. Even services that have had excellent security on their own can be broken into with a password stolen from elsewhere. 1Password’s Security Audit will help you find duplicate passwords.
Sites in this category are in no way affected by Heartbleed, but these are the services where it is most important that you don’t reuse passwords.
Some sites and services do not use SSL/TLS to secure connections between your web browser and their service. Because they have no transport security to break, their security can’t be “broken” by Heartbleed. Any password—or, really, any data—sent to such a site can be easily captured. If you have a password for one of these sites, make sure that you don’t use the same password for any other service.
Subdomains matter: It is important to remember that 1Password Watchtower checks the exact domain you tested. So even if
go.com doesn’t use SSL, subdomains such as
disney.go.com, may. It does not appear that one ever sends passwords to
go.com itself, so its lack of SSL does not put passwords at risk.
As 1Password Watchtower checks for Heartbleed, it performs a number of tests on a domain and its certificate, as well as looking at the results of earlier tests. But even with all of the tests that we run, there is some substantial “guess work” in the categorization.
We can reliably tell which sites are currently vulnerable and which sites aren’t. We can also check the start date for the validity of a certificate. We run other tests, but whether they produce results or not, they only offer hints at which category we should put a domain into.
The biggest uncertainty is that we have no reliable way to distinguish between sites waiting for new certificates and sites which were never vulnerable. Both such sites will not be currently vulnerable and will not have new certificates. We look at fragmentary results of previous scans as well as web server software to try to form a guess, but it remains a guess.
Every certificate has a validity period. They have a “valid from” date and a “expiry” date. We are (mostly) using the date from which they are valid to see if they are old or new. However many recently reissued certificates have the same validity period as the one that they replaced. As a consequence, certificates that appear as if they are in need of replacement aren’t.
Many high traffic web sites use load balancers, which don’t actually process your web request, but send off your request to a one of many back-end servers. The software on a load balancer is meant to be invisible, but it will often be different than what appears on the backend. The tests we perform involve a number of queries, some of which will be handled by the back-end servers and some by the load-balancer. For example, a load-balancer that was running an affected version of OpenSSL might be using IIS as a back end, and thus we might false report as “never vulnerable”.
Heartbleed is an astonishingly serious thing, but it isn’t cause to panic. Indeed, frightened people tend to make poor security decisions. The bulk of the work is being done by system administrators, and there are changes to come in the ways critical software is scrutinized. But for most people like you and me, the job is to improve our password practices.
Many—I’d like to think nearly all—1Password users are good about having strong, unique passwords for each site and service. That habit should already make the current task easier for you. Heartbleed and this initial version of 1Password Watchtower gives you another opportunity to improve even more. Doing so will make you safer now and long into the future.