From: Graham & Heather Harrison <nosirrah.mac@me.com>
Date: Sat, 29 Aug 2015 06:55:14 +1000
Message-id: <59C7C746-7C63-4E88-9A8F-9E9BB376FCB9@me.com>
To: tor-talk@lists.torproject.org
Subject: [tor-talk] 1PassWord Firefox extension

I am very new to Tor - just getting set up. I want to use 1Password as my password manager. I have been with them since they started and trust them more than any other similar application. The copy of their latest response on why 1P does not work with Tor is below. (I had originally only told them I was having problems with Ff 38.) I want information on whether it is possible to make 1P work without compromising Tor.

OS X 10.6.8 and 10.10.3

The reason you can't use 1Password's extension inside Tor has to do with the modifications that TorProject makes to Firefox. They go to significant lengths to prevent information from being leaked (or able to be spied-upon) in non-Tor channels that might reveal your true IP address. This includes things like DNS leakage, but it also includes web sockets, which is what 1Password uses to communicate between the Mini (in your menubar) and the extension in Firefox. This requires that there not be anything blocking 127.0.0.1. 

As with most proxy/firewall software that customers add to their computers to increase security, we can tell them to add an exception to the whitelist for localhost (127.0.0.1), but in the case of Tor, I just don't know enough about the internals of how it goes about blocking things it deems potentially harmful to know whether adding an exception for 127.0.0.1 would be considered voiding the protection offered by Tor. The Tor proxy itself is contained on 127.0.0.1, port 9051, so bypassing for localhost might inadvertently induce a whole host of other, non-1Password applications/utilities/helper programs to pass information outside of the Tor channels, potentially exposing your real IP address. I just don't know. In my own testing just now, I can confirm that adding 127.0.0.1 to Tor's Preferences => Advanced => Network Settings does indeed allow the 1Password extension to work...but at what cost to the anonymity afforded by Tor, I have no idea. You may wish to take this up with the Tor devs themselves, or with someone who knows the internals of Tor better than me.

I'd also point out that this isn't going to be a "solvable" issue from our end. The 1Password extension needs to communicate with the Mini, and that's true across all browsers on the Mac (Safari, Chrome, Firefox, Opera), and that's not going to be changing. To the extent that this conflicts with Tor, that's going to be permanent unless/until Tor itself allows for local extensions to communicate via web socket. In short: I can't recommend you take these steps unless you do so with the explicit understanding that we don't warrant what effect doing so might have on the efficacy of Tor itself. The effect *might* be zero...or it might be significant indeed. Taking this step will indeed allow the 1Password browser extension to work in Tor's version of Firefox 38...but at what cost, we don't know, so this is an at-your-own-risk modification.

Thank you.
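
Added example, not part of the original message or of the quoted 1Password reply: a small Python audit that reads the proxy exception list from a Firefox-style `prefs.js` and labels each entry as loopback or as a destination reached outside the proxy. It assumes the "No Proxy for" field in Network Settings is stored in the `network.proxy.no_proxies_on` preference; the profile text is a constructed sample.

```python
import ipaddress
import re

# One line of a Firefox-style prefs.js: user_pref("name", value);
PREF_RE = re.compile(r'^\s*user_pref\("([^"]+)",\s*(.*)\);\s*$')
BYPASS_PREF = "network.proxy.no_proxies_on"  # assumed home of "No Proxy for"

# Constructed sample, not taken from a real profile.
SAMPLE_PREFS = """\
// constructed sample
user_pref("network.proxy.type", 1);
user_pref("network.proxy.socks", "127.0.0.1");
user_pref("network.proxy.socks_remote_dns", true);
user_pref("network.proxy.no_proxies_on", "127.0.0.1, intranet.example, 10.0.0.0/8");
"""

def read_bypass_list(prefs_text):
    """Return the proxy exception entries; the last matching line wins."""
    entries = []
    for line in prefs_text.splitlines():
        m = PREF_RE.match(line)
        if m and m.group(1) == BYPASS_PREF:
            value = m.group(2).strip().strip('"')
            entries = [e.strip() for e in value.split(",") if e.strip()]
    return entries

def classify(entry):
    """'loopback' if the entry only covers this machine, else 'direct'."""
    host = entry.lower()
    if host.count(":") == 1:          # host:port form, drop the port
        host = host.split(":")[0]
    if host == "localhost":
        return "loopback"
    try:
        net = ipaddress.ip_network(host, strict=False)
    except ValueError:
        return "direct"               # a hostname or domain suffix
    return "loopback" if net.is_loopback else "direct"

def audit(prefs_text):
    """List (entry, label) pairs plus a one-word verdict for the profile."""
    findings = [(e, classify(e)) for e in read_bypass_list(prefs_text)]
    if not findings:
        verdict = "none"
    elif all(label == "loopback" for _, label in findings):
        verdict = "loopback-only"
    else:
        verdict = "direct-bypass"
    return findings, verdict

if __name__ == "__main__":
    for entry, label in audit(SAMPLE_PREFS)[0]:
        print(f"{label:9} {entry}")
```

A `loopback-only` verdict still means the browser talks to any service listening on the local machine without going through the proxy, which is the question the reply above leaves open.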