[tor-talk] 1PassWord Firefox extension
Graham & Heather Harrison
nosirrah.mac at me.com
Fri Aug 28 20:55:14 UTC 2015
I am very new to Tor - just getting set up. I want to use 1Password as my password manager. I have been with them since they started and trust them more than any other similar application. The copy of their latest response on why 1P does not work with Tor is below. (I had originally only told them I was having problems with Ff 38.) I want information on whether it is possible to make 1P work without compromising Tor.
OS X 10.6.8 and 10.10.3
The reason you can't use 1Password's extension inside Tor has to do with the modifications that TorProject makes to Firefox. They go to significant lengths to prevent information from being leaked (or able to be spied-upon) in non-Tor channels that might reveal your true IP address. This includes things like DNS leakage, but it also includes web sockets, which is what 1Password uses to communicate between the Mini (in your menubar) and the extension in Firefox. This requires that there not be anything blocking 127.0.0.1.
As with most proxy/firewall software that customers add to their computers to increase security, we can tell them to add an exception to the whitelist for localhost (127.0.0.1), but in the case of Tor, I just don't know enough about the internals of how it goes about blocking things it deems potentially harmful to know whether adding an exception for 127.0.0.1 would be considered voiding the protection offered by Tor. The Tor proxy itself is contained on 127.0.0.1, port 9051, so bypassing for localhost might inadvertently induce a whole host of other, non-1Password applications/utilities/helper programs to pass information outside of the Tor channels, potentially exposing your real IP address. I just don't know. In my own testing just now, i can confirm that adding 127.0.0.1 to Tor's Preferences => Advanced => Network Settings does indeed allow the 1Password extension to work...but at what cost to the anonymity afforded by Tor, I have no idea. You may wish to take this up with the Tor devs themselves, or with someone who knows the internals of Tor better than me.
I'd also point out that this isn't going to be a "solvable" issue from our end. The 1Password extension needs to communicate with the Mini, and that's true across all browsers on the Mac (Safari, Chrome, Firefox, Opera), and that's not going to be changing. To the extent that this conflicts with Tor, that's going to be permanent unless/until Tor itself allows for local extensions to communicate via web socket. In short: I can't recommend you take these steps unless you do so with the explicit understanding that we don't warrant what effect doing so might have on the efficacy of Tor itself. The effect *might* be zero...or it might be significant indeed. Taking this step will indeed allow the 1Password browser extension to work in Tor's version of Firefox 38...but at what cost, we don't know, so this is an at-your-own-risk modification.
More information about the tor-talk