#11
AgileBits is far from at fault here. It’s Cloudflare who stand at the stage of the problem. From what I’ve gathered, the problem in its essence is that their content delivery system, the way it had been designed, would occasionally leak private data sent to it via SSL, undermining their use of HTTPS. “Cloudbleed” it’s being called, and Cloudflare have a technical analysis of the issue on their blog. Of course, the issue has quickly been resolved.
I trust AgileBits’ word when they say that they don’t rely on HTTPS to be secure. They’re password management specialists after all, and 1Password is their primary product and service so you can expect them to be especially focused on stabilising and staying vigilant to the security aspects of their service.
Your sense of trust is galling. If you don’t trust encryption and you heavily value privacy over the information you transmit over the internet, how is it that you’ve signed up with any internet service at all? Encryption is the basis of your safety on the internet. If you don’t trust encryption I’m not sure what technology you were relying on for safety prior to the news. Perhaps it was the terms “SSL” and “HTTPS” that made you feel safe. These protocols themselves are completely encryption oriented. Encryption is an established process.
This was a completely separate incident in which their mistake was hardly a disreputable one. The developers screwed up, got flamed for it, worked tirelessly to resolve the issue. I can sympathise. It happens, you get over it, you move on.
From what I can interpret, they were completely honest about the situation the whole way through: Certificates, Provisioning Profiles, and Expiration Dates: The Perfect Storm
This was painful for everyone. We lost sleep over the weekend, but worse than that… our users temporarily lost access to some of their most important information. This is unacceptable to us and we want to make sure this doesn’t happen again.
Furthermore, there’s nothing that indicates AgileBits putting blame on Apple for their own mistake. In fact, if anything, they have drawn closer relations to Apple now as they ensure that the incident doesn’t repeat itself in future.
And that is the best action they could have possibly taken in the circumstances.
We’ve reached out to Apple for help and guidance on what we can do to avoid this happening again in the future. Our new provisioning profile doesn’t expire until 2022, but we’ll make sure that this is resolved far before then so that you need not worry about that happening.
By the way, I’m sure Apple doesn’t spend their days going around telling developers how to compose a developer’s certificate. If you’ve got evidence of “Apple having told them previously”, I’d like to hear.
Unless a wave of instances of 1Password users suddenly discovering their login details being compromised begins to surface, I say AgileBits get to keep their established reputability in security for now.