Wednesday, 2 March 2016

This Medium post about Wireshark is the result of poor system hygene

Ross Hosman posted this Medium entry complaining that 1Password exposes user data via the loopback interface in an unencrypted format.

Ross was nice enough to provide a "TL;DR":
TL:DR 1Password sends your password in clear text across the loopback interface if you use the browser extensions. 
Note: Running Mac OSX 10.11.3, 1Password Mac Store 6.0.1, Extension Version 4.5.3.90 (Chrome)
I posted a response on Reddit but felt like sharing it here too:
This is likely the result of the OP having installed Wireshark and would otherwise not be a problem if he hadn’t done so. 
Countless guides on the Internet recommend doing something like this: 
sudo chown <username> /dev/bpf* 

Now fortunately after a reboot, these permissions get set back automatically. However, Homebrew for OS X by default implements ChmodBPF, which keeps the permissions needed so you don’t have to do this every time after you reboot.
This isn’t a Mac OS X thing either as under Windows, WinPCAP is installed, and Wireshark tells you that any user can make use of it:
The WinPcap driver (called NPF) is loaded by Wireshark when it starts to capture live data. This requires administrator privileges. Once the driver is loaded, every local user can capture from it until it’s stopped again.
So default behaviour in Windows is to allow anyone to make use of the capture driver and it is encouraged in guides and Wireshark themselves to make use of the OS X tool. Under Linux, you need to be a member of the wireshark group in order to make use of the capture interface (or just haphazardly use “root”). 
These details are important because under any other circumstance where Wireshark or any packet capture software is not installed, what the OP complains about would be completely unnecessary to worry about because typically (as in a default, non-SELinux Linux; OS X, or Windows installation) the permissions required to sniff the loopback interface are at the same level as sniffing for the key within memory. 
His concerns are valid in a sense but having a packet capture driver with global access permissions is along the same lines as having no password on your administrator accounts. If you’re concerned about this being a real problem, run Wireshark on a separate machine or at least within a virtual machine.
Overall there is nothing to panic about unless you are running Wireshark.