Introducing native messaging for the 1Password extension

I’m really excited to announce a brand new way for 1Password to save and fill in browsers. It’s not a new feature, and chances are you won’t even notice it. It’s called native messaging, and it changes the way 1Password integrates with your browser. In fact, if you use 1Password with Google Chrome, you might already be using it.1

Native messaging makes the 1Password extension faster, more stable, and more compatible in more situations. It improves the performance and reliability of the 1Password extension, and it’s the end result of talking with thousands of 1Password users over the years.

Once upon a time…


When the 1Password extension made its debut for Chrome in 2012, the options for browser extensions to talk to apps were limited. We settled on an approach using WebSockets, which creates a network connection on your computer between 1Password and the browser. Although it’s technically a network connection, the data is only transmitted locally and never leaves your computer. This served us well in the vast majority of cases, but for a significant number people, this connection was unreliable. Proxies, antivirus, and other security software could interfere with the connection and prevent saving and filling. These conflicts caused a lot of pain, especially for Windows users. Over time, it became clear that we needed a better approach.

Enter native messaging

Thankfully, Google led the way and introduced that better approach. Native messaging is a more direct way for browser extensions to communicate with apps. Unlike WebSockets, it doesn’t rely on creating a network connection between your computer and itself.

With native messaging, no longer is Chrome’s connection to 1Password subject to the vagaries of your network and computing environment. No matter how you’ve configured your computer, if you can run 1Password and Chrome, then native messaging will work for you. Last year, we began the transition to replace WebSockets with native messaging. In order for 1Password to use native messaging, we needed to update the extension and the apps. So in April, we released a version of the 1Password extension for Chrome with support for native messaging. Since then, all current versions of 1Password for Mac and Windows have been updated to use the new technology.

What will change?

If you notice any changes, they should only be positive. Communication is nearly instant, and you’ll be able to use the extension as soon as you open your browser. Native messaging removes entire classes of problems that have affected 1Password users for a long time. Conflicts with network proxies and firewalls in corporate computing environments, ad blocking software, and even productivity tools that lock you out of distracting sites should be a thing of the past. Security software that gets spooked by local network connections should relax down from red alert. And many less common scenarios will work much better with native mesaging as well.

How do I get it?!


The first thing to do is check for updates in 1Password to make sure you’re using the latest version available. The latest releases of 1Password all include native messaging. We even updated 1Password 4 for Windows to make sure everyone can take advantage of this advancement on both Mac and Windows. 1Password has built-in support for Google Chrome and many other browsers based on Chrome, like Opera. If you’re using a supported browser, 1Password will switch to native messaging immediately.

Some Chrome-based browsers are supported but require additional configuration to work with native messaging. See our support article for more details.

Conclusion

Native messaging is the future for the 1Password extension. For now it’s supported in Chrome, but support will be coming soon to other browsers like Firefox and Edge. We’ll let you know when native messaging arrives on new browsers — and stay tuned for more posts about the 1Password extension. There’s a lot of exciting stuff going on that I can’t wait to share with you. For now, I’d love to hear your thoughts about native messaging in the comments, and you can always connect with me and the rest of the extension team in the forum.


  1. I will use Chrome as a shorthand for Chrome and browsers based on
    Chromium such as Opera and Vivaldi throughout this post unless there are
    specific differences to note. 
20 replies
    • Jamie Phelps
      Jamie Phelps says:

      Thanks for letting us know you’re interested in basic authentication popups. Right now, we don’t have any changes to announce on this front. Native messaging is only about the way that Chrome talks to 1Password and not about any particular functionality. The features of what the extension can do are the same; this just makes it much faster and more stable.


      Jamie Phelps
      Code Wrangler @ AgileBits
      Fort Worth, Texas

  1. Tuur
    Tuur says:

    Even though I might be a bitter about the step away from local vaults for v6, I would sincerely like to thank you for also including 1Password 4 in this update

    Reply
    • Jamie Phelps
      Jamie Phelps says:

      Thanks for noticing, Tuur! We continue to love and support our 1Password 4 for Windows customers. :)


      Jamie Phelps
      Code Wrangler @ AgileBits
      Fort Worth, Texas

    • Jamie Phelps
      Jamie Phelps says:

      Native messaging is for browsers that use Chrome as a base (Chrome, Opera, Vivaldi, etc.) or that have extensions APIs that conform to the same features (Firefox, Edge). For now, this is just for the ones that use Chrome as a base, but we’ll have more to say about Firefox soon and Edge a little while later.

      But that doesn’t mean Safari isn’t getting any love. In fact, we’re planning a big update to our Safari extension for later this year. I can’t say too much about it at this early stage, but in the context of this post, I can say that it too will no longer use the WebSocket connection and will get many of the same benefits of moving away from that connection that native messaging delivers for the browsers that use it.


      Jamie Phelps
      Code Wrangler @ AgileBits
      Fort Worth, Texas

  2. Skeptic
    Skeptic says:

    I have always been paranoid about the communication between password managers and browsers. I don’t trust it at all, to the point where I just use 1Pass without any browser extensions. It’s a mild inconvenience in exchange for piece of mind that my data is not being intercepted by another extension or anything else running on the system.

    Can you guys provide any details on how exactly this data is secured to potentially convince me to give it another shot?

    Reply
    • Jamie Phelps
      Jamie Phelps says:

      You’re right to be cautious about your data and the browser, Skeptic! Thanks for asking about it. There are a few things that are important to know about the extension and 1Password.

      First, the 1Password extension doesn’t store any of your data. It’s more like a hook for 1Password to send messages into the browser. So, when you fill a 1Password item, 1Password asks the extension for some information about the page like what fields are there and combines those details with the item details in our form filling brain in 1Password and gets a result back. (You can read more about the brain here: https://blog.agilebits.com/2015/05/06/synapse-and-1passwords-new-brain/) It sends that result to the extension, which then follows the steps to put the values from your item into the appropriate fields.

      The other thing that 1Password does is encrypt the data in transit between the extension and the app. When the extension first connects to 1Password, the two exchange a secret and then on subsequent connections, they both verify that the other side has that same original secret and use it to construct an encryption key. That key is then used to encrypt each message between the extension and 1Password.

      As for your data being spied on, any native process that’s running on your computer could snoop on your clipboard. With the 1Password extension in general and with native messaging in particular, this kind of spying is much more difficult.

      Extensions are a little bit different. Many extensions can see what you do on all web pages, which would allow them to monitor the fields on the page for new values, whether it’s 1Password filling them or you copy-pasting them by hand. Chrome and other browsers will tell you what an extension will be able to do if you choose to install it. As with most things, if someone with bad intentions gets software running on your computer, the game is effectively won. Stay safe and make sure you install only trusted software.

      I hope this helps. If you have other questions or concerns about security and the browser extension, I’d encourage you to come by the discussion forum and we can discuss it further.


      Jamie Phelps
      Code Wrangler @ AgileBits
      Fort Worth, Texas

    • Jamie Phelps
      Jamie Phelps says:

      I see where you’re coming from. The move to native messaging further restricts the options for an attacker because it can only be used within a particular user account rather than across user accounts as Tavis described. Since there isn’t a way to turn off browser extension support entirely, any issue that could affect a user that’s using the browser extension could also affect users who are not using the extensions.

      The 1Password extension does treat web content with a healthy dose of skepticism, and we keep a hard boundary between the page’s Javascript and our own. The browser extensions frameworks handle much of this for us, but if for instance an extension injects elements into the page and then responds to the user’s interaction with that element, that could open up the extension to external interactions without fully considering all the possibilities.

      That being said, every user has to decide what is the most appropriate for their own mix of security and convenience. 1Password efforts to keep the browser extension as small and lightweight as possible and not have any of your 1Password data itself. For most users, I recommend using the browser extensions because the convenience of using it makes behaving securely more convenient than behaving insecurely, which is always a significant challenge for security products.

      Stay safe out there!

    • Skeptic
      Skeptic says:

      Thanks again, Jamie. Although browser extension support cannot be turned off, I’d at least assume that if the browser does not know of 1Password’s existence then any malicious executable won’t be able to do anything unless it already had access to the operating system level itself. So, at least from that perspective, I’ll take security over convenience.

      Plus, the 1Password Mini makes it easier to get away without using the browser extension.

      Though you raised a good point which is that if I was using the browser extension, then I wouldn’t be copy/pasting which could be sniffed by other applications. I suppose both methods are “insecure” if you’ve already been compromised. But my saving grace is that I only copy/paste the password, not the url or the username. Hopefully that’s enough… but it’s definitely something to think about.

      Thanks again.

    • Jamie Phelps
      Jamie Phelps says:

      Thanks for reading, Judith, and for your enthusiasm for a new Safari extension. We, too, are excited for what’s coming this year for our Safari extension. I can’t say too much, but I think all our Safari-first users—including me!—will be very happy with what’s in store. 💖


      Jamie Phelps
      Code Wrangler @ AgileBits
      Fort Worth, Texas

    • Jamie Phelps
      Jamie Phelps says:

      Thanks for your question! No, the helper process is still required for access to the 1Password data. In fact, the process that native messaging uses then uses native inter-process communication to talk to the 1Password helper. The good news, though, is that reaching the helper should be much faster and more reliable than WebSockets, especially for users that experienced any of the conflicts that I mentioned in the post. I hope this helps!


      Jamie Phelps
      Code Wrangler @ AgileBits
      Fort Worth, Texas

    • Jamie Phelps
      Jamie Phelps says:

      Unfortunately, this is correct, Michael. With the move to native messaging, we are no longer allowing any unsigned application to connect to 1Password. The Chromium team has long declined to sign its builds. Chromium is the only major browser that does not sign its prerelease builds; WebKit Nightly and Firefox Nightly are both signed and continue to work fine with 1Password. Running unsigned code is really not a safe general computing practice.

      The Chromium page https://www.chromium.org/getting-involved/download-chromium says that Chromium should be used more for testing if a particular fix works or other one-off fixes. If you’re looking to get the latest Chrome features in a signed binary that automatically updates, you should use the Canary channel of Chrome: https://www.google.com/chrome/browser/canary.html

      I hope that helps. Let us know if you need anything else.


      Jamie Phelps
      Code Wrangler @ AgileBits
      Fort Worth, Texas

  3. Jose Diaz-Gonzalez
    Jose Diaz-Gonzalez says:

    This change seems to have completely broken 1Password on Chrome for Mac for me. It continually tells me it cannot write to the NativeMessaging directory even if it exists and is world-writeable. Is there any way to disable NativeMessaging, or perhaps figure out what is going on here?

    Reply
    • Jamie Phelps
      Jamie Phelps says:

      Hi, Jose. I’m sorry for the trouble you’re having! It’s hard to say what might be happening on your system from a blog comment, so it’d be helpful if you could email us a diagnostics report. You can create the report by following this guide: https://support.1password.com/diagnostics/ Then, attach it to an email to support+extension@agilebits.com. Mention my full name “Jamie Phelps” in the subject line and include a link to this post in the message so our support system can land it in front of me faster.

      Thanks!


      Jamie Phelps
      Code Wrangler @ AgileBits
      Fort Worth, Texas

Leave a Reply

Want to join the discussion?
Feel free to contribute!

Leave a Reply

Your email address will not be published. Required fields are marked *