Friday, January 6, 2017

My two cents on the 1Password Dropbox issue

Here's a quote:

Your characterizations are incorrect, or as some might say, 'disingenuous'. AgileBits does not claim it's impossible to do so. To quote: "This is not to say it's impossible, but it requires much more careful planning and consideration than changing the permission request in the application." They also note that 'the new secure mode' would break functionality for "many customers", due to a design choice (or flaw) in the Dropbox API: "But even if we were able to work around many of those complications and used the Dropbox API to limit permissions and use a specific app folder, there's still at least one major issue, which (as Khad explained to you a few years ago) is that Dropbox API doesn't allow sharing folders between different Dropbox accounts. That would prevent sharing a 1Password vault with others via Dropbox, which is a feature that many customers love and rely on." Claiming that this 'wouldn't be the case' is a misleading characterization. In actuality, they would have to support two modes - a reduced-functionality 'secure' mode, and a full-functionality 'legacy' mode. While it may be distasteful that users share password vaults using Dropbox, they have clearly chosen to continue supporting that use case. 1Password offers a paid product that competes with the usually-free Dropbox-based sharing solution. Their paid product is far more secure than the shared-Dropbox method, with both per-vault and per-device encryption keys. It offers no compromises in functionality and offers what some would consider an increase in security for shared-vault users over the 'legacy' Dropbox model discussed herein. It uses a cloud storage service other than Dropbox, but that's no more a dealbreaker than Dropbox itself would be.
So with 1Password having already implemented both "the new secure mode" (paid) and "a legacy mode for backwards compatibility" (Dropbox), they clearly have already accepted the additional maintenance burden of the increased security requirements of their 'new' method. Please identify the evidence you see supporting your claim that it is impossible, in light of their words and actions to the contrary.


Obviously, the reason they don't want to work on this is because it competes with their paid product. Simple as that, I think.
