Comment by tyingq

8 years ago

Sounds bad to me...

"We've discovered (and purged) cached pages that contain private messages from well-known services, PII from major sites that use cloudflare, and even plaintext API requests from a popular password manager that were sent over https (!!)."

The trouble is you have no way to know if someone discovered this earlier, and harvested info for a long time.

Or, how much harvested info from your site might be in a Google cache for someone else's site.

Does 1Password really send anything meaningful in their API queries, or is it encrypted separately and then just sent over HTTPS?