How are the icons downloaded?

photonlight

Thank you for the feedback and link! While I can't promise anything, I'm passed your request for a favicon-only option along to our product team. 🙂

-Dave

ref: PB-32488667

DNS is an application layer protocol and DNS queries are hidden if used with VPN and a custom DNS, so, it might not be that public. Though yeah, they aren't that secret, at least ISP will know as soon as you disable the vpn. It's just that single point of ... storing the many addresses might be concerning.

As for Keepassxc, tbh I didn't know, that they now use icons.duckduckgo.com as a fallback for the high resolution icons.

https://github.com/keepassxreboot/keepassxc/blob/1d00c22244ca34b27b1fef395e087af2eb07846d/src/gui/IconDownloader.cpp

I agree, it's a complicated question, in terms of usability, though personally I'd be fine with low res favicons if there was such an option.

Thanks for such a detailed explanation.

photonlight

Domain names are, by their very nature, public. They're stored and published by various DNS companies to help with resolving a domain name to a specific IP address/location. Basically think of DNS like a phone book, your domain is published by DNS providers for all to see so that a web browser knows how to connect to the website behind the domain name.

if I save a password for a private web site behind vpn, like my-company-task-tracker.com or my-company-db.private, then the domain is stored in your servers in plain text?

Website addresses are stored end-to-end encrypted in your 1Password account as is the rest of the data that you enter into 1Password. You can read more here: What we (don’t) know about you | 1Password

If you have rich icons enabled, and the 1Password app receives a response from the cache server that no rich icon for a certain domain exists, then we'll log that request so that we can look into adding a rich icon for that domain in the future. However, everything but the domain name is stripped away, once the request is logged we have no way to associate that domain name with your account since we only keep the domain name. And the domain name, as explained in my first paragraph, is already public information.

Then it would be nice to have a feature to have not so rich, but more private icons, as for me, just .ico icons would be enough, like the ones, that are downloaded by keepassxc for example

You can disable rich icons and provide your own icons for all websites. This prevents the 1Password app from requesting a rich icon from the cache servers or sending requests for icons to be added. How does the KeypassXC feature work? Does it just download a website's favicon? We've considered doing that but favicons are usually extremely low resolution and not suitable to be used as rich icons for items.

-Dave

So, am I understanding correctly, that if I save a password for a private web site behind vpn, like my-company-task-tracker.com or my-company-db.private, then the domain is stored in your servers in plain text?

Then it would be nice to have a feature to have not so rich, but more private icons, as for me, just .ico icons would be enough, like the ones, that are downloaded by keepassxc for example

Hello photonlight! 👋

1Password maintains our own database of high quality rich icons which are served using two different cache servers as described here: About rich icons and your privacy

Also, are the urls of private websites, like the ones behind vpns in the companies also go to your servers to try to download icons?

The cache server receives the following:

• the originating IP address
• the domain or software license being requested
• and the user agent

The request only goes to our servers if the cache server doesn’t have a particular icon. We remove all information about the request aside from domain or software license title so that we can know what icons to add in the future.

If you'd like to turn off rich icons then you can find instructions here. I hope that helps. 🙂

-Dave