With their very comprehensive whitepaper and Charles Proxy you can verify all their claims. Their whitepaper is one of the best resources I have found on E2EE in general. With that, you should be able to write your own 1P vault parser. Then you can verify that traffic to their server is exactly what they claim it to be.
In another comment you are criticizing that their product is proprietary - that's IMO not quite true. Yes, 1P is closed source, but their crypto strategy is documented extensively - they list the exact cipher algos and settings.
> not only with respect to vault encryption but vault storage and operational security
That's a valid argument, BUT, if you read their whitepaper, you'll likely arrive at the conclusion that even a full leak of the encrypted vault is currently not that problematic. I wouldn't post it online, but I'm not worried if they announce a leak tomorrow.
That's just not accurate:
1. First off, all the encryption happens client-side. It is possible for anyone so inclined to validate how 1P and LP are doing their encryption.
2. The deficiencies in LP's encryption approach were well known for years.
My point is, yes, companies will spin things however they want, which is why you should completely ignore what they say and only evaluate what is verifiable. And 1P's and LP's approaches are verifiably different.
With respect to your confidence in 1Password's code and encryption methodology, would you be willing to send me your 1Password vault so that I can have a look at it?
It's JavaScript running in a browser.
> With respect to your confidence in 1Password's code and encryption methodology, would you be willing to send me your 1Password vault so that I can have a look at it?
Yes, absolutely (note I don't actually know how to get the encrypted version of the vault standalone). Are you willing to send banking information over HTTPS? It's the same level of security.