[Disclosure: I work for AgileBits, the makers of 1Password]

I’d like to point people to blog post of ours on exactly this issue: https://blog.agilebits.com/2015/06/17/1password-inter-process-communication-discussion/

The short answer is that we are limited in what we can do against malware running on your own devices. And all schemes we’ve looked at to “encrypt” that communication would either require users actively pairing their browser extension very frequently or would rely on obfuscation.

Note also that is only data that gets filled into web forms that is at risk from such a local attack. So it is the same kind data that would be exposed by a malicous process running within a browser.

We have actually toyed with obfuscation, but decided against it, as the principle effect of obfuscating that communication would be to _conceal from customers_ that that communication is available to an attacker instead of protecting that communication from attackers.

We are looking at other methods of inter-process communication that might provide that with more privacy.

Suggestions are welcome, but before you say “here is a way to encrypt that communication” think through where the keys for that must be stored.