On Thu, Jan 23, 2014 at 3:05 AM, Fabio Pietrosanti (naif) < [email protected]> wrote:
> Browser extension could be hacked if they are unsafe, trough the use of > XSS-like attack techniques, by triggering an external payload into it > (for example from a website visited by the user). > ...but as long as they can't break out of the browser's sandbox, they can't be used to compromise native applications. So browser exploits affect: 1) Browser extensions and other in browser data > Native applications could be hacked if they are unsafe, trough the use > of buffer/heap overflow like techniques, by triggering an external > exploit payload (for example by sending an email to a > thunderbird/enigmail target user). > But the browser is a native code application! So native code exploits affect: 1) Browser extensions and other in browser data 2) Native applications So, my personal feeling is that chrome browser extensions can provide a > better secure environment for crypto applictions than the native ones. No, browser extensions have *more attack surface* than native applications. If you're pwned at a native code level, everything you're doing in browsers is vulnerable too. Provided you are able to obtain a good build of a well-audited native crypto app, it's sandboxed from browser-based attacks via the browser. If you are able to obtain a good build of a well-audited Chrome extension, it's still potentially susceptible to browser-based attacks. In either case, if the crypto software itself is compromised, it's effectively game over. Using a native code app will airgap you from browser-based attacks (kind of) -- Tony Arcieri
-- Liberationtech is public & archives are searchable on Google. Violations of list guidelines will get you moderated: https://mailman.stanford.edu/mailman/listinfo/liberationtech. Unsubscribe, change to digest, or change password by emailing moderator at [email protected].
