Re: [liberationtech] Browser extensions or native application for crypto? Was: Whiteout OpenPGP.js encrypted mail client (Chrome HTML5 App)

2014-01-23 Thread Tony Arcieri
On Thu, Jan 23, 2014 at 3:05 AM, Fabio Pietrosanti (naif) <
li...@infosecurity.ch> wrote:

> Browser extensions could be hacked if they are unsafe, through the use of
> XSS-like attack techniques, by triggering an external payload into it
> (for example from a website visited by the user).
>

...but as long as they can't break out of the browser's sandbox, they can't
be used to compromise native applications.

So browser exploits affect:

1) Browser extensions and other in-browser data


> Native applications could be hacked if they are unsafe, through the use
> of buffer/heap-overflow-like techniques, by triggering an external
> exploit payload (for example by sending an email to a
> thunderbird/enigmail target user).
>

But the browser is a native code application! So native code exploits
affect:

1) Browser extensions and other in-browser data
2) Native applications

> So, my personal feeling is that chrome browser extensions can provide a
> more secure environment for crypto applications than the native ones.


No, browser extensions have *more attack surface* than native applications.
If you're pwned at a native code level, everything you're doing in browsers
is vulnerable too.

Provided you are able to obtain a good build of a well-audited native
crypto app, it's sandboxed from browser-based attacks via the browser.

If you are able to obtain a good build of a well-audited Chrome extension,
it's still potentially susceptible to browser-based attacks.

In either case, if the crypto software itself is compromised, it's
effectively game over. Using a native code app will airgap you from
browser-based attacks (kind of)

-- 
Tony Arcieri
-- 
Liberationtech is public & archives are searchable on Google. Violations of 
list guidelines will get you moderated: 
https://mailman.stanford.edu/mailman/listinfo/liberationtech. Unsubscribe, 
change to digest, or change password by emailing moderator at 
compa...@stanford.edu.

Re: [liberationtech] Browser extensions or native application for crypto? Was: Whiteout OpenPGP.js encrypted mail client (Chrome HTML5 App)

2014-01-23 Thread Edwin Chu
Comments inline.

Edwin


On Thu, Jan 23, 2014 at 3:05 AM, Fabio Pietrosanti (naif) <
li...@infosecurity.ch> wrote:

> Let's try to get a bit deeper in the comparison of the effective
> vulnerability exposure window of chrome browser extensions vs. native
> applications.
>
> My feeling is that chrome browser extensions are more secure than native
> applications.
>
> >
> > On 1/22/14, 9:53 AM, Tony Arcieri wrote:
> >
> > It's true that native applications have wide-ranging capabilities that
> > browser extensions don't.
> Which kind of capabilities do native applications have that browser
> extensions don't provide within the context of encryption software?
>

For example, privilege separation using an application sandbox, jail, LXC or
various other techniques is useful for writing secure software. I'm not aware of
any comparable technologies on the Chrome App platform.


>
> > Where browser extensions can fall down is unexpected interactions with
> > web pages and JavaScript running on them. This is a problem that
> > native apps don't have because the browser is attempting to act as a
> > sandbox, so escalating privilege from a JavaScript to access to native
> > code execution is much more difficult than escalating privileges to
> > interact with browser extensions unexpectedly. In this regard, native
> > apps are superior, because the browser is trying to prevent that
> > interaction from happening. Native apps are "airgapped" from web pages
> > in a way browser extensions are not.
>
> In order to "attack" a client side application (being a browser
> extension or a native one) you need to exploit a vulnerability in the
> application itself.
>
> Browser extensions could be hacked if they are unsafe, through the use of
> XSS-like attack techniques, by triggering an external payload into it
> (for example from a website visited by the user).
> Native applications could be hacked if they are unsafe, through the use
> of buffer/heap-overflow-like techniques, by triggering an external
> exploit payload (for example by sending an email to a
> thunderbird/enigmail target user).
>

Yes, both are vulnerable to various kinds of attacks. However, the browser
itself is complex software, and the interaction between different moving parts
in a browser, e.g. extensions and plugins, makes it worse. Yes, the OS is complex
too, but browsers just add another complex layer on top of the OS.
Complexity is the worst enemy of security. Native apps are superior in this
aspect.


>
> Browser extensions, if exploited, cause less damage to the underlying
> operating system and data due to the Browser Sandbox.
> Native applications, if exploited, provide access to all of the
> underlying operating system and data.
>

Native apps can also be sandboxed.


>
> Browser extensions install and update securely through the Chrome App
> Store (Ok, it's a walled garden, but applications are safely distributed).
> Native applications (for windows for example) cannot be installed
> securely, unless following complex binary hashing verification and
> comparison procedures that most users do not follow.
>

What do you think about the native apps App Store model of Apple, Google
and Microsoft? The applications are signed and the system only allows
applications signed by a trusted authority by default.


>
> Browser extensions can be run within a dedicated Chrome profile, that's
> effectively a native sandboxing of the environment where the browser
> extensions run, with its additional layer of sandbox.
> Native applications are more difficult to sandbox with such a
> double layer, unless third-party application sandboxing is used.
>

The user system of a modern OS is designed for this purpose. And you get a
clearer separation between different users.


>
> So, my personal feeling is that chrome browser extensions can provide a
> more secure environment for crypto applications than the native ones.
>
>
> --
> Fabio Pietrosanti (naif)
> HERMES - Center for Transparency and Digital Human Rights
> http://logioshermes.org - http://globaleaks.org - http://tor2web.org
>

Re: [liberationtech] Browser extensions or native application for crypto? Was: Whiteout OpenPGP.js encrypted mail client (Chrome HTML5 App)

2014-01-23 Thread Maxim Kammerer
Operating systems have decades of research into privilege separation
between users and processes. Browsers are a nice interface for viewing
websites. If you want signed executables and cross-platform support,
you can use e.g., Java Web Start (which is what Android apps
essentially boil down to).


Re: [liberationtech] Browser extensions or native application for crypto? Was: Whiteout OpenPGP.js encrypted mail client (Chrome HTML5 App)

2014-01-23 Thread Fabio Pietrosanti (naif)
Let's try to get a bit deeper in the comparison of the effective
vulnerability exposure window of chrome browser extensions vs. native
applications.

My feeling is that chrome browser extensions are more secure than native
applications.

>
> On 1/22/14, 9:53 AM, Tony Arcieri wrote:
>
> It's true that native applications have wide-ranging capabilities that
> browser extensions don't.
Which kind of capabilities do native applications have that browser
extensions don't provide within the context of encryption software?

> Where browser extensions can fall down is unexpected interactions with
> web pages and JavaScript running on them. This is a problem that
> native apps don't have because the browser is attempting to act as a
> sandbox, so escalating privilege from a JavaScript to access to native
> code execution is much more difficult than escalating privileges to
> interact with browser extensions unexpectedly. In this regard, native
> apps are superior, because the browser is trying to prevent that
> interaction from happening. Native apps are "airgapped" from web pages
> in a way browser extensions are not.

In order to "attack" a client side application (being a browser
extension or a native one) you need to exploit a vulnerability in the
application itself.

Browser extensions could be hacked if they are unsafe, through the use of
XSS-like attack techniques, by triggering an external payload into it
(for example from a website visited by the user).
Native applications could be hacked if they are unsafe, through the use
of buffer/heap-overflow-like techniques, by triggering an external
exploit payload (for example by sending an email to a
thunderbird/enigmail target user).

Browser extensions, if exploited, cause less damage to the underlying
operating system and data due to the Browser Sandbox.
Native applications, if exploited, provide access to all of the
underlying operating system and data.

Browser extensions install and update securely through the Chrome App
Store (Ok, it's a walled garden, but applications are safely distributed).
Native applications (for windows for example) cannot be installed
securely, unless following complex binary hashing verification and
comparison procedures that most users do not follow.

Browser extensions can be run within a dedicated Chrome profile, that's
effectively a native sandboxing of the environment where the browser
extensions run, with its additional layer of sandbox.
Native applications are more difficult to sandbox with such a
double layer, unless third-party application sandboxing is used.

So, my personal feeling is that chrome browser extensions can provide a
more secure environment for crypto applications than the native ones.


-- 
Fabio Pietrosanti (naif)
HERMES - Center for Transparency and Digital Human Rights
http://logioshermes.org - http://globaleaks.org - http://tor2web.org
