Uzair! I forgot to put you in copy while sending this to tails-dev...
sajolida:
> Someone pointed me to this paper:
>
> http://www.cse.chalmers.se/research/group/security/publications/2017/extensions/codaspy-17-full.pdf
>
> ABSTRACT
>
> Browser extensions provide a powerful platform to enrich browsing
> experience. At the same time, they raise important security
> questions. From the point of view of a website, some browser
> extensions are invasive, removing intended features and adding
> unintended ones, e.g. extensions that hijack Facebook likes.
> Conversely, from the point of view of extensions, some websites are
> invasive, e.g. websites that bypass ad blockers. Motivated by
> security goals at clash, this paper explores browser extension
> discovery, through a non-behavioral technique, based on detecting
> extensions’ web accessible resources. We report on an empirical
> study with free Chrome and Firefox extensions, being able to detect
> over 50% of the top 1,000 free Chrome extensions, including popular
> security- and privacy-critical extensions such as AdBlock, LastPass,
> Avast Online Security, and Ghostery. We also conduct an empirical
> study of non-behavioral extension detection on the Alexa top 100,000
> websites. We present the dual measures of making extension detection
> easier in the interest of websites and making extension detection
> more difficult in the interest of extensions. Finally, we discuss a
> browser architecture that allows a user to take control in
> arbitrating the conflicting security goals.
>
> The new version of our verification extension should not be detectable
> using this technique.
>
> Uzair: do you want to look into this as you're in the process of
> rewriting a good share of the code of our extension?
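
One way to check an extension's own manifest for the exposure the technique in the abstract relies on, as an added example that is not part of the original message or of the Tails extension's code. It goes beyond the message by handling both the Manifest V2 (list of strings) and Manifest V3 (list of objects) forms of `web_accessible_resources`; the `auditManifest` name and the sample manifests are constructed for illustration.

```javascript
// Added example: list the resources a WebExtension manifest makes loadable
// by web pages, which is what web-accessible-resource detection depends on.
const BROAD = new Set(["<all_urls>", "*://*/*", "http://*/*", "https://*/*"]);

function auditManifest(manifest) {
  const findings = [];
  for (const entry of manifest.web_accessible_resources || []) {
    if (typeof entry === "string") {
      // Manifest V2 form: a path or glob with no origin restriction.
      findings.push({ resource: entry, matches: ["<all_urls>"], broad: true, dynamicUrl: false });
      continue;
    }
    // Manifest V3 form: { resources, matches, use_dynamic_url }.
    const matches = entry.matches || [];
    const broad = matches.some((m) => BROAD.has(m));
    const dynamicUrl = entry.use_dynamic_url === true;
    for (const resource of entry.resources || []) {
      findings.push({ resource, matches, broad, dynamicUrl });
    }
  }
  // Exposed: any site may request the resource and its URL is not per-session.
  const exposed = findings.filter((f) => f.broad && !f.dynamicUrl);
  return { findings, exposed, detectable: exposed.length > 0 };
}

// Constructed sample manifests (not taken from any real extension).
const v2Manifest = {
  manifest_version: 2,
  web_accessible_resources: ["images/logo.png", "inject.css"],
};
const v3Manifest = {
  manifest_version: 3,
  web_accessible_resources: [
    { resources: ["panel.html"], matches: ["https://example.org/*"] },
    { resources: ["icon.png"], matches: ["<all_urls>"], use_dynamic_url: true },
    { resources: ["frame.js"], matches: ["<all_urls>"] },
  ],
};
const noResources = { manifest_version: 2 };

for (const [name, m] of Object.entries({ v2Manifest, v3Manifest, noResources })) {
  const r = auditManifest(m);
  console.log(name, "detectable:", r.detectable, r.exposed.map((f) => f.resource));
}
```

An extension that declares no web-accessible resources, like `noResources` here, gives this technique nothing to request.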
