Hey,

> But then the extension doesn't work: it takes a full core and starts
> eating as much RAM as it can. See this screencast:

The SHA-256 takes time and CPU to compute for such large files. In the
previous add-on we were using a native method (which is not supported in
web extensions), which was probably fast because it was native: native
methods are not bound to JavaScript, while the SHA libs must use
JavaScript to compute the hash. What we can do as a workaround is
compute the hash in a web worker. A web worker won't hang the
page/browser but it'll still take CPU and RAM.

> That you are embedding a crypto library to compute the SHA256
> (scripts/vendor/sha256.js) while the previous code didn't do that.
> In tails-download-and-verify/lib/hash.js he seems to use a built-in
> function from Firefox with:

This is not possible in web extensions; that API only works in the
Add-on SDK.

> That you don't pin on the SSL certificate of our certificate authority
> (Let's Encrypt).

This library is also Add-on SDK specific and is not supported in
WebExtensions. There's this certificate pinning feature in HTML5
https://developer.mozilla.org/en-US/docs/Web/HTTP/Public_Key_Pinning
in which pinned certificates are returned in the header of the request
when the user visits the site for the first time.

It'd have been easier for us to reuse Giorgio's code instead of
rewriting from scratch, but because a lot of the APIs used in Giorgio's
code are Add-on SDK specific and aren't supported in WebExtensions, it
was better to rewrite.

On Sun, Oct 15, 2017 at 10:07 PM, sajolida <[email protected]> wrote:

> Uzair Farooq:
> > We made the commit on top of existing repo, here
> > https://github.com/usman-subhani/Tails-repos
>
> Yeah, I like that!
>
> I merged your changes in the production website so you can test it from:
>
> http://tails.boum.org/install/download_2
>
> I also:
>
> - Hid the "Update extension" that was displayed by default.
> - Hid the <input> that you added for the file chooser.
>
> So far so good!
>
> > Here's how to install Firefox extension
> > https://developer.mozilla.org/en-US/Add-ons/WebExtensions/Temporary_Installation_in_Firefox
> > There's a video tutorial at the end.
>
> I tried this as well and installing the extension like this works, yeah!
>
> But then the extension doesn't work: it takes a full core and starts
> eating as much RAM as it can. See this screencast:
>
> https://dl.poivron.org/n7exagegay7wmynbugh4-ekzsjrqmajdq5lyn
>
> Also, I see in the report for the extension itself that you decided to
> start a code base from scratch. Our initial idea was to instead base
> your work on the current code base from Giorgio Maone, but I also
> understand that given the fact that the scope of the extension has been
> drastically reduced after we removed the download from it and that the
> download page has been completely rewritten, it might make more sense
> for you to start from scratch. So that's not a problem as such.
>
> Still, as initial comments (because I can't really understand your code
> beyond that), I see:
>
> - That you are embedding a crypto library to compute the SHA256
>   (scripts/vendor/sha256.js) while the previous code didn't do that.
>   In tails-download-and-verify/lib/hash.js he seems to use a built-in
>   function from Firefox with:
>
>     let hasher = Cc["@mozilla.org/security/hash;1"]
>                    .createInstance(Ci.nsICryptoHash);
>     hasher.init(hasher.SHA256);
>
>   https://developer.mozilla.org/en-US/docs/Mozilla/Tech/XPCOM/Reference/Interface/nsICryptoHash
>
>   If this is still possible with WebExtensions, why not do that?
>
>   Because auditing and maintaining crypto primitives is not really
>   something we want to go into...
>
> - That you don't pin on the SSL certificate of our certificate authority
>   (Let's Encrypt).
>
>   See:
>
>   - https://tails.boum.org/blueprint/bootstrapping/extension/#index5h2
>   - tails-download-and-verify/lib/cert-pinner.js in the current code
>
> I'm sorry if I didn't point you to this document before but I didn't
> expect that you would rewrite the internals of the verification
> mechanism and would rather reuse Giorgio's code.
_______________________________________________
Tails-dev mailing list
[email protected]
https://mailman.boum.org/listinfo/tails-dev
To unsubscribe from this list, send an empty email to [email protected].
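Added example, not part of the original thread or of the extension's code: the reply above proposes computing the SHA-256 in a web worker and notes that this still costs CPU and RAM. This sketch goes one step further and reads a Blob slice by slice into an incremental hasher, so that only one chunk is held in memory at a time. It runs under Node 18+ with node:crypto standing in for the hasher; `hashBlobInChunks`, `CHUNK_SIZE` and `demo` are hypothetical names.

```javascript
// Added example (not the extension's code). Runs under Node 18+.
const CHUNK_SIZE = 4 * 1024 * 1024; // 4 MiB per read; assumed value

// Feed a Blob/File to an incremental hasher one slice at a time, so memory
// use is bounded by chunkSize rather than by the size of the image.
// `hasher` must expose update(Uint8Array) and digest('hex'). Assumption: in a
// WebExtension worker that would be a bundled library with the same shape,
// because SubtleCrypto.digest() only accepts the whole input at once.
async function hashBlobInChunks(blob, hasher, chunkSize = CHUNK_SIZE, onProgress) {
  if (!Number.isInteger(chunkSize) || chunkSize <= 0) {
    throw new RangeError('chunkSize must be a positive integer');
  }
  for (let offset = 0; offset < blob.size; offset += chunkSize) {
    // Only this window is materialised as an ArrayBuffer.
    const buf = await blob.slice(offset, offset + chunkSize).arrayBuffer();
    hasher.update(new Uint8Array(buf));
    if (onProgress) onProgress(Math.min(offset + chunkSize, blob.size), blob.size);
  }
  return hasher.digest('hex');
}

// Constructed sample input: 10363 bytes hashed in 4096-byte chunks and
// compared with a one-shot digest of the same bytes.
async function demo() {
  const { createHash } = await import('node:crypto');
  const data = new Uint8Array(10 * 1024 + 123);
  for (let i = 0; i < data.length; i++) data[i] = i % 251;
  const reads = []; // bytes consumed after each chunk
  const chunked = await hashBlobInChunks(
    new Blob([data]), createHash('sha256'), 4096, (done) => reads.push(done));
  const oneShot = createHash('sha256').update(data).digest('hex');
  return { chunked, oneShot, reads };
}

demo().then((r) => console.log(r.chunked === r.oneShot, r.reads));
```

The `onProgress` callback is where a worker would post progress messages back to the page.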
