Web extension vs Web application security considerations

Below we would like to list considerations about web extension security that we consider important while implementing end-to-end email encryption comparing with traditional web applications.

Delivery model. Authenticity. 

Web extension delivery is controlled by the end-user who can:

• Install web extension from the store (Chrome web store, Firefox Add-ons, ...) delegating the store owner checking authenticity, security, privacy policy.
• Install web extension manually verifying its authenticity and security using corresponding scanners and utilities
• Get web extension as preinstalled with the corporate version of the browser. 

NOTE that in a web application case, the user doesn’t have control over the webserver that is providing the web application, any web service provider can potentially provide a malicious version that could compromise the encryption. 

It's valid for webmail encryption services like ProtonMail, Tutanota, ...

Fine-grained permissions 

Web extensions have a permissions model to give users fine-grained control over what information and resources could be accessed by any extensions they install. 

Each extension comes packaged with a list of permissions, which govern access to the browser APIs and web domains. If an extension has a core vulnerability, the attacker will only gain access to the permissions the vulnerable extension already has.

Privilege separation

Extensions are built from two types of components, which are isolated from each other - content scripts and extension cores. Content scripts interact with websites and execute with no privileges. Extension cores do not directly interact with websites and execute with the extension's full privileges.

Process Isolation

From Protecting Browsers from Extension Vulnerabilities: 

"Each component of the extension runs in a different process. The extension core and the native binary each receive dedicated processes. Content scripts run in the same process as their associated web pages. 

This process isolation has two benefits: it defends against browser errors and low-level exploits. 

Process isolation helps protect the extension core from browser implementation errors, such as cross-origin JavaScript capability leaks because JavaScript objects cannot leak from one process to
another. 

Process isolation also defends against low-level exploits in the browser. For example, if a malicious web site operator manages to corrupt the renderer process (e.g., via a buffer overflow), the attacker will not be granted access to the extension APIs because the extension core resides in another process."

Web extension isolated world

Important to note that the extension's content script runs in an isolated world. "Isolated worlds do not allow for content scripts, the extension, and the web page to access any variables or functions created by the others. This also gives content scripts the ability to enable functionality that should not be accessible to the web page" [2]

Moreover, the extension's content script is completely cut off from the background script (an invisible page that holds the main logic of the extension)  and can communicate with it only via Chrome messages https://developer.chrome.com/extensions/messaging. So that message content can be validated and sanitized in a favor of security.

Vulnerability analysis

Web extensions have more privileges thus vulnerabilities in browser extensions put users at risk by providing a way for website and network attackers to gain access to users' private data and credentials.

Following researches like An Evaluation of the Google Chrome Extension Security Architecture browser vendors improve web extensions platform security regularly at the same time making extension developers publish and follow strict data privacy policies.

Fossa Guard Pro 1.0.3 Hidden Subject support

Fossa Guard Pro V1.0.3 supports an option to hide the Subject and Recipient's name (leaving only email address) by wrapping the original message using content-type message/rfc822 and encrypting it.

New checkbox 'Hide Subject' is available once you select to Encrypt the message 

The subject is hidden under generic 'Confidential Email' and looks like an empty message with encrypted attachment 'smime.p7m'

In Outlook this message is represented by a message with an internal original message S/MIME encrypted and signed

Check the video demonstrating it.

Link to the extension: Fossa Guard Pro V1.0.3 

Fossa Guard Pro 1.0 Personal Certificate enrollment options

Once Fossa Guard Pro 1.0 installed User has to enroll his Identity - Personal Certificate to start secured emailing. The enrollment procedure artifacts are stored into the local Chrome extension storage within userspace (see https://fossaguard.blogspot.com/2020/03/technical-details-about-chrome-extension.html for details) and consists of:

• Private Key - you should keep privately and use to 
• decrypt messages sent to you 
• sign messages so that your recipients will be able to verify the signature using your Public Certificate 
• Trusted Certificates - a chain of officially Trusted certificates that issued the Public Certificate from direct Issuer up to the Root Trusted Certificate so that anyone can verify the origin of your Public Certificate.
• Public Certificate - the certificate your recipients should use to encrypt private messages sent to you, this certificate is also used when you're sending an encrypted message to yourself, thus it's present in Personal and in Recipient lists of certificates.

There are three main options to enroll the Personal Certificate once Fossa Guard is installed.

Import Private Key (p12, pfx)

The option valid when the User already has got a personal identity in the form of a file P12 or PFX format protected by a Passphrase (can be empty). Usually, it contains a Private Key accompanied by a corresponding Public Certificate. 

Once the user provides the correct passphrase to decrypt the imported file, Fossa Guard:

• Checks if contained Public Certificate is valid and is issued to the email of logged User, if Yes - the Private Key assigned as the default User's identity 
• Adds the corresponding certificate to Recipients list (so the user will be able to send encrypted emails to himself)

NOTE that there are few or no vendors providing free trusted S/MIME identities: http://kb.mozillazine.org/Getting_an_SMIME_certificate

Enroll Fossa Certificate

The user has an option to enroll a free Personal Certificate signed by Fossa Certificate Authority (CA). Fossa Guard extension and Fossa CA designed to make the enrollment simple and secure using Enrollment over Secure Transport (EST).
Once the user provides the name (the only mandatory parameter) he can start the procedure

The pair Private / Public Keys and Certificate Signing Request (CSR) are generated locally in the browser.

On the next step, the User should log in to Fossa Server (by clicking `Get Shared Secret from Fossa.me Server`) to get a shared secret which will be used to establish a TLS connection. Please note that you should log in to the Fossa Server using the same Gmail user to get the shared secret for the corresponding email address.

Using TLS connection Fossa Guard securely sends Certificate Request with Public Key inside and gets back Public Certificate signed by Fossa CA

On the final step, Fossa Guard asks the User to enter Passphrase to protect Private Key before storing it with Public Certificate in local Chrome extension storage.

That's all, Fossa Guard is ready for secure mailing via Gmail.

Enroll Self-signed Certificate

Self-signed Personal Certificate enrollment procedure has only the first and last steps from Fossa certificate enrollment.
On completion self-signed certificate is automatically added to the Personal, Trusted, and Recipient certificates list.

NOTE that self-signed certificates can't be verified checking Issuer certificates, so the user should find the trusted way to share it with his recipients.

Fossa Guard Pro 1.0 Settings overview

Fossa Guard settings page contains three corresponding lists:

• Personal Certificates - list represents Private Keys for the User. There are three main options to add them:
• Import Private Key (p12, pfx) - via P12 or PFX file protected by a Passphrase (can be empty)
• Enroll Fossa Certificate - via enrollment procedure when the certificate is securely signed on Fossa Server
• Enroll Self-signed Certificate - via fully local enrollment procedure
• Trusted certificates - list of Certificate Authorities (CA) Certificates officially trusted by main vendors, usually openly published on vendor sites. Fossa Guard has preloaded trusted certificate for the following identity vendors:
• Comodo
• DigiCert
• Fossa.me 
• Global Sign
• WISE Key
• Recipients certificates contain public certificates of your recipients including your own.

Users can import additional Trusted and Recipient certificates via a file in PEM or DER formats.

NOTE that Self-signed certificates are recognized and proposed to be added into both lists Trusted and Recipients

By click on Certificate name User can view certificate details

Fossa Guard Pro 1.0 S/MIME signed support

Send S/MIME signed message

Gmail mangles S/MIME signed messages differently http://fossaguard.blogspot.com/2020/04/smime-signed-messages-support-in-gmail.html

• application/pkcs7-mime with SignedData by restricting access to the signature (since G Suite uses this format to sign messages)
• multipart/signed by rearranging MIME parts of the message converting to multipart/mixed

The following approach has been implemented to send S/MIME signed emails:

• to *@gmail.com addresses multipart/mixed format used with smime.p7m attachment which contains original S/MIME multipart/signed message with signature due to the following reasons:
  • User will be able to see message content, files without any extension
  • User will be able to view content, files of the original message with the digital signature using of Fossa Guard
• to all other addresses a standard S/MIME SignedData format due to the following reasons:
• G Suite accounts use custom domains, 
• G Suite uses SignedData format internally for S/MIME signed messages
• Gmail doesn't mangle message to external addresses

Signature status indication

When User opens S/MIME signed message in Gmail UI Fossa Gard extension tries to verify the signature 

Once S/MIME signature verified the corresponding status is indicated. 

Fossa Guard replaces the content of the message by the original read from smime.p7m attachment. 

A new button `View Original  Message` becomes available to open the email in Fossa Guard View dialog with original message content and original attachments

Signature verification 

• The attached certificate chain is not used in the email signature verification procedure until added to the list of trusted. 
• Email signature verification is performed per email Sent date. 

Fossa Guard Pro 1.0 improvements

Roboto font

• Roboto font has been introduced as a default font to be aligned with the overall Gmail appearance.

Compose / View dialogs

• Fossa Guard Compose / View dialogs can be minimized by the click on the header not to block creating and viewing other S/MIME emails.

• Minimized Compose / View dialogs are represented as bars at the bottom of the Gmail window and can be restored by the click on the subject or closed by the click on the cross icon.

Search Index

• Search index size is presented in the form of a bar indicating the amount of available space.

Informational warnings for error cases

• Informational alerts and warnings have been added for extension invalidation, user authentication, authorization, and synchronization errors.

See detailed article on the point: http://fossaguard.blogspot.com/2020/03/fossa-guard-authentication-and.html

Recipient certificate details and status

Recipients are presented by the pillows indicating the status of user certificate by the color and the corresponding icon, considering:

• Green - there is at least one valid certificate for the email address
• Red - there is at least one invalid certificate for the email address
• Grey - there is no certificate for the email address

Click on the recipient's pillow opens `Recipient Details` popup with the information from the Contacts (photo, name, email) and list of certificates found in the local Chrome extension storage. There are in-place options to

• Load certificate from the file
• Load certificate from Fossa registry

Click on the certificate info opens `Certificate Details` popup displaying the internal information of the selected certificate.

Fossa Guard Pro 1.0 released

27 of June 2020

Glad to announce Fossa Guard Pro 1.0 commercial release is available at https://chrome.google.com/webstore/detail/fossaguardpro-encrypt-gma/opfepnmdnnmiiemnkhaneagicmlakdjh

S/MIME end-to-end encryption Chrome extension for Gmail with

• S/MIME formats supported (including attachments)
• Sign
• Encrypt
• Sign-then-Encrypt

• Constant pricing about $1.99 per month 
• Interoperability tested with
• Outlook
• Thunderbird

Release details should come in further articles on this blog.

Future plans 

• Triple wrapping: Sign-then-Encrypt-then-Sign considering 2 private keys
• Firefox, Opera, Yandex browsers support  
• Mobile Gmail web version support

S/MIME signed messages support in Gmail

From RFC5751 

"There are two formats for signed messages defined for S/MIME:

• application/pkcs7-mime with SignedData
• multipart/signed.

In general, the multipart/signed form is preferred for sending, and receiving agents MUST be able to handle both."

As per 1st of April, 2020 the situation with S/MIME signed messages support for free Gmail accounts is as following:

multipart/signed

• Gmail to Gmail: NOK  (since 2013)
• Gmail to External Mail: NOK (since 2013)
• External Mail to Gmail: OK 
• 
  

application/pkcs7-mime with SignedData

• Gmail to Gmail: NOK (since 2017)
• Gmail to External Mail: OK
• External Mail to Gmail: OK 

NOK means Gmail service mangles a message in transit by:

• repacking MIME entities and changing boundaries
• changing the content type of the message to multipart/mixed
• restricting access to S/MIME signature for multipart/signed messages

The history of the above points:

• 2013 - Google has started to mangle multipart/signed messages inside Gmail
• 2017 - Google has started to mangle application/pkcs7-mime with SignedData inside Gmail

Fossa Guard authentication and authorization error cases

Below the list of hints and tricks related to privacy which help you to start using Fossa Guard:

• understanding authentication and authorization details
• avoid common issues and misunderstandings

Chrome extension isolation

During installation, a dedicated copy of a Chrome extension for each Google user is copied into the corresponding Operating System (OS) user's space including a dedicated storage instance. Please refer to Technical details about Chrome extension.

Extension installation

Sometimes the extension is installed with incorrect Extension ID which is used as a credential to access Google APIs, so that User can get the following error

The detailed information about installed extensions can be found at chrome://extensions.

Note that Fossa Guard extensions have the following static Extension IDs (can be verified in Chrome Web Store):

• Fossa Guard Pro - opfepnmdnnmiiemnkhaneagicmlakdjh
• Fossa Guard - dgieialkiekjbocjiekgghpkggjppnfe

Please contact support@fossa.me if your Fossa Guard extension installation has the wrong Extension ID on your machine.

Extension permissions 

At first usage time, Fossa Guard requests a formal user's approval to use permissions needed to call Google APIs on a user's behalf.

 

If User didn't give the permissions requested the following error will be displayed:

The given permissions can be reviewed and revoked (if necessary) via Google Account portal.

Extension update

From time to time a new version of the extension is being released and automatically updated by Chrome. Once the extension updated User has to refresh the Gmail page to continue with a new version of the extension.

Extension not yet loaded

Gmail tends to be a quite heavy web application and requires a remarkable time to load all installed extensions, add-ins. When User tries to invoke Fossa Guard functionality when it' snot yet loaded onto the Gmail the following notification can be displayed:

Google identity and Private Key access

Fossa Guard uses the current Chrome logged user as a primary Google identity to authorize the private key access and certificate management following the extension isolation approach defined in the previous chapter meaning that each extension instance operates with the private key related to the single Google account.

 

It means that the Chrome user should be logged in and synchronization should be turned on to make Fossa Guard extension to grant access to the private key and certificates.

Chrome user will be notified about the necessity to log and to synchronize the account.

Chrome user vs Gmail user

Since Fossa Guard uses the identity of the currently logged Chrome user it considers that User should operate within the corresponding Gmail mailbox. If a User would try to use different Gmail mailbox Fossa Guard notifies about it.

To use a particular mailbox, the User has to login to Chrome with the corresponding account so that Chrome's extension isolation mechanism will be applied to establish the private key security.

Privacy policy

Fossa Team has quite detailed and formal Fossa privacy policy with the main statement that the Fossa solution has been designed with the only main goal to supply Gmail users with privacy via industry-grade email encryption (S/MIME) integrated into the web browser.

Technical details about Chrome extension

Installation 

During the installation on Windows 10 Chrome extension artifacts are copied into the folder for default Chrome account:
C:\Users\<Windows Login>\AppData\Local\Google\Chrome\User Data\Default

Note that if Windows user has several Chrome accounts, each Chrome account has its own set of installed extensions with root located at
C:\Users\<Windows Login>\AppData\Local\Google\Chrome\User Data\Profile<N>

Source files 

Source files of Chrome extension are stored in the sub-folder named after the id and the version of the extension:
...\Extensions\<Extension ID>\<Extension Version>\

Local Storage

Local storage of Chrome extensions is stored at the: 

...\Local Extension Settings\<Extension ID>\

Note that: 

• local storage is isolated from common Chrome storages: Local, Session or IndexedDB
• local storage can be accessed only from the corresponding Chrome account using Developer Tools
• local storage has levelDb format 

State Management

Navigate to chrome://extensions to manage extensions for the currently logged Chrome user.

User can:

• Enable / Disable extension
• Update / Refresh
• Remove
• Navigate to Background page (Developer mode) 
• Review Errors log (Developer mode)

Using Developer mode one can install extensions from not only Chrome Web Store but from a local drive as well using 'Load unpacked'.

Components

Fossa Guard extension consists of 3 main components linked via messaging

• Content script operates on Gmail page in the dedicated iframe, communicates with Gmail via DOM messages, observing DOM events, communicates with Background Script via Chrome messages.
• Settings page provides user UI to manage certificates and keys
• Background script is responsible for cryptography, uses with extension storages and communicates external services via http(s) calls.

Reply and Forward in S/MIME format

From V0.1.17 Fossa Guard Pro enables Reply All, Reply and Forward for plain-text messages via the dedicated bar on top of each email.

When clicked, it opens FossaGuard compose dialog with the content of the selected email and the options to encrypt and to sign the replied (forwarded) message.

You should click on the email to view content to be able to access the bar and reply (or forward) the specific email from the thread.

Auto-indexing option

Starting from V0.1.17 Fossa Guard Pro supports the option to auto-index S/MIME emails during reading meaning that the search index is auto-updated.

Emails that are left unread can be indexed manually by clicking `Refresh` link it actualize the index from last update time up to the current time.
Note that the search index is limited by extension local storage size quota around 5Mb https://developer.chrome.com/apps/storage#property-local

2019 year summary

2019 was quite intriguing and motivating. Fossa solution has got strong interest from tier 1 international companies. End-to-end encryption for Gmail is becoming a vital necessity while US head offices insisting regional offices to migrate to Gmail. Technical experts quickly realized that hosted S/MIME solution provided by G Suite from Google doesn't guarantee email privacy having a 10x bigger operational cost comparing with the Fossa solution.

Gmail 2018 UI

At the beginning of 2019 Fossa Team has accomplished Gmail 2018 new UI support introducing preview pane support.

Google Security requirements 2019

We have spent a remarkable amount of time to pass through a new Gooogle security requirements verification from May 2019 till October 2019 which included:

• detailed OAuth scopes explanation with necessity proved by corresponding videos on our Youtube channel (free version, pro version)
• Fossa privacy policy continuous review and update

Gmail Web mobile 

Basic Gmail web mobile support has been implemented following one of the requests from our customers giving the same user experience on the Android devices:

Non-Chrome browsers

Yandex, Firefox, Opera browsers support has come as an alternative to Chrome browser is quite important for some of our potential clients.

Multiple emails 

Multiple email support in Subject Alternative Name extension is also the request "from the field" when companies practice long and short email addresses for the same employee.

Search in encrypted emails

The final and most wanted ability has become a full-text multi-language search inside S/MIME encrypted messages based on the manual generation and refreshing of the local search index.



2020 is promising to become rich in new features and capabilities.
Stay tuned.