Sunday, March 22, 2020

Fossa Guard authentication and authorization error cases

Below is a list of privacy-related hints and tricks to help you start using Fossa Guard:

  • understanding authentication and authorization details
  • avoiding common issues and misunderstandings

Chrome extension isolation

During installation, a dedicated copy of the Chrome extension is created for each Google user in the corresponding operating system (OS) user's space, including a dedicated storage instance. Please refer to Technical details about Chrome extension.

Extension installation

Sometimes the extension is installed with an incorrect Extension ID. Because the Extension ID is used as a credential to access Google APIs, the user can get the following error:
Detailed information about installed extensions can be found at chrome://extensions.


Note that Fossa Guard extensions have the following static Extension IDs (can be verified in Chrome Web Store):


Please contact support@fossa.me if your Fossa Guard extension installation has the wrong Extension ID on your machine.

Extension permissions 

On first use, Fossa Guard requests the user's formal approval for the permissions needed to call Google APIs on the user's behalf.
 


If the user did not grant the requested permissions, the following error will be displayed:
The granted permissions can be reviewed and revoked (if necessary) via the Google Account portal.


Extension update

From time to time a new version of the extension is released and automatically updated by Chrome. Once the extension has been updated, the user has to refresh the Gmail page to continue with the new version of the extension.

Extension not yet loaded

Gmail is quite a heavy web application and needs a noticeable amount of time to load all installed extensions and add-ins. When the user tries to invoke Fossa Guard functionality before it has been loaded into Gmail, the following notification can be displayed:

Google identity and Private Key access

Fossa Guard uses the currently logged-in Chrome user as the primary Google identity to authorize private key access and certificate management. This follows the extension isolation approach described in the previous chapter: each extension instance operates with the private key related to a single Google account.
 

This means that the Chrome user must be logged in and synchronization must be turned on for the Fossa Guard extension to grant access to the private key and certificates.

The Chrome user will be notified about the need to log in and to synchronize the account.

Chrome user vs Gmail user

Since Fossa Guard uses the identity of the currently logged-in Chrome user, it expects the user to operate within the corresponding Gmail mailbox. If the user tries to use a different Gmail mailbox, Fossa Guard notifies them about it.


To use a particular mailbox, the user has to log in to Chrome with the corresponding account so that Chrome's extension isolation mechanism is applied to protect the private key.

Privacy policy

Fossa Team has a detailed and formal Fossa privacy policy. Its main statement is that the Fossa solution has been designed with one main goal: to supply Gmail users with privacy via industry-grade email encryption (S/MIME) integrated into the web browser.

Friday, March 6, 2020

Technical details about Chrome extension

Installation 

During installation on Windows 10, the Chrome extension artifacts are copied into the folder of the default Chrome account:
C:\Users\<Windows Login>\AppData\Local\Google\Chrome\User Data\Default

Note that if a Windows user has several Chrome accounts, each Chrome account has its own set of installed extensions, with its root located at
C:\Users\<Windows Login>\AppData\Local\Google\Chrome\User Data\Profile<N>

Source files 

Source files of a Chrome extension are stored in a sub-folder named after the ID and the version of the extension:
...\Extensions\<Extension ID>\<Extension Version>\

Local Storage

Local storage of Chrome extensions is located at:
...\Local Extension Settings\<Extension ID>\


Note that: 

  • local storage is isolated from common Chrome storages: Local, Session or IndexedDB
  • local storage can be accessed only from the corresponding Chrome account using Developer Tools
  • local storage is in LevelDB format
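
The folder layout described above (one root per Chrome account, Extensions\<Extension ID>\<Extension Version>\ and Local Extension Settings\<Extension ID>\) can be audited to see which profiles carry the expected Extension ID. The following is an added example, not Fossa Guard code: EXPECTED_ID is a placeholder because the real IDs are not listed on this page, the sample tree is constructed, and the profile pattern also accepts the "Profile 1" spelling Chrome uses on disk.

```python
import re
import tempfile
from pathlib import Path

# Chrome extension IDs are 32 characters drawn from the letters a-p.
EXT_ID_RE = re.compile(r"^[a-p]{32}$")
# The page writes Profile<N>; Chrome names the folders "Profile 1", "Profile 2", ...
PROFILE_RE = re.compile(r"^(Default|Profile ?\d+)$")
EXPECTED_ID = "a" * 32  # placeholder, NOT the real Fossa Guard Extension ID


def audit_profiles(user_data, expected_id):
    """Per profile: installed versions of expected_id, storage presence, other IDs."""
    if not EXT_ID_RE.match(expected_id):
        raise ValueError("malformed extension ID")
    report = {}
    for profile in sorted(p for p in Path(user_data).iterdir() if p.is_dir()):
        ext_root = profile / "Extensions"
        if not PROFILE_RE.match(profile.name) or not ext_root.is_dir():
            continue  # not a Chrome account folder
        ids = {e.name: sorted(v.name for v in e.iterdir() if v.is_dir())
               for e in ext_root.iterdir()
               if e.is_dir() and EXT_ID_RE.match(e.name)}
        storage = profile / "Local Extension Settings" / expected_id
        report[profile.name] = {
            "versions": ids.get(expected_id, []),
            "has_storage": storage.is_dir(),
            "other_ids": sorted(i for i in ids if i != expected_id),
        }
    return report


def demo():
    """Run the audit over a constructed User Data tree (sample data, not real)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        other = "b" * 32  # constructed ID standing in for a different extension
        (root / "Default" / "Extensions" / EXPECTED_ID / "1.0.0_0").mkdir(parents=True)
        (root / "Default" / "Local Extension Settings" / EXPECTED_ID).mkdir(parents=True)
        (root / "Profile 1" / "Extensions" / other / "2.3_0").mkdir(parents=True)
        (root / "ShaderCache").mkdir()  # non-profile folder, must be ignored
        return audit_profiles(root, EXPECTED_ID)


if __name__ == "__main__":
    for name, row in demo().items():
        print(name, row)
```

On a real machine, pass the User Data folder shown above and the Extension ID published in the Chrome Web Store; a profile with an empty "versions" list and a non-empty "other_ids" list is the one to compare against chrome://extensions.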

State Management

Navigate to chrome://extensions to manage extensions for the currently logged-in Chrome user.

User can:

  • Enable / Disable extension
  • Update / Refresh
  • Remove
  • Navigate to Background page (Developer mode) 
  • Review Errors log (Developer mode)

Using Developer mode, one can install extensions not only from the Chrome Web Store but also from a local drive using 'Load unpacked'.

Components


The Fossa Guard extension consists of 3 main components linked via messaging:

  • Content script operates on the Gmail page in a dedicated iframe, communicates with Gmail via DOM messages, observes DOM events, and communicates with the Background script via Chrome messages.
  • Settings page provides the user UI to manage certificates and keys.
  • Background script is responsible for cryptography, works with the extension storages and communicates with external services via HTTP(S) calls.