Showing posts with label encryption. Show all posts

Sunday, December 27, 2020

Web extension vs Web application security considerations

Below we list the web extension security considerations that we found important while implementing end-to-end email encryption, compared with delivering the same functionality as a traditional web application.

Delivery model. Authenticity. 


Web extension delivery is controlled by the end user, who can:
  • Install the extension from a store (Chrome Web Store, Firefox Add-ons, ...), delegating the checks of authenticity, security and privacy policy to the store owner.
  • Install the extension manually, verifying its authenticity and security with the corresponding scanners and utilities.
  • Get the extension preinstalled with the corporate version of the browser.

NOTE that in the web application case the user has no control over the web server that serves the application: any web service provider can potentially serve a malicious version of the client-side code that compromises the encryption, and the user has no way to tell whether the code loaded today is the code that was reviewed yesterday. An extension, by contrast, is a discrete, inspectable package with a version number; the store and the developer's signing key remain trusted parties (store-installed extensions auto-update), but every version can be examined before and after installation.

This applies to webmail encryption services like ProtonMail, Tutanota, ...


Fine-grained permissions 


Web extensions have a permissions model that gives users fine-grained control over what information and resources an installed extension can access.
Each extension is packaged with a list of permissions (declared in its manifest) that governs access to browser APIs and web domains. If the extension core has a vulnerability, the attacker only gains the permissions the vulnerable extension already holds, which is why an extension should request the minimum set it needs.

Privilege separation


Extensions are built from two types of components that are isolated from each other: content scripts and the extension core. Content scripts interact with websites and execute with no privileges. The extension core does not directly interact with websites and executes with the extension's full privileges.

Process Isolation


"Each component of the extension runs in a different process. The extension core and the native binary each receive dedicated processes. Content scripts run in the same process as their associated web pages.

This process isolation has two benefits: it defends against browser errors and low-level exploits. Process isolation helps protect the extension core from browser implementation errors, such as cross-origin JavaScript capability leaks, because JavaScript objects cannot leak from one process to another.

Process isolation also defends against low-level exploits in the browser. For example, if a malicious web site operator manages to corrupt the renderer process (e.g., via a buffer overflow), the attacker will not be granted access to the extension APIs because the extension core resides in another process."

(Quoted from An Evaluation of the Google Chrome Extension Security Architecture, referenced below.)


Web extension isolated world


It is important to note that the extension's content script runs in an isolated world. "Isolated worlds do not allow for content scripts, the extension, and the web page to access any variables or functions created by the others. This also gives content scripts the ability to enable functionality that should not be accessible to the web page" [2]


Moreover, the extension's content script is completely cut off from the background script (an invisible page that holds the main logic of the extension) and can communicate with it only via Chrome messages (https://developer.chrome.com/extensions/messaging), so message content can be validated and sanitized on the privileged side before anything is done with it. The background script should treat every message as untrusted input from a page it does not control: check who sent it and what shape it has before acting on it.
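The validation step described above, as an added example that is not Fossa Guard's code or Chrome's: a background-script handler that accepts a message only from this extension's own content script, only from an expected page origin, and only if it matches a strict schema. The message shape ({ type: "encrypt", recipients, body }), the allowed origin and the size cap are assumptions made for the illustration.

```javascript
// Added example (not Fossa Guard's code): a background-script message handler
// that treats every message from a content script as untrusted input.
// The message shape ({ type: "encrypt", recipients, body }), the allowed
// page origin and the size cap are assumptions made for this illustration.

const ALLOWED_PAGE_ORIGINS = new Set(["https://mail.google.com"]); // assumed
const MAX_BODY_BYTES = 1024 * 1024;                                  // assumed cap
const EMAIL_RE = /^[^\s@]+@[^\s@]+\.[^\s@]+$/;                       // deliberately simple

// Pure validation so it can be unit-tested without a browser.
// `sender` mirrors chrome.runtime.MessageSender: { id, url, tab, ... }.
// Returns { ok: true, request } with a fresh, normalised copy of the input,
// or { ok: false, error } when anything is off.
function validateRequest(message, sender, extensionId) {
  // 1. Only this extension's own content scripts may talk to the core.
  if (!sender || sender.id !== extensionId) {
    return { ok: false, error: "sender is not this extension" };
  }
  // 2. The content script must be running in a page we expect to inject into.
  let origin;
  try {
    origin = new URL(sender.url).origin;
  } catch {
    return { ok: false, error: "sender url is missing or malformed" };
  }
  if (!ALLOWED_PAGE_ORIGINS.has(origin)) {
    return { ok: false, error: `unexpected page origin ${origin}` };
  }
  // 3. Strict schema: reject unknown fields instead of silently ignoring them.
  if (typeof message !== "object" || message === null || Array.isArray(message)) {
    return { ok: false, error: "message must be an object" };
  }
  const allowedKeys = ["type", "recipients", "body"];
  for (const key of Object.keys(message)) {
    if (!allowedKeys.includes(key)) return { ok: false, error: `unexpected field ${key}` };
  }
  if (message.type !== "encrypt") {
    return { ok: false, error: "unknown message type" };
  }
  const { recipients, body } = message;
  if (!Array.isArray(recipients) || recipients.length === 0 ||
      !recipients.every((r) => typeof r === "string" && EMAIL_RE.test(r))) {
    return { ok: false, error: "recipients must be a non-empty list of email addresses" };
  }
  if (typeof body !== "string" || new TextEncoder().encode(body).length > MAX_BODY_BYTES) {
    return { ok: false, error: "body must be a string within the size cap" };
  }
  // 4. Hand back our own object, not the caller's (which the page side could still mutate).
  return {
    ok: true,
    request: { type: "encrypt", recipients: recipients.map((r) => r.toLowerCase()), body },
  };
}

// Wire it up when running as the extension core. The content-script side is
// simply: chrome.runtime.sendMessage({ type: "encrypt", recipients, body }, cb).
if (typeof chrome !== "undefined" && chrome.runtime && chrome.runtime.onMessage) {
  chrome.runtime.onMessage.addListener((message, sender, sendResponse) => {
    const verdict = validateRequest(message, sender, chrome.runtime.id);
    if (!verdict.ok) {
      sendResponse({ error: verdict.error }); // never echo the raw message back
      return false;
    }
    // Privileged work (key access, Gmail API calls) happens here, on verdict.request only.
    sendResponse({ ok: true, accepted: verdict.request });
    return false;
  });
}
```

The sender check matters because a page cannot normally reach chrome.runtime.onMessage, but a misconfigured externally_connectable entry or a second compromised extension can; the origin check catches a content script that was injected into a page you did not intend; the schema check is what keeps a bug in the content script from becoming a bug in the core.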

Vulnerability analysis


Web extensions have more privileges than web pages, so vulnerabilities in browser extensions put users at risk by giving website and network attackers a way to reach users' private data and credentials.

Following research such as An Evaluation of the Google Chrome Extension Security Architecture, browser vendors regularly improve the security of the web extension platform, and at the same time require extension developers to publish and follow strict data privacy policies.



Friday, November 27, 2020

Fossa Guard Pro 1.0.3 Hidden Subject support

Fossa Guard Pro V1.0.3 supports an option to hide the Subject and the recipient's display name (leaving only the email address) by wrapping the original message in a message/rfc822 entity and encrypting that wrapper.

A new 'Hide Subject' checkbox is available once you select Encrypt for the message.


The subject is replaced with the generic 'Confidential Email', and the message looks like an empty message with an encrypted 'smime.p7m' attachment.


In Outlook this message is displayed as a message containing an inner original message that is S/MIME encrypted and signed.



Check the video demonstrating it.

Link to the extension: Fossa Guard Pro V1.0.3 
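The wrapping that produces this structure, as an added example that is not Fossa Guard's code: the complete original message becomes a message/rfc822 entity, that entity is what goes into the S/MIME envelope, and the outer message keeps only routing headers (display names stripped) and the placeholder subject. The encryption step is passed in as a callback because a real CMS/S/MIME implementation is out of scope; the sample message, the header parser and the base64 stand-in for encryption are constructed for the illustration.

```javascript
// Added example (not Fossa Guard's code): the message/rfc822 wrapping that
// hides the Subject and display names. The original message becomes the
// payload of the S/MIME envelope; the outer message that mail servers see
// carries only routing headers and a placeholder subject. The encryption step
// itself is passed in as `encryptEntity` (assumed interface).

const CRLF = "\r\n";

// Minimal RFC 5322 header parser for the demonstration (handles folded lines;
// not a full MIME parser). Returns { headers: [{ name, value }], body }.
function parseMessage(raw) {
  const split = raw.indexOf(CRLF + CRLF);
  const head = split === -1 ? raw : raw.slice(0, split);
  const body = split === -1 ? "" : raw.slice(split + 4);
  const headers = [];
  for (const line of head.split(CRLF)) {
    if (/^[ \t]/.test(line) && headers.length) {
      headers[headers.length - 1].value += " " + line.trim(); // unfold continuation
      continue;
    }
    const m = /^([!-9;-~]+):[ \t]*(.*)$/.exec(line);
    if (m) headers.push({ name: m[1], value: m[2] });
  }
  return { headers, body };
}

function getHeader(headers, name) {
  const h = headers.find((x) => x.name.toLowerCase() === name.toLowerCase());
  return h ? h.value : undefined;
}

// "Bob Example <bob@example.com>, alice@example.com" -> "bob@example.com, alice@example.com"
function addressesOnly(value) {
  return value.split(",").map((a) => {
    const m = /<([^>]+)>/.exec(a);
    return (m ? m[1] : a).trim();
  }).join(", ");
}

function wrapHiddenSubject(rawOriginal, encryptEntity, placeholderSubject = "Confidential Email") {
  const { headers } = parseMessage(rawOriginal);
  const from = getHeader(headers, "From");
  const to = getHeader(headers, "To");
  if (!from || !to) throw new Error("original message needs From and To headers");

  // Inner entity: the complete original message (real Subject, display names,
  // body) as a message/rfc822 part. This is what gets encrypted.
  const inner =
    "Content-Type: message/rfc822" + CRLF +
    "Content-Disposition: inline" + CRLF + CRLF +
    rawOriginal;

  // Outer message: only what transport needs. Addresses lose their display
  // names and the Subject is replaced by the placeholder.
  const outerHeaders = [
    ["From", addressesOnly(from)],
    ["To", addressesOnly(to)],
  ];
  const cc = getHeader(headers, "Cc");
  if (cc) outerHeaders.push(["Cc", addressesOnly(cc)]);
  outerHeaders.push(
    ["Date", getHeader(headers, "Date") || new Date().toUTCString()],
    ["Subject", placeholderSubject],
    ["MIME-Version", "1.0"],
    ["Content-Type", 'application/pkcs7-mime; smime-type=enveloped-data; name="smime.p7m"'],
    ["Content-Transfer-Encoding", "base64"],
    ["Content-Disposition", 'attachment; filename="smime.p7m"'],
  );
  const outer = outerHeaders.map(([n, v]) => `${n}: ${v}`).join(CRLF) +
    CRLF + CRLF + encryptEntity(inner);
  return { inner, outer };
}

// Constructed sample input for the demonstration (not a real message).
const SAMPLE_MESSAGE = [
  "From: Alice Example <alice@example.com>",
  "To: Bob Example <bob@example.com>",
  "Subject: Q4 numbers, do not forward",
  "Date: Sun, 27 Dec 2020 10:00:00 +0000",
  "MIME-Version: 1.0",
  "Content-Type: text/plain; charset=utf-8",
  "",
  "Bob, the revenue figures are in the attachment.",
].join(CRLF);

// Stand-in for S/MIME encryption so the example runs offline: it only
// base64-encodes the entity. A real implementation produces CMS EnvelopedData.
const fakeEncrypt = (entity) => Buffer.from(entity, "utf8").toString("base64");

console.log(wrapHiddenSubject(SAMPLE_MESSAGE, fakeEncrypt).outer);
```

This is the header-protection pattern RFC 8551 (S/MIME 4.0) describes in section 3.1: wrap the full message in message/rfc822 and protect the wrapper. Note what the outer message still leaks: sender and recipient addresses, the Date, and the approximate size of the ciphertext.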



Saturday, August 10, 2019

How to run Fossa Guard on Android

This guideline describes how to run the free version of the Fossa Guard extension (V0.4.6+) in the mobile Yandex browser on Android, to enable end-to-end S/MIME encryption on top of Gmail on your phone.

On your Android mobile:
  1. Install and run the Yandex browser.
  2. Navigate to the Chrome Web Store and find the free Fossa Guard extension.
  3. Click 'Add to Chrome' and then 'Add Extension' to install the Fossa Guard extension.
  4. Open the Fossa Guard extension via the Yandex browser 'Extensions' menu.
  5. Switch to portrait mode for convenience (work on the responsive UI is ongoing).
  6. Click 'Login to Extension' to associate your Google account with Fossa Guard; a new tab with Google authentication should appear in the Yandex browser.
  7. Navigate to this tab using the Yandex tabs menu and authenticate to the corresponding Google account (we use fossa.user@gmail.com).
  8. Allow Fossa Guard to use the requested permissions. On success, the Google authentication tab closes automatically.
  9. Navigate back to the Fossa Guard tab to check the settings.
  10. At this point you have two options: import your backed-up personal certificate and key, OR enroll a free personal certificate from the Fossa CA.
  11. Fossa certificate enrollment is based on local key pair generation in your Yandex browser; the private key is never shared. The Certificate Signing Request (CSR) to be signed by the Fossa CA is sent over an HTTPS (TLS) connection. Click 'Enroll Fossa Certificate' to start the flow.
  12. To establish the secured HTTPS session, navigate to 'Fossa.me Server', log in using the same Google account and copy the one-time shared secret.
  13. Paste the shared secret into the Fossa Guard extension and proceed with the enrollment.
  14. Once the signed certificate is received back from the Fossa CA, the extension asks for a strong passphrase to protect your private key (which stays within your browser the whole time).
  15. Your private key is saved, passphrase-protected, in the local Yandex browser storage on your phone and is never sent outside it.
  16. Once enrollment is done you should get an invitation to start secure mailing with Gmail.
  17. Navigate to the mobile web version of Gmail.
  18. Ensure that you are logged into Gmail with the same Google account (we use fossa.user@gmail.com).
  19. You should notice a green button at the top right labelled 'S/MIME'. Click it to compose an S/MIME email.
  20. Type three letters of your recipient's address and you get a list of matching contacts to select from. Fossa Guard automatically checks whether the addressee has a Fossa certificate and indicates it with a green email pill.
  21. Once you have finished composing the S/MIME message, click 'Send S/MIME'; it is sent via the Gmail API and appears in the Sent folder marked with the 'S/MIME' label.
  22. Click the S/MIME-labelled email to check the details: you will see the 'smime.p7m' attachment, which Google's servers cannot read, and a notification from the extension that this email was composed using S/MIME.
  23. Click 'View Content' and you will be asked for the passphrase to unlock your private key (locally, within your current browser session).
  24. Once you provide the correct passphrase, the extension decrypts the message and shows it in a dedicated window.
  25. If the email address of your Gmail account does not match the email address of the Google account associated with the extension, you get a notification to use the same account. This is the identity check Fossa Guard makes to protect access to the private key.