2018-12-17 05:32 CET

ID: 0005276
Project: Taler
Category: wallet (WebExtensions)
View Status: public
Last Update: 2018-09-28 11:10
Reporter: Florian Dold
Assigned To: Florian Dold
Priority: normal
Severity: minor
Reproducibility: have not tried
Status: assigned
Resolution: open
Product Version: SVN HEAD
Target Version: 0.6
Fixed in Version:
Summary: 0005276: consider restricting wallet permissions

Description:

In the light of a recent critical security issue in a popular extension [1], I've been thinking about wallet security. And not only about the security of the coins you have, but "will all my passwords and private data be compromised if the Wallet has a serious bug".

Currently Chrome/ displays for the wallet "Permissions: Read and change all your data on websites you visit". This is obviously bad, both technically and for user confidence.

Our goal should be that it displays "Has no special privileges" (which is probably technically impossible) or "Can read and write your data on https://w.taler.net" (bear with me for the reason for this domain).

Then we're completely off the hook in regards to serious exploits, nobody can use the wallet to exploit other websites unless Chrome/FF itself has a serious bug.

Even if somebody hacks our Chrome Web Store account and uploads a rogue extension, after the auto-update users will have to approve the new extended permissions of the rogue extension.

As a preliminary technical measure, we could restrict the extension [2] to only be able to access URLs of the form "https://*/taler-payment/*". This makes us relatively safe, but because of Chrome's policy it will still show as "Permissions: Read and change all your data on websites you visit". This would require adjusting some URLs though, so not sure if this intermediary solution is worth it right now.

Now there is a better solution though, with only minimal trade-offs (it only affects people who use NoScript):

Pages can communicate to extensions directly without any special permissions, but to do that they need the extension ID. For many reasons this should not be hard-coded in the merchant, so we need some other way to get the extension ID. This is where https://w.taler.net comes in: this site itself can be blackholed (it wouldn't even matter if it's compromised), but the merchant (or rather JavaScript on a merchant backend page) will use it to get the extension ID to send the message to. When the extension is installed, it will catch the request and send back its ID; if it doesn't exist or it's compromised, the worst case is that the "pay" message is sent to another extension that the user already installed.

This requires JavaScript on the merchant backend's site that triggers the payment. For noscript payments, the user would have to trigger the payment manually by opening the popup (with the "activeTab" permission, which still displays as "Has no special privileges"; we can read the current page if the popup is open). But this is a reasonable price to pay for having good security.

We lose the ability to do presence detection only when the user has disabled JavaScript, which is IMHO also a reasonable tradeoff.

[1] https://bugs.chromium.org/p/project-zero/issues/detail?id=1527&desc=2
[2] https://developer.chrome.com/extensions/match_patterns
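To make the permission question above checkable, here is an added example (not code from the Taler wallet) that audits a WebExtension manifest for host access Chrome presents as "Read and change all your data on websites you visit": any match pattern whose host part is "*", which is why the intermediate https://*/taler-payment/* idea does not change the warning. The sample manifests, the content script names and the use of externally_connectable for the "message the extension by ID" mechanism are my assumptions.

```javascript
// Added example, not code from the Taler wallet: audit a WebExtension manifest
// for host access that Chrome renders as "Read and change all your data on
// websites you visit". Any match pattern whose host part is "*" triggers it,
// so a path restriction like https://*/taler-payment/* does not help.
// Parse a Chrome match pattern (scheme://host/path, see [2] in the issue).
// Returns null for strings that are not match patterns, e.g. API permissions
// such as "storage" or "activeTab", or malformed patterns without a path.
function parseMatchPattern(pattern) {
  if (pattern === "<all_urls>") return { scheme: "*", host: "*", path: "/*" };
  const m = /^(\*|https?|file|ftp):\/\/(\*|\*\.[^\/*]+|[^\/*]+)?(\/.*)$/.exec(pattern);
  if (!m) return null;
  return { scheme: m[1], host: m[2] || "", path: m[3] };
}

// True when the permission grants access to every host.
function grantsAllHosts(permission) {
  const p = parseMatchPattern(permission);
  return p !== null && p.host === "*";
}

// Collect host access from "permissions" (MV2), "host_permissions" (MV3) and
// content script "matches", then return the entries that cover all hosts.
function auditManifest(manifest) {
  const declared = [
    ...(manifest.permissions || []),
    ...(manifest.host_permissions || []),
    ...(manifest.content_scripts || []).flatMap((cs) => cs.matches || []),
  ];
  return declared.filter(grantsAllHosts);
}

// Constructed sample manifests (hypothetical, not the wallet's real manifest).
// Before: a content script on every page plus the intermediate path-only
// restriction from the issue; both still produce the all-websites warning.
const manifestBefore = {
  permissions: ["storage", "https://*/taler-payment/*"],
  content_scripts: [{ matches: ["<all_urls>"], js: ["content.js"] }],
};
// After: host access limited to w.taler.net, where a content script can hand
// the extension ID to the page; merchant-side code then messages the extension
// by ID through externally_connectable (my reading of the mechanism described
// in the issue), and activeTab covers the manual popup case.
const manifestAfter = {
  permissions: ["storage", "activeTab"],
  content_scripts: [{ matches: ["https://w.taler.net/*"], js: ["id.js"] }],
  externally_connectable: { matches: ["https://w.taler.net/*"] },
};
console.log(auditManifest(manifestBefore)); // ["https://*/taler-payment/*", "<all_urls>"]
console.log(auditManifest(manifestAfter));  // []
```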
Tags: No tags attached.
Attached Files

Notes

~0013257
Florian Dold (manager)

Instead of a domain, it might make more sense to use an IP address that can't be routed, such as 240.0.0.1

Issue History
Date Modified | Username | Field | Change
2018-02-07 15:05 Florian Dold New Issue
2018-02-07 15:05 Florian Dold Status new => assigned
2018-02-07 15:05 Florian Dold Assigned To => Florian Dold
2018-09-28 11:10 Florian Dold Note Added: 0013257