[guardian-dev] Are there security risks in developing OTR addons for web browsers?

Natanael natanael.l at gmail.com
Wed Sep 25 17:32:48 EDT 2013


The general idea is that it's too easy to break crypto on the web.

Attackers can often too easily inject malicious JavaScript, often
disabling any encryption or leaking the private keys, and in
practically all cases leaking the plaintext (the sent messages). As
with the case of fake SSL certs being used against Gmail users, this
is something to take seriously, since these attacks can be 100%
transparent to the user; there's often nothing at all that would seem
suspicious to the user.

If you want to do crypto in a browser addon and want to make sure it's
secure even against powerful attackers, then don't bother trying to
interact with web pages; do it in a separate window or sidebar
where an attacker can't easily mess with your system.

On Wed, Sep 25, 2013 at 11:15 PM, Mohamed Akram Tabka <tabkram at gmail.com> wrote:
>
> Hi all,
> I'm thinking about developing an OTR addon for handling OTR
> discussions on web browsers. Is it really secure?
> Do browser extensions for crypto operations really pose threats to
> users' security?
>
> If it is not recommended to develop crypto addons for browsers please
> tell me.
>
> All the best,
> A.
>
> --
> Mohamed Akram Tabka
> Tech intern at Access | AccessNow.org
> Student at the National School of Computer Sciences
> PGP ID: 0x82000BEF
> PGP Fingerprint: 40DF DB6B D10B 107B 7609 362F 1045 B72D 8200 0BEF

