View Issue Details
ID | Project | Category | View Status | Date Submitted | Last Update
---|---|---|---|---|---
0005276 | Taler | wallet (WebExtension) | public | 2018-02-07 15:05 | 2021-08-24 16:23
Reporter | Florian Dold | Assigned To | Florian Dold | |
Priority | normal | Severity | minor | Reproducibility | have not tried
Status | closed | Resolution | fixed | |
Product Version | git (master) | | | |
Target Version | 0.7.1 | Fixed in Version | 0.8 | |
Summary | 0005276: consider restricting wallet permissions | | | |
Description | In the light of a recent critical security issue in a popular extension [1], I've been thinking about wallet security. And not only about the security of the coins you have, but "will all my passwords and private data be compromised if the Wallet has a serious bug". Currently Chrome/ displays for the wallet "Permissions: Read and change all your data on websites you visit". This is obviously bad, both technically and for user confidence. Our goal should be that it displays "Has no special privileges" (which is probably technically impossible) or "Can read and write your data on https://w.taler.net" (bear with me for the reason for this domain). Then we're completely off the hook with regard to serious exploits; nobody can use the wallet to exploit other websites unless Chrome/FF itself has a serious bug. Even if somebody hacks our Chrome Web Store account and uploads a rogue extension, after the auto-update users will have to approve the new extended permissions of the rogue extension. As a preliminary technical measure, we could restrict the extension [2] to only be able to access URLs of the form `https://*/taler-payment/*`. This makes us relatively safe, but because of Chrome's policy it will still show as "Permissions: Read and change all your data on websites you visit". This would require adjusting some URLs though, so I'm not sure if this intermediary solution is worth it right now. Now there is a better solution though, with only minimal trade-offs (it only affects people who use NoScript): pages can communicate with extensions directly without any special permissions, but to do that they need the extension ID. For many reasons this should not be hard-coded in the merchant, so we need some other way to get the extension ID. This is where https://w.taler.net comes in: this site itself can be blackholed (it wouldn't even matter if it's compromised), but the merchant (or rather JavaScript on a merchant backend page) will use it to get the extension ID to send the message to. When the extension is installed, it will catch the request and send back its ID; if it doesn't exist or is compromised, the worst case is that the "pay" message is sent to another extension that the user already installed. This requires JavaScript on the merchant backend's site that triggers the payment. For NoScript payments, the user would have to trigger the payment manually by opening the popup (with the "activeTab" permission, which still displays as "Has no special privileges"; we can read the current page if the popup is open). But this is a reasonable price to pay for having good security. We lose the ability to do presence detection only when the user has disabled JavaScript, which is IMHO also a reasonable tradeoff. [1] https://bugs.chromium.org/p/project-zero/issues/detail?id=1527&desc=2 [2] https://developer.chrome.com/extensions/match_patterns | | | |
Tags | No tags attached. | | | |
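As an added example (not code from the Taler wallet or from this tracker), the following JavaScript implements the Chrome match-pattern rules referenced in [2] and uses them to compare what a content script declared with `<all_urls>` can reach against one restricted to `https://*/taler-payment/*`. It also classifies a manifest's host access the way a reviewer or the Web Store would read it, so the point made above, that a `*` host still amounts to "all sites", shows up as a concrete check. The manifest fragments and URLs are constructed for the example; `compileMatchPattern`, `injectedOn` and `describeHostAccess` are names chosen here, not wallet APIs.

```javascript
// Added example: evaluate Chrome match patterns against a manifest's
// content_scripts and summarise how broad the resulting host access is.
// Manifests and URLs are constructed; nothing here is Taler wallet code.

const URL_SCHEMES = ["http", "https", "file", "ftp"];

function escapeRegExp(s) {
  return s.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
}

// Compile one match pattern into a predicate over URL strings.
// Malformed patterns throw, so a typo in the manifest fails loudly
// instead of silently matching nothing.
function compileMatchPattern(pattern) {
  if (pattern === "<all_urls>") {
    return (url) => URL_SCHEMES.includes(new URL(url).protocol.slice(0, -1));
  }
  const m = /^(\*|https?|file|ftp):\/\/([^/]*)(\/.*)$/.exec(pattern);
  if (!m) throw new Error(`malformed match pattern: ${pattern}`);
  const [, scheme, host, path] = m;
  // Host is "*", "*.example.org" or a literal host name (empty only for file:).
  if (host !== "*" && host !== "" && !/^(\*\.)?[^*]+$/.test(host)) {
    throw new Error(`invalid host in match pattern: ${pattern}`);
  }
  // In the path, "*" matches any string; everything else is literal.
  const pathRe = new RegExp("^" + path.split("*").map(escapeRegExp).join(".*") + "$");
  return (url) => {
    const u = new URL(url);
    const proto = u.protocol.slice(0, -1);
    const schemeOk = scheme === "*" ? proto === "http" || proto === "https" : proto === scheme;
    if (!schemeOk) return false;
    let hostOk;
    if (host === "*") hostOk = true;
    else if (host.startsWith("*.")) {
      const base = host.slice(2);
      hostOk = u.hostname === base || u.hostname.endsWith("." + base);
    } else hostOk = u.hostname === host;
    // Chrome matches the path pattern against the path plus query string.
    return hostOk && pathRe.test(u.pathname + u.search);
  };
}

function contentScriptPatterns(manifest) {
  return (manifest.content_scripts || []).flatMap((cs) => cs.matches || []);
}

// Would a content script from this manifest be injected into the page at url?
function injectedOn(manifest, url) {
  return contentScriptPatterns(manifest).some((p) => compileMatchPattern(p)(url));
}

// Summarise host access: any pattern whose host is "*" (or <all_urls>)
// still means every site, regardless of how narrow the path is.
function describeHostAccess(manifest) {
  const patterns = contentScriptPatterns(manifest);
  if (patterns.some((p) => p === "<all_urls>" || /^[^:]+:\/\/\*\//.test(p))) {
    return "all sites";
  }
  if (patterns.length === 0) {
    return (manifest.permissions || []).includes("activeTab")
      ? "active tab only"
      : "no host access";
  }
  const hosts = patterns.map((p) => /^[^:]+:\/\/([^/]*)\//.exec(p)[1]);
  return "hosts: " + [...new Set(hosts)].sort().join(", ");
}

// Constructed manifest fragments (not the wallet's real manifest).
const BROAD_MANIFEST = {
  content_scripts: [{ matches: ["<all_urls>"], js: ["content.js"] }],
};
const RESTRICTED_MANIFEST = {
  content_scripts: [{ matches: ["https://*/taler-payment/*"], js: ["content.js"] }],
};
const SITE_MANIFEST = {
  content_scripts: [{ matches: ["https://w.taler.net/*"], js: ["content.js"] }],
};
const ACTIVE_TAB_MANIFEST = { permissions: ["activeTab"], content_scripts: [] };

// Constructed URLs a user might visit with the wallet installed.
const SAMPLE_URLS = [
  "https://shop.example/taler-payment/checkout?order=42",
  "http://shop.example/taler-payment/checkout",
  "https://mail.example/inbox",
];

function auditManifests() {
  const manifests = { BROAD_MANIFEST, RESTRICTED_MANIFEST, SITE_MANIFEST, ACTIVE_TAB_MANIFEST };
  return Object.entries(manifests).map(([name, manifest]) => ({
    name,
    access: describeHostAccess(manifest),
    injectedOn: SAMPLE_URLS.filter((url) => injectedOn(manifest, url)),
  }));
}

console.log(JSON.stringify(auditManifests(), null, 2));
```

The model covers only `content_scripts` match patterns; it does not model `host_permissions`, `externally_connectable` or the optional-permission flow that the later resolution note describes. What it does make visible is that narrowing the path to `/taler-payment/*` changes which pages the script runs on while leaving the host wildcard in place, which is exactly why the permission warning stays the same.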
Instead of a domain, it might make more sense to use an IP address that can't be routed, such as 240.0.0.1

The wallet now can run with reduced permissions. Full permissions can be granted on an opt-in basis. This is according to the resolution (*not* the original proposal) of https://docs.taler.net/design-documents/001-new-browser-integration.html
Date Modified | Username | Field | Change
---|---|---|---
2018-02-07 15:05 | Florian Dold | New Issue |
2018-02-07 15:05 | Florian Dold | Status | new => assigned
2018-02-07 15:05 | Florian Dold | Assigned To | => Florian Dold
2018-09-28 11:10 | Florian Dold | Note Added: 0013257 |
2019-06-27 01:05 | Florian Dold | Target Version | 0.6 => 0.7.1
2020-05-04 16:21 | Florian Dold | Status | assigned => resolved
2020-05-04 16:21 | Florian Dold | Resolution | open => fixed
2020-05-04 16:21 | Florian Dold | Note Added: 0015848 |
2020-07-24 11:56 | Christian Grothoff | Fixed in Version | => 0.8
2021-08-24 16:23 | Christian Grothoff | Status | resolved => closed
2023-04-13 20:37 | Florian Dold | Category | wallet (WebExtensions) => wallet (WebExtension)