View Issue Details
| ID | Project | Category | View Status | Date Submitted | Last Update |
|---|---|---|---|---|---|
| 0005276 | Taler | wallet (WebExtensions) | public | 2018-02-07 15:05 | 2021-08-24 16:23 |
| Field | Value |
|---|---|
| Reporter | Florian Dold |
| Assigned To | Florian Dold |
| Priority | normal |
| Severity | minor |
| Reproducibility | have not tried |
| Product Version | git (master) |
| Target Version | 0.7.1 |
| Fixed in Version | 0.8 |
| Summary | 0005276: consider restricting wallet permissions |
Description:

In the light of a recent critical security issue in a popular extension, I've been thinking about wallet security. And not only about the security of the coins you have, but "will all my passwords and private data be compromised if the Wallet has a serious bug".

Currently Chrome/ displays for the wallet "Permissions: Read and change all your data on websites you visit". This is obviously bad, both technically and for user confidence.

Our goal should be that it displays "Has no special privileges" (which is probably technically impossible) or "Can read and write your data on https://w.taler.net" (bear with me for the reason for this domain).

Then we're completely off the hook in regards to serious exploits: nobody can use the wallet to exploit other websites unless Chrome/FF itself has a serious bug.

Even if somebody hacks our Chrome Web Store account and uploads a rogue extension, after the auto-update users will have to approve the new extended permissions of the rogue extension.

As a preliminary technical measure, we could restrict the extension to only be able to access URLs of the form "https://*/taler-payment/*". This makes us relatively safe, but because of Chrome's policy it will still show as "Permissions: Read and change all your data on websites you visit". This would require adjusting some URLs though, so not sure if this intermediary solution is worth it right now.

Now there is a better solution though, with only minimal trade-offs (it only affects people who use NoScript):
Tags: No tags attached.

Note 0013257 (2018-09-28 11:10, Florian Dold):

Instead of a domain, it might make more sense to use an IP address that can't be routed, such as 240.0.0.1

Note 0015848 (2020-05-04 16:21, Florian Dold):

The wallet now can run with reduced permissions. Full permissions can be granted on an opt-in basis.

This is according to the resolution (*not* the original proposal) of https://docs.taler.net/design-documents/001-new-browser-integration.html
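The two points made in this issue, that a path-restricted match pattern such as "https://*/taler-payment/*" still triggers Chrome's "all websites you visit" warning because the warning is derived from the host part alone, and that site access is better granted on an opt-in basis, are illustrated by the added example below. It is not code from the Taler wallet or its design document: the two manifest objects are constructed for the example, the audit helper is hypothetical, and `requestSiteAccess` takes the browser's `permissions` API object as a parameter so it can be exercised with a stub outside a browser.

```javascript
// Added example (not Taler wallet code): two constructed manifest.json
// objects and a small audit helper that ranks host permissions the way
// Chrome's install-time warning does, by host only, ignoring the path.

// Constructed "before" manifest: read/write access to every site at install.
const MANIFEST_BROAD = {
  manifest_version: 2,
  name: "wallet-example",
  version: "0.0.1",
  permissions: ["storage", "<all_urls>"],
};

// Constructed "after" manifest: no host access at install time; site access
// is listed as optional and requested later only if the user opts in.
const MANIFEST_RESTRICTED = {
  manifest_version: 2,
  name: "wallet-example",
  version: "0.0.1",
  permissions: ["storage"],
  optional_permissions: ["https://*/*"],
};

// Classify one permission string by the breadth of host it grants.
// A match pattern is <scheme>://<host>/<path>; only the host part decides
// the warning, so "https://*/taler-payment/*" still means "all sites".
function hostScope(perm) {
  if (perm === "<all_urls>") return "all-sites";
  const m = /^(\*|https?|wss?|ftp|file):\/\/([^/]*)(\/.*)?$/.exec(perm);
  if (!m) return "api"; // "storage", "tabs", ... are API permissions, not hosts
  const host = m[2];
  if (host === "*") return "all-sites";
  if (host.startsWith("*.")) return "domain-wide";
  return "single-host";
}

// Summarise what a manifest grants at install time versus on demand.
function auditManifest(manifest) {
  const rank = (list) => (list || []).map(hostScope);
  const installTime = rank(manifest.permissions);
  const optional = rank(manifest.optional_permissions);
  return {
    warnsAllSitesAtInstall: installTime.includes("all-sites"),
    installTimeHosts: installTime.filter((s) => s !== "api"),
    optionalHosts: optional.filter((s) => s !== "api"),
  };
}

// Opt-in flow. `permissionsApi` stands in for browser.permissions (Firefox)
// or chrome.permissions; it is injected so the function runs outside a
// browser. Resolves to true only if access is already held or the user
// accepts the prompt; the caller must gate site access on that result.
async function requestSiteAccess(permissionsApi, origins) {
  const already = await permissionsApi.contains({ origins });
  if (already) return true;
  return permissionsApi.request({ origins });
}

module.exports = { MANIFEST_BROAD, MANIFEST_RESTRICTED, hostScope, auditManifest, requestSiteAccess };
```

Running `auditManifest` over both objects shows the difference the issue is after: the broad manifest reports `warnsAllSitesAtInstall: true`, the restricted one reports `false` with the site pattern listed only under `optionalHosts`. Note that `hostScope("https://*/taler-payment/*")` still returns `"all-sites"`, which is exactly why the path-based intermediary measure does not change the warning text.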
| Date Modified | Username | Field | Change |
|---|---|---|---|
| 2018-02-07 15:05 | Florian Dold | New Issue | |
| 2018-02-07 15:05 | Florian Dold | Status | new => assigned |
| 2018-02-07 15:05 | Florian Dold | Assigned To | => Florian Dold |
| 2018-09-28 11:10 | Florian Dold | Note Added: 0013257 | |
| 2019-06-27 01:05 | Florian Dold | Target Version | 0.6 => 0.7.1 |
| 2020-05-04 16:21 | Florian Dold | Status | assigned => resolved |
| 2020-05-04 16:21 | Florian Dold | Resolution | open => fixed |
| 2020-05-04 16:21 | Florian Dold | Note Added: 0015848 | |
| 2020-07-24 11:56 | Christian Grothoff | Fixed in Version | => 0.8 |
| 2021-08-24 16:23 | Christian Grothoff | Status | resolved => closed |