View Issue Details

ID: 0005276
Project: Taler
Category: wallet (WebExtensions)
View Status: public
Last Update: 2021-08-24 16:23
Reporter: Florian Dold
Assigned To: Florian Dold
Priority: normal
Severity: minor
Reproducibility: have not tried
Status: closed
Resolution: fixed
Product Version: git (master)
Target Version: 0.7.1
Fixed in Version: 0.8
Summary: 0005276: consider restricting wallet permissions

Description:
In the light of a recent critical security issue in a popular extension [1], I've been thinking about wallet security. And not only about the security of the coins you have, but "will all my passwords and private data be compromised if the Wallet has a serious bug".

Currently Chrome/FF displays for the wallet "Permissions: Read and change all your data on websites you visit". This is obviously bad, both technically and for user confidence.

Our goal should be that it displays "Has no special privileges" (which is probably technically impossible) or "Can read and write your data on" (bear with me for the reason for this domain).

Then we're completely off the hook in regards to serious exploits, nobody can use the wallet to exploit other websites unless Chrome/FF itself has a serious bug.

Even if somebody hacks our Chrome Web Store account and uploads a rogue extension, after the auto-update users will have to approve the new extended permissions of the rogue extension.

As a preliminary technical measure, we could restrict the extension [2] to only be able to access URLs of the form "https://*/taler-payment/*". This makes us relatively safe, but because of Chrome's policy it will still show as "Permissions: Read and change all your data on websites you visit". This would require adjusting some URLs though, so not sure if this intermediary solution is worth it right now.

Now there is a better solution though, with only minimal trade-offs (it only affects people who use NoScript):

Pages can communicate to extensions directly without any special permissions, but to do that they need the extension ID. For many reasons this should not be hard-coded in the merchant, so we need some other way to get the extension ID. This is where comes in, this site itself can be blackholed (it wouldn't even matter if it's compromised), but the merchant (or rather JavaScript on a merchant backend page) will use it to get the extension ID to send the message to. When the extension is installed, it will catch the request and send back its ID, if it doesn't exist or it's compromised, worst case is that the "pay" message is sent to another extension that the user already installed.

This requires JavaScript on the merchant backend's site that triggers the payment. For noscript payments, the user would have to trigger the payment manually by opening the popup (with the "activeTab" permission, which still displays as "Has no special privileges"; we can read the current page if the popup is open). But this is a reasonable price to pay for having good security.

We lose the ability to do presence detection only when the user has disabled JavaScript, which is IMHO also a reasonable tradeoff.

Tags: No tags attached.


Florian Dold (manager), 2018-09-28 11:10, note ~0013257

Instead of a domain, it might make more sense to use an IP address that can't be routed, such as

Florian Dold (manager), 2020-05-04 16:21, note ~0015848

The wallet now can run with reduced permissions. Full permissions can be granted on an opt-in basis.

This is according to the resolution (*not* the original proposal) of
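Added example (not GNU Taler wallet code, and not part of this issue): it re-implements the match-pattern rules that Chrome applies to content_scripts "matches", "permissions" and "optional_permissions" entries, so the restriction proposed in the description ("https://*/taler-payment/*") and the reduced-by-default, opt-in-for-full-access model from the resolution note can be checked offline. The manifest fragment, the sample URLs and the `grantedOptional` list are constructed for illustration; in a real extension the user grants the optional origins through `chrome.permissions.request`. Port matching and the "file://" special cases are deliberately left out.

```javascript
"use strict";

// Escape a literal string for use inside a RegExp (constructed helper).
function escapeRegex(s) {
  return s.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
}

// Compile one Chrome match pattern ("<scheme>://<host><path>" or "<all_urls>")
// into a predicate over absolute URL strings. Scheme "*" means http or https,
// host "*" means any host, host "*.example.org" means example.org and its
// subdomains, and "*" in the path matches any characters (query string included).
function compileMatchPattern(pattern) {
  if (pattern === "<all_urls>") {
    return (u) => /^(https?|ws|wss|ftp|file):/.test(u);
  }
  const m = /^(\*|[a-z][a-z0-9+.-]*):\/\/(\*|(?:\*\.)?[^/*]+)(\/[^\s]*)$/i.exec(pattern);
  if (!m) throw new Error("invalid match pattern: " + pattern);
  const scheme = m[1], host = m[2], path = m[3];
  const schemeRe = scheme === "*" ? "https?" : escapeRegex(scheme.toLowerCase());
  let hostRe;
  if (host === "*") hostRe = "[^/]+";
  else if (host.startsWith("*.")) hostRe = "(?:[^/]+\\.)?" + escapeRegex(host.slice(2).toLowerCase());
  else hostRe = escapeRegex(host.toLowerCase());
  const pathRe = path.split("*").map(escapeRegex).join(".*");
  const re = new RegExp("^" + schemeRe + "://" + hostRe + pathRe + "$");
  return (u) => {
    let parsed;
    try { parsed = new URL(u); } catch (e) { return false; }
    // Compare scheme, hostname (port ignored) and path+query, as Chrome does.
    const canonical = parsed.protocol.slice(0, -1) + "://" + parsed.hostname +
      parsed.pathname + parsed.search;
    return re.test(canonical);
  };
}

// Constructed manifest fragment in the shape the issue argues for: only activeTab
// and storage by default, the payment-page pattern as the only content-script
// scope, and broad host access declared as an optional permission only.
const manifest = {
  manifest_version: 2,
  name: "example wallet (constructed)",
  permissions: ["activeTab", "storage"],
  optional_permissions: ["<all_urls>"],
  content_scripts: [{ matches: ["https://*/taler-payment/*"], js: ["content.js"] }],
};

// Host patterns the extension can act on right now: static content-script scopes,
// host patterns in "permissions", plus optional origins the user has granted.
// Anything "granted" that was never declared in optional_permissions is ignored,
// which is what the browser would do as well.
function activeHostPatterns(man, grantedOptional) {
  grantedOptional = grantedOptional || [];
  const isHostPattern = (p) => p === "<all_urls>" || p.indexOf("://") !== -1;
  let patterns = (man.content_scripts || []).reduce((acc, cs) => acc.concat(cs.matches), []);
  patterns = patterns.concat((man.permissions || []).filter(isHostPattern));
  const declared = new Set((man.optional_permissions || []).filter(isHostPattern));
  patterns = patterns.concat(grantedOptional.filter((p) => declared.has(p)));
  return Array.from(new Set(patterns));
}

// Can the extension read/modify this page, given what has been granted so far?
function canAccess(man, url, grantedOptional) {
  return activeHostPatterns(man, grantedOptional).some((p) => compileMatchPattern(p)(url));
}

// Map each sample URL to whether the extension could touch it.
function accessReport(man, urls, grantedOptional) {
  const out = {};
  for (const u of urls) out[u] = canAccess(man, u, grantedOptional);
  return out;
}

// Constructed sample URLs: a payment page, the same page over plain http,
// an unrelated page on the merchant, and a page the wallet has no business on.
const sampleUrls = [
  "https://shop.example/taler-payment/order/42",
  "http://shop.example/taler-payment/order/42",
  "https://shop.example/checkout",
  "https://mail.example/inbox",
];

console.log("default install:", accessReport(manifest, sampleUrls));
console.log("after opting in to <all_urls>:", accessReport(manifest, sampleUrls, ["<all_urls>"]));
```

With the default manifest only the first sample URL is reachable; everything else, including the mail page, becomes reachable only after the user explicitly grants `<all_urls>`, which is the split between the default and the opt-in mode the resolution note describes. Note that Chrome's install-time warning text is computed from the declared patterns, not from this matcher, so a pattern such as "https://*/taler-payment/*" still triggers the "all your data on websites you visit" wording the description complains about.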

Issue History

Date Modified Username Field Change
2018-02-07 15:05 Florian Dold New Issue
2018-02-07 15:05 Florian Dold Status new => assigned
2018-02-07 15:05 Florian Dold Assigned To => Florian Dold
2018-09-28 11:10 Florian Dold Note Added: 0013257
2019-06-27 01:05 Florian Dold Target Version 0.6 => 0.7.1
2020-05-04 16:21 Florian Dold Status assigned => resolved
2020-05-04 16:21 Florian Dold Resolution open => fixed
2020-05-04 16:21 Florian Dold Note Added: 0015848
2020-07-24 11:56 Christian Grothoff Fixed in Version => 0.8
2021-08-24 16:23 Christian Grothoff Status resolved => closed