[liberationtech] Standalone JS apps vs. browser extensions, which is better?

Sat Aug 24 14:32:04 PDT 2013

Hello Francisco:

We have the same dilemma in our online decision-taking software (Agora
voting). Browser extensions are more secure by being more static i.e.
the code is not loaded visiting a website. In general, this is a
problem of trust. If you're doing client-side encryption you have
multiple ways of doing it:

1. You could trust the website code, but it might get hacked or the
government might send a request to them, or they might do a
man-in-the-middle attack, etc. Please read the story of Hushmail!! [1]
2. You could create a site-specific browser extension as you propose.
This way, at least it gets more difficult to hack the system, as it
would require a new version of the browser extension.
3. You could create a more generic browser extension that adds support
for general encryption techniques and try to standarise it so that
browsers ship this. The idea is not to have to trust the website at
all, just your webbrowser.

I explored a bit case 3 in my final career project in the university
and here is a post about it
https://edulix.wordpress.com/2012/01/08/the-server-in-the-middle-problem-and-solution/

Regards,
--
[1] https://en.wikipedia.org/wiki/Hushmail#Compromises_to_email_privacy

On Sat, Aug 24, 2013 at 11:13 PM, Francisco Ruiz <ruiz at iit.edu> wrote:
> My encryption app, PassLok, is currently in the shape of a standalone,
> static web page with two text boxes where users copy and paste plain or
> encrypted messages. I am considering the possibility of making a browser
> extension version out of it, probably along the lines of myMail-crypt or
> Mailvelope for Chrome, to provide a tighter integration with email programs
> (or at least with Gmail, which is very popular these days).
>
> But let me frame this as a general issue, since I am sure there are other
> developers who are wondering if browser extensions are the way to go. They
> tend to make things easier for the user, but at some cost. I’d like to know
> more exactly what is the trade-off.
>
> There is a lot going for making an extension that ties with a web mail
> service. For instance:
>
> 1.      1. Users would be able to store their contacts’ public keys within
> the app, so the extension would fetch them automatically once recipients’
> emails are typed.
>
> 2.      2. Extensions, I am told, can be better protected from tampering by
> an enemy than a simple web page, even if that page travels by TLS/SSL.
>
> On the other hand:
>
> 1.      1. Users would be forced to trust me, the developer, concerning the
> security of the extension, while right now they can look at the code and
> decide for themselves if they want to use it.
>
> 2.      2. The extension could be broken by Google changing things in Chrome
> or Gmail, which would force me to be constantly updating it.
>
> 3.      3. In the examples I mentioned above, public keys are stored locally
> in the computer, which would break the principle of perfect portability that
> PassLok is based on. This would not be so much of a problem if the keys
> could be stored in the Cloud, but I haven’t seen an example that does it
> satisfactorily.
>
> 4.     4.  There’s also the issue that Google does no longer have a clean
> nose concerning cooperation with spy agencies (with or without judicial
> warrants), so they could change my code and weaken the extension without my
> knowledge.
>
> 5.      5. Browser extensions don’t yet run on mobile devices, again against
> one of PassLok’s design principles.
>
> What do you think? Given the state of affairs these days, with some secure
> mail services compromised and others shutting down because of the threat of
> government interference, is it still worthwhile to invest the effort in
> developing an extension in order to streamline user experience?
>
> Thanks!
>
> --
> Francisco Ruiz
> Associate Professor
> MMAE department
> Illinois Institute of Technology
>
> PL13lok=WsH3zTgZn8V3hnIqjdbfPus+5YF5n+LBRPuH9USMMp8izPv+hsLoZKv+jaCFMapJFfiA11Q9yJU1K1Wo0TbjXK/=PL13lok
>
> get the PassLok privacy app at: http://passlok.com
>
> --
> Liberationtech is a public list whose archives are searchable on Google.
> Violations of list guidelines will get you moderated:
> https://mailman.stanford.edu/mailman/listinfo/liberationtech. Unsubscribe,
> change to digest, or change password by emailing moderator at
> companys at stanford.edu.

-- 
Eduardo Robles Elvira     +34 668 824 393            skype: edulix2
http://www.wadobo.com    it's not magic, it's wadobo!