[liberationtech] OTRon: Chrome extension for end-to-end FB chat encryption

Omar Rizwan omar.rizwan at gmail.com
Wed Jan 29 02:13:01 PST 2014


Yeah. To be precise, there isn't any evidence that they record the
*text* of such aborted posts, but they certainly record the behavior,
and they could easily record the text as well.

This extension injects an iframe on a different origin and does I/O in
that (+ some anti-phishing tokens), so I think it should be safe
against compromise by Facebook JS. Nadim has said that there's still a
danger here, though, so I'll wait for him to detail that attack before
pronouncing anything definitive.

On Wed, Jan 29, 2014 at 1:26 AM, Jens Christian Hillerup
<jens at hillerup.net> wrote:
> On Tue, Jan 28, 2014 at 10:43 PM, Omar Rizwan <omar.rizwan at gmail.com> wrote:
>>
>> Haven't spread it widely yet or made it easy to install, I'm looking
>> for feedback both on how well it works (it needs some more testing and
>> does have some functionality bugs -- you may be blocked from FB chat
>> for a few minutes if it goes wrong!), how easy it is to use, and on
>> the general approach.
>
>
> Disclaimer: I haven't read the source, tried the extension or otherwise
> gotten to know about this tool other than reading OP.
>
> The reason I'm writing anyway is that this is important to know generally.
> Facebook records the text in text fields even before they're submitted [1].
> Therefore, if this tool relies on Facebook's own text fields (or anything
> within the DOM, really), they can completely circumvent this OTR
> implementation. The right way to do this would be to spawn something out of
> the reach of Facebook JS. That means spawning a separate chat window in the
> context of the extension, or using window.prompt in either context (the
> contents of a window.prompt cannot be read before the OK button is pressed).
>
> JC
>
> [1]
> http://www.slate.com/articles/technology/future_tense/2013/12/facebook_self_censorship_what_happens_to_the_posts_you_don_t_publish.html
>
> --
> Liberationtech is public & archives are searchable on Google. Violations of
> list guidelines will get you moderated:
> https://mailman.stanford.edu/mailman/listinfo/liberationtech. Unsubscribe,
> change to digest, or change password by emailing moderator at
> companys at stanford.edu.
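
The isolation approach discussed in this thread (message I/O inside a frame on a different origin from the Facebook page) depends on what crosses the frame boundary. The sketch below is an added example, not part of the original messages and not OTRon's code: it shows the frame side of such a boundary, where inbound messages are checked by origin, source window and type, and only the sealed form of outbound text is posted to the parent. The names `createFrameSide`, `standInSession`, the message types and the host origin value are assumptions, and the stand-in session is an encoding, not encryption.

```javascript
// Added illustration, not OTRon's code; every name here is hypothetical.
const HOST_ORIGIN = 'https://www.facebook.com'; // assumed embedding page
const INBOUND_TYPES = new Set(['ciphertext-in']);

// Stand-in for the OTR session held inside the frame. This is an encoding,
// NOT encryption; a real frame would call its OTR library here.
const standInSession = {
  seal: (plain) => 'sealed:' + btoa(encodeURIComponent(plain)),
  open: (wire) => decodeURIComponent(atob(wire.slice('sealed:'.length))),
};

function createFrameSide(session, parentWindow) {
  const transcript = []; // plaintext lives only in the frame's own origin

  // Inbound: require the host page's origin, its window, and a known type.
  function onMessage(event) {
    const msg = event.data;
    if (event.origin !== HOST_ORIGIN || event.source !== parentWindow) return false;
    if (!msg || !INBOUND_TYPES.has(msg.type) || typeof msg.body !== 'string') return false;
    try {
      transcript.push({ from: 'peer', text: session.open(msg.body) });
      return true;
    } catch (err) {
      return false; // malformed payload: drop it, show nothing
    }
  }

  // Outbound: only the sealed form crosses the boundary, and targetOrigin is
  // pinned so a parent that navigated elsewhere receives nothing.
  function send(plaintext) {
    const body = session.seal(plaintext);
    transcript.push({ from: 'me', text: plaintext });
    parentWindow.postMessage({ type: 'ciphertext-out', body }, HOST_ORIGIN);
    return body;
  }

  return { onMessage, send, transcript };
}
```

In a browser the frame would register `onMessage` with `window.addEventListener('message', ...)` and pass `window.parent` as `parentWindow`.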


