Geek Answers Handbook

Chrome host protection

I am developing an application using Chrome's built-in email that starts through the Chrome extension.

My question is: how can I guarantee that the host application is really delivered equally by me?

I need to ensure the authenticity of the application caused by the extension. How can I get it if I donโ€™t have permission to read the registry or verify that something has been changed?

+5
source share
3 answers

This is a great question, and I think the answer is "unfortunately you cannot."

It would be interesting to implement some kind of cryptographic hash like the ones Chrome uses to check extension files, but this is not a very strong guarantee.

Consider (all this is hypothetical):

  • You can easily save the registry entry / manifest in this way, but what about the file itself?
  • Suppose you attach a hash of an executable file, then it becomes painful to update it (you will also have to update the extension in synchronization too). It can be resolved using some kind of public key signature, but instead of a hash.
  • Suppose you write an executable file in a manifest. How is its data files? More importantly, what about the libraries that the native application uses?

Protecting your Chrome extension / application is easy because the only "library" / runtime you rely on is Chrome itself (and you trust that). Your own application can depend on many, many things in the system (for example, the already mentioned libraries), how do you track?

Anyway, this seems interesting for a brainstorming session. Check out Chrome's error tracker , if there is something similar, if not, try raising a feature request. Perhaps try the chrome-related mailing list to ask the developers.

+2
source

I understand that this is an older post, but I thought it was worth exchanging the official response of the Chromium team to the error I filed: https://bugs.chromium.org/p/chromium/issues/detail?id=514936

An attacker who can modify the registry or FS on a user computer can also modify the chrome binary, and therefore any type of check implemented in chrome can be disabled by such an attacker by controlling the chrome code. For this reason, chrome must trust FS (and everything that comes from the local machine).

+1
source

If I understood the question correctly, the solution could be

  • Register your executable file on your server during installation along with the signature of the executable file and save your register number inside the executable file and server
  • In each request (postMessage) from the extension, send the token additionally that was provided by your server.
  • Ask the server for the next token to send a response to the extension, passing the token from the extension along with your registry number
  • The server will respond with a token if you are a registered user
  • Encrypt it with the registry number and send it to the extension along with the token from the extension
  • the extension holderโ€™s browser will ask the server for a good answer
  • Using the extension token, the server identifies the executable registry number and decrypts the executable token and checks what was created by us (the server) for the extension token
  • After the server is confirmed, the browser will consider it as an answer

To be important, your registry number must be safe, and the client machine will not be able to extract it from the executable file (using a proper signature may be achievable)

As Chrome stopped supporting Applet, I implemented the same for smart cards in Chrome

The only through hole: the client computer can track every request sent with some tools

If you can make your executable communication with your server secure using some httpOnly Cookie (the client machine cannot read) or a password mechanism, this is most likely a secure solution that you can achieve

0
source

More articles:


All Articles