
Use Google Safe Browsing API for recipient domains check #5357

Open
frerghost opened this issue Aug 12, 2023 · 16 comments
Comments


frerghost commented Aug 12, 2023

Google Workspace (went through troubleshooting to determine it was FlowCrypt extension), Chrome is up to date:
Version 115.0.5790.171 (Official Build) (64-bit),

When I send an email to a specific address: xcxxxxxx EMAIL ADDRESS NOT ALLOWED TO PUT HERE THAT CAUSES THE PROBLEM it removes me from Chrome and slams me into a Dangerous Notice page. Specifically, I can do NOTHING once I click anything like Subject Line, Body, etc. without being removed from Google Workspace Gmail and sent to the below screen. No similar issue with Gmail, Outlook, Proton etc. Happens on Windows or Ubuntu.

Love the product, but this is an issue. As background, the person has no website, never has, and his email is ported through paid Yahoo Turbify.

Never seen this action happen in the 12+ years I have used Google. The scary thing here is that it allows the hijacking of Google Workspace to send to that page and that is something to look at! That is a level of command and control that needs to be addressed and new permission notices issued.

Thank you!

Updates to some portions that were "emotional" language. ;) I also advised the party to contact their IT folks as well as removed the above video as it has email info in it. Thanks again for all your hard work!

github-actions (bot) commented:

There was 1 email address found in the above comment. Please:

  1. Click three dots -> edit to remove the email addresses.
  2. Click edited in the comment header, and click on the previous revision of the comment.
  3. When viewing the old revision with an email in it, click options -> delete this revision from history.

frerghost changed the title from "Complete Lockout From Google Workspace" to "Complete Removal From Google Workspace" on Aug 12, 2023

martgil (Collaborator) commented Aug 14, 2023

Hello,

Thanks for reporting this to us.

I've visited https://fivestarpropertymgmt.com and this alone is sufficient to trigger Google's deceptive site warning.

[screenshot of the warning]

Clicking the 'Details' button and proceeding to visit https://fivestarpropertymgmt.com shows just the following site:

[screenshot of the site]

In the case where it is triggered when the FlowCrypt browser extension is installed and a regular email is being composed to, for example, test @ fivestarpropertymgmt.com (without spaces), the FlowCrypt browser extension tries to look up a public key via an AJAX request to openpgpkey.fivestarpropertymgmt.com, and that request is being blocked by the Google browser. Just a side note: at this point no request has been made yet, until the user proceeds further by clicking 'Details' -> 'visit this unsafe site'. Keep in mind that this won't actually redirect the user to the site; it just lets the AJAX request be made.

Example: (clicking run will show the Google warning replicating the scenario shown in the video above) https://jsfiddle.net/w650egqt/

Let's hear some feedback from our team members. @tomholub @sosnovsky An AJAX request at openpgpkey.domain.com seemed to be called when the FlowCrypt browser extension is installed while a user is composing a regular Gmail email.


sosnovsky (Collaborator) commented:

Hi @frerghost,

thanks for letting us know about this issue!

It happens because the FlowCrypt browser extension checks whether the recipients of your message have encryption enabled.
The check is done by sending a request to openpgpkey.RECIPIENT_DOMAIN, and if the recipient's public key is available, the compose box shows a "Your recipients seem to have encryption set up" notification with a link to secure compose:

[screenshot of the notification]

And as domain of your recipient is marked as unsafe by Chrome, it shows full-page warning like when you open this website.

To fix this issue we'll need to add a check for the safety of recipient domains and try to fetch public keys only from safe domains.
I'll plan this functionality in our current milestone. Thanks again for reporting!

sosnovsky added this to the 8.5.1 milestone on Aug 14, 2023
sosnovsky (Collaborator) commented:

Seems like we can use Google Safe Browsing Lookup API - https://developers.google.com/safe-browsing/v4/lookup-api

sosnovsky changed the title from "Complete Removal From Google Workspace" to "Use Google Safe Browsing API for recipient domains check" on Aug 14, 2023
frerghost (Author) commented:

Appreciate it and have a great day! Love the product and soooo appreciative of your work!

sosnovsky modified the milestones: 8.5.1, 8.5.2 on Sep 30, 2023
ioanmo226 (Collaborator) commented Oct 3, 2023

Hey, @sosnovsky, which API key should we use?
Generating an API key and sticking it in the frontend doesn't seem smart to me.
If we put it in our backend and create our own API, we need to submit the domain to our API and retrieve the threatMatches result.
I think making our own backend API makes sense, as we only need to submit the domain (no sensitive info) to the API and retrieve the threatMatches result.

What's your take on this?

The request header includes the request URL and the content type. Remember to substitute your API key for API_KEY in the URL.
POST https://safebrowsing.googleapis.com/v4/threatMatches:find?key=API_KEY HTTP/1.1
Content-Type: application/json
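Added example (not FlowCrypt's code): the gating logic sketched in this thread, written so the threatMatches:find request body and the decision are pure functions and the network call is injectable. The request and response shapes follow the v4 Lookup API documentation linked above; SAFE_BROWSING_ENDPOINT, candidateUrls, decideWkdLookup, checkRecipientDomain and the clientId/clientVersion values are assumed names and placeholders.

```javascript
// Added example, not FlowCrypt code. Gate the openpgpkey.<domain> key lookup on a
// Google Safe Browsing Lookup API v4 threatMatches:find result.
const SAFE_BROWSING_ENDPOINT = 'https://safebrowsing.googleapis.com/v4/threatMatches:find';

// URLs the extension would touch for a recipient at this domain: the WKD host and the bare domain.
function candidateUrls(domain) {
  const d = domain.trim().toLowerCase();
  if (!/^[a-z0-9.-]+$/.test(d)) throw new Error(`invalid domain: ${domain}`);
  return [`https://openpgpkey.${d}/`, `https://${d}/`];
}

// Request body in the shape the v4 Lookup API documents (clientId/clientVersion are placeholders).
function buildThreatMatchesRequest(domain) {
  return {
    client: { clientId: 'example-client', clientVersion: '0.0.0' },
    threatInfo: {
      threatTypes: ['MALWARE', 'SOCIAL_ENGINEERING', 'UNWANTED_SOFTWARE'],
      platformTypes: ['ANY_PLATFORM'],
      threatEntryTypes: ['URL'],
      threatEntries: candidateUrls(domain).map((url) => ({ url })),
    },
  };
}

// Decide whether the WKD lookup may proceed. The API answers {} when nothing matched and
// {matches: [...]} otherwise. A missing body (network error, non-2xx) is treated as unknown
// and the automated lookup is skipped, so a failed check never re-enables the request.
function decideWkdLookup(domain, responseBody) {
  candidateUrls(domain); // validate the domain before trusting any verdict for it
  if (!responseBody || typeof responseBody !== 'object') {
    return { proceed: false, reason: 'lookup-unavailable', threats: [] };
  }
  const matches = Array.isArray(responseBody.matches) ? responseBody.matches : [];
  const threats = matches.map((m) => m.threatType).filter(Boolean);
  if (threats.length) return { proceed: false, reason: 'flagged', threats };
  return { proceed: true, reason: 'clean', threats: [] };
}

// Network wrapper; apiKey and fetchImpl are injected so the logic above stays testable offline.
async function checkRecipientDomain(domain, apiKey, fetchImpl = globalThis.fetch) {
  let body;
  try {
    const res = await fetchImpl(`${SAFE_BROWSING_ENDPOINT}?key=${encodeURIComponent(apiKey)}`, {
      method: 'POST',
      headers: { 'Content-Type': 'application/json' },
      body: JSON.stringify(buildThreatMatchesRequest(domain)),
    });
    body = res.ok ? await res.json() : undefined;
  } catch (e) { body = undefined; }
  return decideWkdLookup(domain, body);
}
```

Where the key lives (client, restricted key, or backend proxy) is the thread's open question; the wrapper only shows the call shape, and the decision function is what a backend proxy would also return.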

sosnovsky (Collaborator) commented:

Google allows restricting API key usage to specific websites; maybe it's possible to create a key that is limited to use only in the FlowCrypt extension? Then we can include it in the extension code.

ioanmo226 (Collaborator) commented:

Didn't know it. That sounds good though!

ioanmo226 (Collaborator) commented:

@sosnovsky I finished checking, and it seems possible to restrict the key to a specific browser extension only.
Could you generate an API key (limited to the browser extension only) and provide it?
Or should @tomholub have a look at it?

sosnovsky (Collaborator) commented:

I think we have a FlowCrypt project configured in the Google Developer console, and the API key should be generated there, but unfortunately I don't have access to it.

Can you please generate a temporary API key for development for now? Before merging we'll replace it with the correct FlowCrypt API key.

@tomholub what would be the better way to generate a FlowCrypt API key from the Google Developer console for use with the Google Safe Browsing API? You can do it, or maybe you can give me access to the FlowCrypt project there and I'll generate a key and share it with Ioan?

ioanmo226 (Collaborator) commented:

Sounds good

frerghost (Author) commented:

Thank you folks for working so hard and keeping encryption safe!

tomholub (Collaborator) commented Oct 20, 2023

Roma, could you please share some reference that shows it's okay to keep the API key exposed in the client?

Also cc @martgil

sosnovsky (Collaborator) commented:

I tested limiting the API key to a specific extension only, but it looks like that's not possible: we can only limit it to some URL (https://mail.google.com in our case). So someone could copy the API key and use it in another extension on mail.google.com (however, this API key would be limited to the Safe Browsing API only).

I'll try to find some other way of detecting dangerous websites before performing the openpgpkey.RECIPIENT_DOMAIN request.

sosnovsky self-assigned this on Oct 23, 2023
sosnovsky modified the milestones: 8.5.3, 8.5.4 on Dec 14, 2023
sosnovsky modified the milestones: 8.5.4, 8.5.5 on Mar 1, 2024
sosnovsky modified the milestones: 8.5.5, 8.5.6 on May 13, 2024
sosnovsky modified the milestones: 8.5.6, 8.5.7, First priority on May 23, 2024