Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Fingerprint pipe communications example #706

Open
MGibson1 opened this issue Oct 2, 2024 · 1 comment
Open

Fingerprint pipe communications example #706

MGibson1 opened this issue Oct 2, 2024 · 1 comment
Labels
needs-triage: chrome Chrome needs to assess this issue for the first time needs-triage: firefox Firefox needs to assess this issue for the first time

Comments

@MGibson1
Copy link

MGibson1 commented Oct 2, 2024

While discussing native messaging at TPAC, I mentioned Bitwarden encrypts these communication channels.

It was asked that I share a quick demo of that experience.

Bitwarden-IPC-fingerprinting.mov

What is going on here is the browser extension creating a public/private key pair, sharing the public one along the unencrypted and insecure native messaging pipe to the desktop application. The desktop application calculates a fingerprint of the public key and asks the user to verify it is the same one calculated by the browser. In this way, we ensure that no middle party intercepted and injected a compromised key to spy on communications between the applications.

The user experience of validating the fingerprint is not perfect, but without a supervisor (probably the OS) validating both isolated communications between the two applications AND validating the identity of both parties, we need to rely on the user to do so.

@github-actions github-actions bot added needs-triage: chrome Chrome needs to assess this issue for the first time needs-triage: firefox Firefox needs to assess this issue for the first time needs-triage: safari Safari needs to assess this issue for the first time labels Oct 2, 2024
@xeenon xeenon removed the needs-triage: safari Safari needs to assess this issue for the first time label Oct 3, 2024
@Rob--W
Copy link
Member

Rob--W commented Oct 7, 2024

Thanks for sharing. The meeting notes are still pending review at #704; once merged it should be possible to find the relevant discussion permanently at https://github.com/w3c/webextensions/blob/main/_minutes/2024-09-23-wecg-tpac.md#native-messaging#native-messaging

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
needs-triage: chrome Chrome needs to assess this issue for the first time needs-triage: firefox Firefox needs to assess this issue for the first time
Projects
None yet
Development

No branches or pull requests

3 participants