Extension Security Design

In our previous post, "Stop using browser extension password managers. Use password manager extension instead.", we argued that extension password managers are not safe enough.

Talk is cheap. Show me the video.

We injected a piece of "bad code" into a GitHub page that has no login form, and stole the password by tricking the user into closing an ugly ad. (In a real attack, the opacity of the login form and the LastPass UI can be set so low that they are imperceptible.)

The demonstration exploited the LastPass password manager without relying on any vulnerability. A real attack might be able to steal passwords with zero clicks if suitable vulnerabilities are available.

Most web pages contain a lot of third-party content and code, especially ads. It is almost impossible to ensure that all of it is risk-free, so extension password managers can be quite vulnerable.

Requirement

For a long time, ID Guard Offline users have been asking us to bring our advanced security features to Windows. It is not easy, and we have done a lot of research into possible solutions.

Desktops do not have full sandbox protection. The persistent data of apps can easily be accessed by malicious programs, which can even obtain the master passwords of password managers with a keylogger or by scanning runtime memory. What's more, without a security chip, desktops cannot keep the encryption keys of password managers as secure as modern mobile systems do.

Last year, research from Independent Security Evaluators, Password Managers: Under the Hood of Secrets Management, was reported by the Washington Post under the headline Password managers have a security flaw. But you should still use one.

The master password of 1Password extracted by Adrian Bednarek


There are two types of password managers on desktops:

  1. Desktop app

    About a decade ago, the PBKDF2 algorithm brought true protection to password managers. Using PBKDF2, second-generation password managers let the user set a master password that protects the stored passwords: the master password is transformed into a secret key, which then encrypts the passwords. This is still the foundation of most password managers today.

  2. Extension app

    Desktop apps usually remember a user's password after the first login. But web apps ask for passwords time and time again, due to browser restrictions and security concerns.

    Extension password managers are built on the extension API of browsers and stay synchronized with the cloud. They can fill passwords in browsers and offer the same features as their desktop versions. That makes them very popular.

    Do not use browser built-in password managers. They are first-generation password managers: they can manage passwords, but they do not protect them well.

We'd like to help autofill passwords in browsers while still keeping them secure. So we rejected the popular extension password manager approach and designed our own secure remote fill technology.

Design

Why not another extension password manager?

Most extension password managers include these components:

Extension password manager architecture

Besides lacking the sandbox protection and security chip that smartphones have, extension password managers on desktops face more serious threats:

Innovative design

Exploring

As we explored, the picture became clear.

Architecture

We explained how to use the extension in our previous post, "Stop using browser extension password managers. Use password manager extension instead." Here is the technical side.

Architecture Diagram

Sequence Diagram

sequenceDiagram
    participant User
    participant LoginPage
    participant Extension
    participant MobileBrowser
    participant IDGuardOffline
    note over Extension: make ECC key pair
    Extension ->> LoginPage: 1. show QR code
    User ->> IDGuardOffline: 2. scan QR code on page
    note over IDGuardOffline: show matched account for page
    User ->> IDGuardOffline: 3. select account
    note over IDGuardOffline: make ECC key pair and make ECDH agreed secret
    note over IDGuardOffline: encrypt username and password
    IDGuardOffline ->> MobileBrowser: 4. encrypted data
    MobileBrowser ->> Extension: 5. send via Cloud
    note over Extension: make ECDH agreed secret and decrypt
    Extension ->> LoginPage: 6. fill

  1. The ID Guard Offline extension generates an elliptic-curve cryptography (ECC) public-private key pair when it detects a login form on the web page, and then encodes the page URL and the public key into a QR code.

  2. The user scans the QR code with the ID Guard Offline app.

  3. When an account is selected, the app:

    choose account

    • generates an elliptic-curve public-private key pair
    • generates a shared encryption key with the ECDH algorithm
    • encrypts the username and password with the shared key

  4. The app launches a mobile browser on the phone to send the encrypted data to the extension.

  5. The extension generates the shared key with the ECDH algorithm and decrypts the username and password.

  6. The extension fills the username and password into the login form.

With the ECDH key agreement algorithm, the ID Guard Offline app and extension implement end-to-end encryption, which makes sure that passwords can never be stolen by hackers or by our employees.

Since the autofill process involves user interaction (tapping on the phone), malicious programs cannot steal the passwords stored inside the app on the phone, even if zero-click browser vulnerabilities can be used.

Extension components

Extension architecture

A Chrome extension is made up of four components:

For security reasons, each component runs in its own process, and they talk to each other by message passing.

The UI Elements and Options Page of ID Guard Offline extension are pretty simple. We only focus on the Content Script and the Background Script in this article.

sequenceDiagram
    participant BackgroundScript
    participant ContentScript
    participant WebPage
    participant IDGuardOffline
    ContentScript ->> WebPage: detect login form
    ContentScript ->> BackgroundScript: make ECC key pair
    BackgroundScript ->> ContentScript: public key
    ContentScript ->> WebPage: show QR code(public key)
    IDGuardOffline ->> WebPage: scan QR code(by user)
    note over IDGuardOffline: select account to fill(by user)
    note over IDGuardOffline: make ECC key pair
    note over IDGuardOffline: make shared secret key and encrypt
    IDGuardOffline ->> BackgroundScript: encrypted data, public key via H5 app/cloud
    note over BackgroundScript: make shared secret key and decrypt
    BackgroundScript ->> ContentScript: username, password
    ContentScript ->> WebPage: fill

Content Script

The Content Script parses the web page being browsed to detect the login form and fills the username and password into it. Besides that, it offers a number of security enhancements.

  1. Password security

    Autofill is convenient. However, it exposes an attack surface at the same time: hackers might be able to loot passwords by abusing autofill. See the recent research paper Revisiting Security Vulnerabilities in Commercial Password Managers. The authors found that none of the password managers studied could defend against all of the attacks.

    ID Guard Offline offers Advanced Phishing Detection, which helps users identify all the threats mentioned in the paper. Furthermore, our Content Script can detect additional risks such as:

    • Passwords will be disclosed when the form is submitted over an HTTP connection, which is not safe.
    • Passwords can be stolen when the current page is loaded over an HTTP connection.
    • A login form inside an iframe can be hijacked when the main page is loaded over an HTTP connection.
    • Passwords are submitted to another website.

  2. Minimized attack surface

    ECC is very secure for now. However, quantum computing has demonstrated the potential to break it in the future. To minimize the risk, a QR code is valid for only 2 minutes. The scan box closes automatically after 2 minutes, and the app shows a warning when an expired QR code is scanned.

    Users can pick up their phone and scan the QR code within 2 minutes without hurrying. We believe that even quantum computers might not be able to break ECC within 2 minutes, let alone conventional computers.
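The four HTTP and cross-site checks listed above for the Content Script, written as one pure function over URLs so it can be tested without a DOM. This is an added example, not the extension's own code; the function name, the warning codes and the registrable-domain helper are assumptions.

```javascript
// Added example (not ID Guard Offline's code): the four login-form risks the Content
// Script warns about, as one pure check over URLs. Inputs: the URL of the document
// holding the form, the form's action, and the top-level page URL when the form sits
// in an iframe (null otherwise). Names and warning codes are assumptions.

// Rough "same website" test: compare the last two host labels. A production check
// should consult the Public Suffix List, since e.g. "co.uk" is not a registrable domain.
function registrableDomain(hostname) {
  return hostname.split('.').slice(-2).join('.');
}

function loginFormRisks(documentUrl, formAction, topUrl = null) {
  const page = new URL(documentUrl);
  // An empty or relative action resolves against the document, as the browser does.
  const action = new URL(formAction || '', documentUrl);
  const risks = [];
  if (action.protocol !== 'https:') {
    risks.push('submit-over-http');        // credentials leave in cleartext
  }
  if (page.protocol !== 'https:') {
    risks.push('page-over-http');          // page script can be swapped on the wire
  }
  if (topUrl !== null && new URL(topUrl).protocol !== 'https:') {
    risks.push('frame-parent-over-http');  // HTTPS form framed by an HTTP page
  }
  if (registrableDomain(action.hostname) !== registrableDomain(page.hostname)) {
    risks.push('cross-site-submit');       // form posts to another website
  }
  return risks;
}
```

In a content script the inputs come from `location.href`, the form's `action` property and a `window.top !== window` check; the parent URL itself is not readable cross-origin, so the frame case has to rely on what the browser exposes.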

Background Script

The Background Script is the core of our extension. We designed a number of security enhancements into it.

After receiving the public key and the encrypted data from the app, the extension recovers the username and password in 2 steps.

  1. Generates the shared secret key.

    // Import the app's public key (SPKI bytes received together with the encrypted data)
    const curve = {name: "ECDH", namedCurve: "P-384"};
    const publicKey = await window.crypto.subtle.importKey('spki', keyBytes, curve, true, []);
    // ECDH with the extension's own one-time private key yields the AES-256-GCM secret key
    const ecdh = {name: "ECDH", public: publicKey};
    const aes = {name: "AES-GCM", length: 256};
    const secretKey = await window.crypto.subtle.deriveKey(ecdh, page.keyPair.privateKey, aes, true, ["encrypt", "decrypt"]);

    The secret key for AES-256-GCM is derived with the standard ECDH algorithm.

  2. Decrypts the username and password from the encrypted data.

    // Base64-decode the IV and the cipher text received from the app
    const ivBytes = Uint8Array.from(window.atob(encrypted.iv), c => c.charCodeAt(0));
    const cipherBytes = Uint8Array.from(window.atob(encrypted.cipher), c => c.charCodeAt(0));
    // AES-GCM decryption fails if the cipher text or its authentication tag was modified
    const aesParams = {name: "AES-GCM", iv: ivBytes};
    const bytes = await window.crypto.subtle.decrypt(aesParams, secretKey, cipherBytes);

    It parses the IV (initialization vector) and the cipher text, and then decrypts the cipher text with the secret key derived above.

    We chose AES-256-GCM here because it detects any modification of the cipher text and is therefore much safer, while some other modes, such as AES-CBC, cannot.

Of course, HTTPS/TLS is a must for transport, which adds another layer of security.

Comparison

Most extension password managers manage and synchronize passwords with a cloud service. Ours does not. The extension and the app are two separate components working together to fill passwords in browsers.

This design minimizes the attack surfaces of both components and secures user data much better.

Comparison of attack surface

Attack surface        ID Guard Offline app   ID Guard Offline extension   Extension password managers
Internet permission   N                      Y                            Y
Persistent storage    Y                      N                            Y
UI                    Y                      Y                            Y
Web DOM               N                      Y                            Y

(Y = attack surface exposed, N = not exposed)

There are 4 attack surfaces exposed in extension password managers, while only 2 in our app and 3 in our extension. This solution isolates the 2 most risky attack surfaces, network and storage: the app stores passwords without accessing the Internet, and the extension accesses the Internet without storing any passwords.

By utilizing the security chip and sandbox protection and eliminating Internet access, our app, the ID Guard Offline password manager, is far safer than extension password managers. So let's focus on the extension part and compare each attack surface.

  1. Internet permission

    Our extension is much safer. As we know, it might be impossible to prevent all network attacks. Bad code in web pages or bad browser extensions might still be able to steal the password being filled. But it is impossible to grab all passwords, because they stay safely on the smartphone.

  2. Persistent storage

    Lots of programs running on Windows or other desktop OSes can access the data stored by Chrome, including password databases, cookies and other important data kept by extension password managers.

    If a user enables remembering the master password, malicious programs can decrypt all passwords just as the extension password manager does. If not, the master password is the only obstacle. Though master passwords should be unique, complex and long, many users still use weak passwords or reuse them. Moreover, master passwords can be recorded by keyloggers.

    Of course, it is still safer than Chrome's built-in password manager, which does not require a master password at all.

    Decrypt passwords/cookies/history/bookmarks from the browser

    Our extension does not expose this attack surface.

  3. UI

    Sean Cassidy demonstrated a pixel-perfect phishing technique to steal passwords in his blog post LostPass.

    Pixel-perfect Phishing

    Phishing is usually achieved by misdirecting users into entering their password into a spoofed UI faked by malicious programs. It is effortless to make a UI clone, and browsers do not offer many UI components that would let extensions make themselves distinct from a cloned UI. It is ironic:

    Password managers can help prevent phishing, but cannot prevent being phished.

    Our extension, like our app, has NO account, NO registration and NO login, so there is NOTHING to be phished.

  4. Web DOM

    This is an attack surface unique to browser extensions. We demonstrated how to steal passwords by manipulating the UI of a password manager with the DOM API in the video at the beginning of this article. If suitable vulnerabilities can be used, it might be possible to grab passwords with zero clicks.

    When using our extension, users need to scan a QR code to fill a password, so they must know what they are doing. Malicious programs can never attack the password being filled without the user noticing.

Summary

So how do we design a very secure autofill solution for desktop browsers? Let's put the pieces together.

  1. Password storage

    The extension does not store passwords at all. All passwords are stored in the ID Guard Offline app on the phone, which is a fourth generation password manager. Most security problems involve the network. The app is truly offline, with no Internet permission, so it does not expose the most dangerous attack surface: saved passwords cannot be attacked from the network at all.

  2. Transport

    The account to be filled into a desktop browser is selected by the user on the phone. The username and password are encrypted and sent to the extension. The extension decrypts them and fills them into the login form on the web page.

    We use these methods to secure passwords in transit.

    • Encryption and decryption are handled in an isolated background process.
    • A strong ECC/ECDH algorithm generates the shared key, achieving end-to-end encryption.
    • The ECC private key is set to be non-extractable.
    • The ECC key pair is for one-time use only.
    • Strong AES-256-GCM encryption is used, which also prevents cipher text modification.
    • HTTPS/TLS is used for transport.
    • ECC key pair validity is limited to only 2 minutes.

    As we know, HTTPS/TLS uses ECDH/AES to secure data in transit and is used by most cloud password managers for synchronization. The algorithm used in the ID Guard Offline extension is more secure than HTTPS/TLS. We will explain why in our next post.

  3. Phishing prevention

    The Advanced Phishing Detection technology of the ID Guard Offline app is the best among all known password managers. Our extension continues to invest in phishing detection too.

    • Autofill requires a manual scan with the phone.

      Since the Web DOM exposes an uncontrollable attack surface, browser extensions can be attacked through the Web DOM API. In our design, passwords are stored on the phone, and only the selected account is sent to the extension after the user scans the QR code manually. Malicious programs can never steal passwords from the app remotely without the user noticing. The manual scan also limits the speed of autofill: in one second, computer code can run up to a million times, but no one can scan more than once. Even if a user is fooled by the attacker and gives away his/her password, this design still limits the quantity and speed of disclosure.

    • Request speed limitation

    • Advanced Phishing Detection of the app

      After the QR code is scanned, users can see the website to be filled and its logo. If the selected password might be disclosed, the app displays a warning dialog. For example, if a user selects a Facebook account to fill a phishing website, say faceb00k.com, the app will remind the user that it is a phishing website.

    • Warn users that passwords will be disclosed when submitting over an HTTP connection.

    • Warn users that passwords can be disclosed when the page is loaded over an HTTP connection.

    • Warn users when the main page is loaded over an HTTP connection, which is not safe: the login form can be hijacked.

    • Warn users that passwords will be submitted to another website.

NOTE: malicious programs in the web page or bad extensions can still steal passwords filled into the login form by our extension. There is no prevention for this with current web technology. Those bad programs can also steal passwords that are entered by the user manually.

