Open andrewdavidwong opened 7 years ago
I'd be happy to add Makefile.builder and be a guinea pig for the Qubes community repository or whatever. :)
The Debian packaging is reproducible when using a new enough dpkg, if that matters. Not sure about the Fedora packaging.
Anyone (@fepitre?) interested in reviewing Split Browser for inclusion into qubes-repo-contrib? The code looks alright to me nowadays.
@rustybird sure I can have a look too in the next days.
@rustybird, any chance of making this compatible with Chromium/Chrome?
any chance of making this compatible with Chromium/Chrome?
Ideally, the browser-side code (currently Mozilla AutoConfig) would be rewritten as a WebExtension and then used for both Firefox- and Chromium-based browsers. And I do have a proof of concept lying around from >2 years ago; not even tested with anything besides Tor Browser back then, but it already seemed surprisingly tricky due to:
WebExtension limitations: They can't override standard browser hotkeys. For some functions there's a good alternative (instead of overriding the "add bookmark" hotkey, the extension can handle "bookmark added" events), but some will just have to use worse hotkeys.
WebExtension bugs: Tor Browser doesn't distinguish WebExtensions from websites in that both are blocked from talking to localhost (i.e. the qrexec service). I had to wedge in an ugly "native messaging" shim script relaying messages back and forth.
Browser vendors just hell-bent on making it as hard as possible for the operating system to silently install an extension. Plus, ever more restrictive code signing / distribution channel requirements. I don't know what the situation is today - probably still doable with Firefox ESR (vs. mainline Firefox) and Chromium (vs. Chrome), but what a headache!
Having to redesign how Split Browser configures the browser - things like setting the download directory.
I don't much use Chromium myself, so it hasn't been too appealing to work on this... even though it's such a glaring omission.
Native messaging is the endorsed way to relay messages between a browser extension and native code. When it comes to hotkeys, perhaps an X11 program in the browsing VM could handle this?
Also, the current handling of logins seems to leave a lot to be desired. From my perspective, a better approach would be to somehow interface with the website DOM, just as browser’s built-in password managers do.
Native messaging is the endorsed way to relay messages between a browser extension and native code.
Well, I know you can't just open a plain TCP connection, but a WebSocket to localhost should have worked nicely - if not for that Tor Browser bug. Maybe almost a drop-in replacement of websocat for socat in the qrexec service.
Native messaging isn't too bad, but it adds some indirection: split-browser-disp qrexec service launches browser, which launches gnarly native shim (from the old PoC), which talks to split-browser-disp.
When it comes to hotkeys, perhaps an X11 program in the browsing VM could handle this?
Yeah, xbindkeys or something. The only affected hotkeys are Alt-b (Open bookmarks) and Ctrl-Shift-u (New Identity), so maybe it's also not too bad to just change them.
Also, the current handling of logins seems to leave a lot to be desired. From my perspective, a better approach would be to somehow interface with the website DOM, just as browser’s built-in password managers do.
Anything that touches the DOM would have to carefully avoid being fingerprintable tho? With the current approach (dumb autotype) it hopefully looks like any other external* password manager, as far as the website can tell.
* Not integrated via a browser extension
How do most password managers handle this?
Avoiding fingerprinting? I don't know if that's even a goal for mainstream browser extensions. (Assuming you mean password managers that integrate via a browser extension.)
Perhaps it's actually easy, there are protections like Firefox's Xray vision. But that looks more geared towards preventing untrusted page information from being transferred too freely to the trusted extension environment. I can't find anything about the opposite direction. It's an unusual threat model, and I'm definitely not an expert, so the idea of interacting with the page DOM at all makes me nervous.
No, I meant how do most password managers (such as KeePassXC) integrate with browsers?
For KeePassXC, you can use their browser extension or autotype.
@rustybird is it tested on both R4.0 and current devel R4.1?
is it tested on both R4.0 and current devel R4.1?
Yes, it works on both.
BTW I just renamed the Git repo to qubes-app-split-browser (from qubes-split-browser).
Yes, I was about to say that I would do that when forking into QubesOS-contrib. Builds are OK on tested dists: archlinux, bullseye, centos8 and fc33. I will finish the review soon and post a notice here for it and for the build done on contrib.
Validated https://github.com/rustybird/qubes-app-split-browser/commit/d4ba6b2faa021925fe45c60b4b47768599570d53
Thank you @fepitre!
Someone posted a bounty on this issue three years ago, when it was titled "Integrate Rustybird's qubes-split-browser". Feel free to collect it.
Thank you @fepitre!
You are welcome. You can check current built packages here: https://github.com/QubesOS-contrib/updates-status/issues
Someone posted a bounty on this issue three years ago, when it was titled "Integrate Rustybird's qubes-split-browser". Feel free to collect it.
I would let @marmarek @andrewdavidwong manage this.
Someone posted a bounty on this issue three years ago, when it was titled "Integrate Rustybird's qubes-split-browser". Feel free to collect it.
I would let @marmarek @andrewdavidwong manage this.
I'm not in a position to collect money on behalf of the project (no access to deposit accounts or anything), so I'll leave this to @MiCh and @marmarek. Let me know if I can do anything to help.
@fepitre, so what's the next step here?
Community Dev: @rustybird
PoC: https://github.com/rustybird/qubes-app-split-browser
Announcement thread: https://groups.google.com/d/topic/qubes-users/SEWwjHj4Byk/discussion