QubesOS / qubes-issues

The Qubes OS Project issue tracker
https://www.qubes-os.org/doc/issue-tracking/
543 stars 48 forks source link

[Contribution] qubes-app-split-browser #2469

Open andrewdavidwong opened 8 years ago

andrewdavidwong commented 8 years ago

Community Dev: @rustybird PoC: https://github.com/rustybird/qubes-app-split-browser Announcement thread: https://groups.google.com/d/topic/qubes-users/SEWwjHj4Byk/discussion

rustybird commented 8 years ago

I'd be happy to add Makefile.builder and be a guinea pig for the Qubes community repository or whatever. :)

The Debian packaging is reproducible when using a new enough dpkg, if that matters. Not sure about the Fedora packaging.

rustybird commented 4 years ago

Anyone (@fepitre?) interested in reviewing Split Browser for inclusion into qubes-repo-contrib? The code looks alright to me nowadays.

fepitre commented 4 years ago

@rustybird sure I can have a look too in the next days.

andrewdavidwong commented 4 years ago

@rustybird, any chance of making this compatible with Chromium/Chrome?

rustybird commented 4 years ago

any chance of making this compatible with Chromium/Chrome?

Ideally, the browser-side code (currently Mozilla AutoConfig) would be rewritten as a WebExtension and then used for both Firefox- and Chromium-based browsers. And I do have a proof of concept lying around from >2 years ago; not even tested with anything besides Tor Browser back then, but it already seemed surprisingly tricky due to:

  1. WebExtension limitations: They can't override standard browser hotkeys. For some functions there's a good alternative (instead of overriding the "add bookmark" hotkey, the extension can handle "bookmark added" events), but some will just have to use worse hotkeys.

  2. WebExtension bugs: Tor Browser doesn't distinguish WebExtensions from websites in that both are blocked from talking to localhost (i.e. the qrexec service). I had to wedge in an ugly "native messaging" shim script relaying messages back and forth.

  3. Browser vendors just hell-bent on making it as hard as possible for the operating system to silently install an extension. Plus, ever more restrictive code signing / distribution channel requirements. I don't know what the situation is today - probably still doable with Firefox ESR (vs. mainline Firefox) and Chromium (vs. Chrome), but what a headache!

  4. Having to redesign how Split Browser configures the browser - things like setting the download directory.

I don't much use Chromium myself, so it hasn't been too appealing to work on this... even though it's such a a glaring omission.

DemiMarie commented 4 years ago

Native messaging is the endorsed way to relay messages between a browser extension and native code. When it comes to hotkeys, perhaps an X11 program in the browsing VM could handle this?

DemiMarie commented 4 years ago

Also, the current handling of logins seems to leave a lot to be desired. From my perspective, a better approach would be to somehow interface with the website DOM, just as browser’s built-in password managers do.

rustybird commented 4 years ago

Native messaging is the endorsed way to relay messages between a browser extension and native code.

Well, I know you can't just open a plain TCP connection, but a WebSocket to localhost should have worked nicely - if not for that Tor Browser bug. Maybe almost a drop-in replacement of websocat for socat in the qrexec service.

Native messaging isn't too bad, but it adds some indirection: split-browser-disp qrexec service launches browser, which launches gnarly native shim (from the old PoC), which talks to split-browser-disp.

When it comes to hotkeys, perhaps an X11 program in the browsing VM could handle this?

Yeah, xbindkeys or something. The only affected hotkeys are Alt-b (Open bookmarks) and Ctrl-Shift-u (New Identity), so maybe it's also not too bad to just change them.

Also, the current handling of logins seems to leave a lot to be desired. From my perspective, a better approach would be to somehow interface with the website DOM, just as browser’s built-in password managers do.

Anything that touches the DOM would have to carefully avoid being fingerprintable tho? With the current approach (dumb autotype) it hopefully looks like any other external* password manager, as far as the website can tell.

* Not integrated via a browser extension

DemiMarie commented 4 years ago

How do most password managers handle this?

rustybird commented 4 years ago

Avoiding fingerprinting? I don't know if that's even a goal for mainstream browser extensions. (Assuming you mean password managers that integrate via a browser extension.)

Perhaps it's actually easy, there are protections like Firefox's Xray vision. But that looks more geared towards preventing untrusted page information from being transfered too freely to the trusted extension environment. I can't find anything about the opposite direction. It's an unusual threat model, and I'm definitely not an expert, so the idea of interacting with the page DOM at all makes me nervous.

DemiMarie commented 4 years ago

No, I meant how do most password managers (such as KeePassXC) integrate with browsers?

rustybird commented 4 years ago

For KeePassXC, you can use their browser extension or autotype.

fepitre commented 4 years ago

@rustybird is it tested on both R4.0 and current devel R4.1?

rustybird commented 4 years ago

is it tested on both R4.0 and current devel R4.1?

Yes, it works on both.

BTW I just renamed the Git repo to qubes-app-split-browser (from qubes-split-browser).

fepitre commented 4 years ago

Yes I was about to tell that I would do that when forking into QubesOS-contrib. Builds are ok on tested dists: archlinux, bullseye, centos8 and fc33. I finish the review soon and I notice here for it and build done on contrib.

fepitre commented 4 years ago

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256

Validated https://github.com/rustybird/qubes-app-split-browser/commit/d4ba6b2faa021925fe45c60b4b47768599570d53 -----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEn6ZLkvlecGvyjiymSEAQtc3FduIFAl/EzjUACgkQSEAQtc3F duJ/uhAAp4m1vaTrAHIXlWMCJaVaw4akP8CNIgrU+ZctSriN8ePgbe3rKhzfN5BL FX3NQ0QlSm9TMNEVMb1uWKlRm77FGmIcboBAmS2nqx8oehGQVLELxFmDPL+qNxAv T6lKt8VWikVsM0LNuOJDnsiNqUiTFlqlFjsSwBKHMFaNINt1EUppAVhT1ta7cF6q wB/aDv7iOIbHXxzX1R+UPMZoBsEr2qa8oFomMupUU3903JhHs+sSqnl8Kxm75dhn Kf8qEbKhCSgMSSjJXvZV1giT4dV/WCqkjBt4u7pSOvVLqM9/WN0Zz/ntMmSVImsS pb3Q9EGNkvjp6QHNcVHLJDFCcTGccfqGgE5Bp9MxonmONICeOCzF8ah/Ga2U8LQ9 toT3BVWfuklm287fqiyoFYgGMR9GHj/bmaGhq7bUYWmZiT4316LTGv5glpXOZYxP A0NSMi/Ocl/v52sJcnYMRaun1ezKkhFeQfOI5juXaEidKCozq/t93EPXId0XCssB GXKvoKDsNCjXyeOWivMVf3lUvUh3RUaOY/Xj4EttoTHRVDIftdF5ux7C42U71QI8 Qko7TZpuJa3Wff0veA31mU8lyErk0aLBBJdJxVw7JhT2DuyAg2pGZeIyg1jZz/53 FTg9E8m4SeBzk8RXsEypumIMOfjQTCgHd/tEvaFTkwWzmWnMZSY= =v9DY -----END PGP SIGNATURE-----

rustybird commented 4 years ago

Thank you @fepitre!

Someone posted a bounty on this issue three years ago, when it was titled "Integrate Rustybird's qubes-split-browser". Feel free to collect it.

fepitre commented 4 years ago

Thank you @fepitre!

You are welcome. You can check current built packages here: https://github.com/QubesOS-contrib/updates-status/issues

Someone posted a bounty on this issue three years ago, when it was titled "Integrate Rustybird's qubes-split-browser". Feel free to collect it.

I would let @marmarek @andrewdavidwong manage this.

andrewdavidwong commented 4 years ago

Someone posted a bounty on this issue three years ago, when it was titled "Integrate Rustybird's qubes-split-browser". Feel free to collect it.

I would let @marmarek @andrewdavidwong manage this.

I'm not in a position to collect money on behalf of the project (no access to deposit accounts or anything), so I'll leave this to @MiCh and @marmarek. Let me know if I can do anything to help.

andrewdavidwong commented 4 years ago

@fepitre, so what's the next step here?