XCF-Babble / babble

Can't even speak properly anymore.
GNU General Public License v3.0

Babble Browser Extension



Babble is a platform-agnostic browser extension for encrypting and decrypting text anywhere on the web. With Babble, users derive encryption keys from passwords, encrypt text with any of those keys, and decrypt any ciphertext they hold a key for. Babble is meant to be dead simple to use, so that people of all backgrounds can protect sensitive text on any service.

A list of supported websites can be found here.

Installation

You can install Babble for Chrome from Chrome Web Store, or for Firefox from Firefox Add-ons. You can also download the extension from GitHub Releases.

Demo

Encryption

Decryption

How it works

Key Management

Click the key icon inside of the Babble popup and you'll be brought to the Babble Keystore. From there, you can add, search, select, edit, and delete key-base pairs.

Encryption and Encoding

Encryption begins as you type into the textbox in the Babble popup. On supported sites the ciphertext is filled into the page's own textbox automatically, and Ctrl+Enter sends the message from the page. On unsupported sites, click the copy icon and paste the ciphertext into whatever textbox you want. The popup can also be opened with Alt+Shift+Z.

Babble derives a 256-bit key from the password with the Argon2i algorithm, using the fixed 16-byte salt BabbleBabbleBabb. Key derivation is deliberately slow (about 0.5 to 2 s in the browser) to make brute-forcing a password expensive. Because the salt is constant, the same password always yields the same key, so a guessed password can be tested against every Babble ciphertext at once; choose passwords accordingly. Encryption uses ChaCha20-IETF-Poly1305, an authenticated cipher, so a tampered or mis-keyed ciphertext fails to decrypt instead of producing garbage. The ciphertext is then encoded one byte per character using a 256-character base. The default base is 256 Chinese characters taken from a frequency table; you can use any base you like, as long as it consists of exactly 256 distinct characters.

Decryption

Decryption begins when the unlock icon in the Babble popup is clicked. This launches the element picker, which highlights the DOM element under the cursor in purple. The extension then walks the DOM starting at that element looking for data to decrypt. Decryption can also be started with Alt+Shift+D.

Babble assumes that every website is running hostile JavaScript. When the element picker starts, it therefore creates an iframe whose source is a web-accessible resource of the extension. All ciphertext selected for decryption is passed into that iframe, where it is decrypted and displayed to the user. Web-accessible resources are used because they live under the extension's own origin (chrome-extension:// on Chromium, moz-extension:// on Firefox), so the same-origin policy prevents the page's JavaScript from reading the plaintext rendered inside the frame. Note what this does and does not cover: the page already sees the ciphertext (it is in the page's DOM), and it can remove, resize or overlay the iframe. The isolation protects the plaintext from exfiltration; it does not stop a hostile page from interfering with the decryption UI.

Key Exchange

On the keystore page, users can generate a keypair, exchange public keys with a correspondent, and have both parties derive the same passphrase (a UUID) using Elliptic-curve Diffie-Hellman ephemeral (ECDHE). Point multiplication is done on Curve25519, and the shared UUID is computed as UUID(hash(secret || publicKey1 || publicKey2)). The raw shared point is not used directly: different keypairs can produce the same point on the curve and its X coordinate is not uniformly distributed, so, following the libsodium recommendation, the shared secret is hashed together with both public keys to produce a well-distributed output bound to the two parties' keys. Both sides must agree on which key is publicKey1 and which is publicKey2, or they will derive different UUIDs. The resulting UUID is then used as the password input to key derivation. As with any unauthenticated Diffie-Hellman exchange, the public keys must be verified out of band (for example by comparing them over a second channel); otherwise an active attacker who substitutes their own public key in transit derives the same passphrase as each victim.