gcarq / inox-patchset

Inox patchset tries to provide a minimal Chromium based browser with focus on privacy by disabling data transmission to Google.
BSD 2-Clause "Simplified" License

CryptoTokenExtension - need or not? #25

Closed survo closed 7 years ago

survo commented 8 years ago

What is the CryptoTokenExtension?

gcarq commented 8 years ago

AFAIK the CryptoTokenExtension implements the U2F standard for two factor authentication with hardware devices.

EDIT: I didn't try to remove it, but I think it is not needed if you don't use such devices.

gcarq commented 7 years ago

I'm closing this issue, feel free to reopen if you have further questions.

Lesik commented 6 years ago

I have some questions, please.

There isn't much info about this CryptoTokenExtension online, the most prominent Ask Ubuntu answer says:

> On the other hands... it IS a tracking tool

While taking this sentence with a grain of salt as with most Ask Ubuntu answers, I wonder if there is any tracking threat coming from this extension? Is it proprietary? Why can't it be disabled even if you don't utilize 2FA? If it's such a core functionality that it can't be disabled, why is it an extension and not part of the browser?

Eloston commented 6 years ago

@Lesik My knowledge of CryptoTokenExtension is limited, but I might be able to provide some more insight:

> I wonder if there is any tracking threat coming from this extension?

I highly doubt the component itself will proactively or unnecessarily send identifying data about you anywhere.

I am suspecting the answer is referring to how the whole 2FA process allows you to be tracked, which is a given since it's an authentication method using a very strong fingerprint (i.e. the hardware key).

> Is it proprietary?

I can say with 99% certainty that it is open source due to the binary pruning process in building ungoogled-chromium. I also haven't seen any binaries download while building or running Chromium (that aren't intentional).

> Why can't it be disabled even if you don't utilize 2FA? If it's such a core functionality that it can't be disabled, why is it an extension and not part of the browser?

I think the suffix "Extension" in CryptoTokenExtension may be a bit misleading here. It is technically an "extension" due to where it runs, how it runs, and what it uses to run. However, this extension is only one component of the implementation of the U2F standard. I suspect there is some JavaScript or HTML functionality that is easier to implement in a specialized extension, which then talks through exclusive private chrome APIs (like the Webstore app has) to send data to the browser component that interfaces with the hardware key.

My knowledge of these kinds of extensions is limited, but I don't think anything bad will happen by disabling this extension if you don't use U2F. However, I don't think there's much of a reason to do so unless you're worried about it being exploited in some manner.


Please keep in mind that this is all speculation. We would need to look through the code for CryptoTokenExtension and the U2F implementation to be certain.

ghost commented 5 years ago

@Eloston but still, this extension creates an identification code for each computer, based on its hardware. Isn't there any plans to remove it?

Eloston commented 5 years ago

@MrOCR Do you have information on what CryptoTokenExtension uses from the hardware to create an identification code, and an explanation of how this extension can be used by a webpage?