tasn / webext-signed-pages

A browser extension to verify the authenticity (PGP signature) of web pages
BSD 3-Clause "New" or "Revised" License

Disable JS for pages with a bad/missing signature #44

Open Alch-Emi opened 2 years ago

Alch-Emi commented 2 years ago

Heya! I'd like to propose that the signed pages web extension should disable JS when a page fails a signature check. This would help protect against the following attack:

  1. User logs into the (uncompromised, valid sig) web app, goes about their business, and then closes the app without logging out
  2. The web app is compromised by a malicious attacker interested in user data
  3. The user returns to the web app.
  4. The user's browser has kept their credentials, but not cached the page, and so loads the app from the server
  5. The server sends a malicious web app
  6. The (now malicious) web app uses on-load JS to immediately upload the user's local storage to the attacker's server BEFORE the user can react to the page having a failed signature.
  7. User's credentials are now compromised until the user invalidates them.

This would also add an additional measure to prevent unobservant users who fail to notice an invalid signature from providing credentials to a compromised page.

Note: If this behavior is already present, I'd instead like to use this space to request that this information be added to the extension's README

Thanks for your time!

RokeJulianLockhart commented 1 year ago

I request that this be optional, and by default disabled. I only use this to inform me of when a site is verified, rather than to protect me.

If a user installs this and something as critical as JS is suddenly disabled in most websites, they'll never use the extension again.

Alch-Emi commented 1 year ago

Oh, I should clarify: I don't think JS should be disabled on all unsigned pages, since that would make using the web really obnoxious. This would only be necessary for pages that have a signature expected (that is, have a signature listed in the extension preferences), but not received.

The only time a user would be affected by this is if they list a site in their extension settings, but when they go to visit that site, the signature is missing, which would indicate one of three things:

If everything is going well, most users would never see a page with JS disabled
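An added example of the policy described in this thread, written for this page and not taken from webext-signed-pages: JavaScript is blocked only for origins the user has listed, and only when the page does not carry a valid signature from the expected key. Enforcement appends a `Content-Security-Policy: script-src 'none'` header, so no inline or external script (including on-load handlers) runs before the user sees the failed-signature indicator. The preference table, the fingerprint, the shape of the verification result, and the `verify(details)` callback are all assumptions of this example; the listener registration assumes Firefox's blocking `webRequest` API (MV2) and a verdict that is available before the response body is committed.

```javascript
// Added example (not webext-signed-pages code): block script execution when a
// page that is expected to be signed arrives unsigned, badly signed, or signed
// by the wrong key. Origins, fingerprints and the verify() callback are assumed.

// Constructed sample of the user's extension preferences: origins for which a
// signature is expected, mapped to the PGP key fingerprint they must use.
const EXPECTED_SIGNERS = Object.freeze({
  "https://app.example": "0123456789ABCDEF0123456789ABCDEF01234567", // hypothetical
});

// Assumed shape of a verification result:
//   { status: "valid" | "invalid" | "missing", fingerprint?: string }
// "missing": no signature at all; "invalid": present but failed to verify;
// "fingerprint": the key that produced a valid signature.

function normalizeFingerprint(fp) {
  return (fp || "").replace(/\s+/g, "").toUpperCase();
}

// Decide whether scripts must be blocked for this URL given the verdict.
function shouldBlockScripts(url, result, expected = EXPECTED_SIGNERS) {
  const origin = new URL(url).origin;
  const wanted = expected[origin];
  // Sites the user never listed keep their JS: only listed sites are enforced.
  if (wanted === undefined) return false;
  // Anything short of a valid signature from the expected key is a failure,
  // including a valid signature from some other key.
  return !(result.status === "valid" && normalizeFingerprint(result.fingerprint) === wanted);
}

// webRequest passes headers as [{ name, value }]. We append a policy instead of
// replacing any existing one: browsers enforce every CSP header they receive,
// so the site's own policy stays intact and ours can only restrict further.
const BLOCK_JS_POLICY = "script-src 'none'";

function withScriptsBlocked(responseHeaders) {
  const already = responseHeaders.some(
    (h) => h.name.toLowerCase() === "content-security-policy" && h.value === BLOCK_JS_POLICY,
  );
  if (already) return responseHeaders;
  return [...responseHeaders, { name: "Content-Security-Policy", value: BLOCK_JS_POLICY }];
}

// Full decision for one document response: returns whether scripts were
// blocked and the header list to hand back to the browser.
function enforce(url, result, responseHeaders) {
  if (!shouldBlockScripts(url, result)) {
    return { blocked: false, responseHeaders };
  }
  return { blocked: true, responseHeaders: withScriptsBlocked(responseHeaders) };
}

// Register with the blocking webRequest API when it exists (Firefox MV2-style);
// returns false when run outside a browser. verify(details) is supplied by the
// caller and must resolve to a result of the shape above before the response
// is committed; how the signature is fetched is outside this example.
function installJsBlocker(verify) {
  if (typeof browser === "undefined" || !browser.webRequest) return false;
  browser.webRequest.onHeadersReceived.addListener(
    async (details) => {
      const { responseHeaders } = enforce(details.url, await verify(details), details.responseHeaders);
      return { responseHeaders };
    },
    { urls: ["<all_urls>"], types: ["main_frame", "sub_frame"] },
    ["blocking", "responseHeaders"],
  );
  return true;
}
```

Two caveats a practitioner would check before relying on this: the verdict has to be known at `onHeadersReceived` time, so if the signature is carried inside the HTML body rather than in a header or a separately fetched detached signature, the body must be buffered and verified (for example with Firefox's `filterResponseData`) before anything is released to the renderer; and a service worker already registered by the site can answer a navigation without a network request, so an extension that only inspects network responses would not see that load.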

RokeJulianLockhart commented 1 year ago

I agree, then. Seems like a brilliant feature since it means that something indeed has gone wrong, so the worst should be assumed.