[Tails-dev] Verification extension should not be detectable …

Author: sajolida
Date:  
To: The Tails public development discussion list
Subject: [Tails-dev] Verification extension should not be detectable as per Sjösten, and al.
Someone pointed me to this paper:

http://www.cse.chalmers.se/research/group/security/publications/2017/extensions/codaspy-17-full.pdf

ABSTRACT

Browser extensions provide a powerful platform to enrich browsing
experience. At the same time, they raise important security questions.
From the point of view of a website, some browser extensions are
invasive, removing intended features and adding unintended ones, e.g.
extensions that hijack Facebook likes. Conversely, from the point of
view of extensions, some websites are invasive, e.g. websites that
bypass ad blockers. Motivated by security goals at clash, this paper
explores browser extension discovery, through a non-behavioral
technique, based on detecting extensions’ web accessible resources. We
report on an empirical study with free Chrome and Firefox extensions,
being able to detect over 50% of the top 1,000 free Chrome extensions,
including popular security- and privacy-critical extensions such as
AdBlock, LastPass, Avast Online Security, and Ghostery. We also conduct
an empirical study of non-behavioral extension detection on the Alexa
top 100,000 websites. We present the dual measures of making extension
detection easier in the interest of websites and making extension
detection more difficult in the interest of extensions. Finally, we
discuss a browser architecture that allows a user to take control in
arbitrating the conflicting security goals.

The new version of our verification extension should not be detectable
using this technique.

Uzair: do you want to look into this as you're in the process of
rewriting a good share of the code of our extension?
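
The detection technique in the abstract above relies on an extension declaring web accessible resources in its manifest. As an added example (not part of the original message and not code from the Tails verification extension), this JavaScript audit reports which declared resources a web page could request; the function name and the sample manifests are constructed for illustration.

```javascript
// Audit a WebExtension manifest for resources that web pages can request.
// Handles the Manifest V2 form (array of path strings) and the Manifest V3
// form (array of objects with "resources", "matches", "extension_ids").
function auditWebAccessibleResources(manifest) {
  const war = manifest.web_accessible_resources;
  const findings = [];
  if (war === undefined) return { exposedToWebPages: false, findings };
  if (!Array.isArray(war)) {
    throw new TypeError("web_accessible_resources must be an array");
  }
  for (const entry of war) {
    if (typeof entry === "string") {
      // V2: every listed path or glob is loadable by any page.
      findings.push({ pattern: entry, pages: ["<all pages>"], extensions: [] });
    } else if (entry && Array.isArray(entry.resources)) {
      // V3: exposure is limited to the listed page patterns / extension ids.
      for (const pattern of entry.resources) {
        findings.push({
          pattern,
          pages: entry.matches || [],
          extensions: entry.extension_ids || [],
        });
      }
    } else {
      throw new TypeError("unrecognised web_accessible_resources entry");
    }
  }
  // Only resources reachable from web pages matter for website-side detection.
  const exposedToWebPages = findings.some((f) => f.pages.length > 0);
  return { exposedToWebPages, findings };
}

// Constructed sample manifests (not taken from any real extension).
const sampleV2 = {
  manifest_version: 2,
  web_accessible_resources: ["images/*.png", "inject.js"],
};
const sampleV3 = {
  manifest_version: 3,
  web_accessible_resources: [
    { resources: ["icon.png"], matches: ["https://example.org/*"] },
    { resources: ["shared.js"], extension_ids: ["*"] },
  ],
};
const sampleNone = { manifest_version: 2 };

for (const m of [sampleV2, sampleV3, sampleNone]) {
  console.log(JSON.stringify(auditWebAccessibleResources(m)));
}
```

A manifest for which `exposedToWebPages` is false declares nothing that a website can probe through web accessible resources.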