Feature #14787

Verification extension should not be detectable as per Sjösten et al.

Added by sajolida 2017-10-04 16:07:13 . Updated 2019-03-12 17:25:57 .

Status: Resolved
Priority: Low
Assignee:
Category: Installation
Target version:
Start date: 2017-10-04
Due date:
% Done: 0%
Feature Branch:
Type of work: Research
Blueprint:
Starter:
Affected tool: Verification Extension
Deliverable for:

Description

See:

This is about preventing “browser extension discovery, [done] through a non-behavioral technique, based on detecting extensions’ web accessible resources”


History

#1 Updated by intrigeri 2017-11-18 10:52:33

  • Affected tool changed from Download and Verification Extension to Verification Extension

#2 Updated by intrigeri 2017-11-18 10:53:05

What’s the status here? Was it an explicit deliverable of the porting work?

#3 Updated by sajolida 2017-11-29 12:55:11

  • Assignee deleted (uzairfarooq)
  • Priority changed from Normal to Low

Status quo: I’ve raised the topic on tails-dev@ on October 4 and pointed Uzair to it on October 5:

https://mailman.boum.org/pipermail/tails-dev/2017-October/011761.html

We got no answer from Uzair since then.

This was not part of the features of the previous extension and so it should not be considered as part of the porting work.

I’m deassigning this from Uzair and moving it as a Low priority ticket since we have nobody to do this work.

#4 Updated by Anonymous 2018-08-17 06:34:59

  • Description updated

#5 Updated by sajolida 2018-10-10 23:02:29

  • Assignee set to sajolida
  • Target version set to Tails_3.11

I’ll check this out as the maintainer of the verification extension.

#6 Updated by sajolida 2018-12-10 15:39:56

  • Target version deleted (Tails_3.11)

#7 Updated by sajolida 2019-02-13 22:12:55

  • Status changed from Confirmed to In Progress
  • Assignee deleted (sajolida)
  • Target version set to Tails_3.13
  • QA Check set to Ready for QA

I removed with 65ac7f2 the declaration of web_accessible_resources that we had in our manifest since the first commit. Now released in version 2.3.

Today I have in Chromium in Tails: chrome-extension://gaghffbplpialpoeclgjkkbknblfajdl/resources/images/icon128.png.

Ulrike: Can you double-check my analysis (and report how much time you spent on this)?

#8 Updated by Anonymous 2019-03-12 17:25:41

sajolida wrote:
> I removed with 65ac7f2 the declaration of web_accessible_resources that we had in our manifest since the first commit. Now released in version 2.3.

Nice!

> * According to https://developer.chrome.com/extensions/manifest/web_accessible_resources they should be blocked by default now in Chrome.
>
> * According to https://developer.mozilla.org/en-US/docs/Mozilla/Add-ons/WebExtensions/manifest.json/web_accessible_resources these URLs have a unique and non-guessable element to prevent fingerprinting in Firefox.
>
> Today I have in Chromium in Tails: chrome-extension://gaghffbplpialpoeclgjkkbknblfajdl/resources/images/icon128.png.
>
> Ulrike: Can you double-check my analysis (and report how much time you spent on this)?

web_accessible_resources are resources in the form of files that are packed in the extension and that can be declared in manifest.json if they need to be accessible by the website that the extension is interacting with. The resources in our folder are merely icons of the extension, but our webpage does not make use of them, and we are not injecting any of these elements into the website. Entirely deleting this declaration is hence a very good idea, regardless of the fingerprinting issue.

I otherwise confirm the random URLs of extensions that should prevent this fingerprinting.

#9 Updated by Anonymous 2019-03-12 17:25:57

  • Status changed from In Progress to Resolved
  • QA Check deleted (Ready for QA)
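
Added example, not part of the ticket or of the extension's own code: a check a maintainer could run to confirm that a manifest no longer declares web_accessible_resources, the change described in comment #7. The function names and the sample manifests are hypothetical and constructed; only the icon path is taken from the ticket.

```javascript
// Added example: audit a WebExtension manifest for web_accessible_resources.
// The manifests and file list below are constructed samples.
const SAMPLE_FILES = ["background.js", "resources/images/icon128.png"];
const SAMPLE_DECLARED = JSON.stringify({
  manifest_version: 2, name: "sample", version: "0.0",
  web_accessible_resources: ["resources/images/*"],
});
const SAMPLE_REMOVED = JSON.stringify({
  manifest_version: 2, name: "sample", version: "0.0",
});

// Turn a manifest glob such as "resources/images/*" into an anchored RegExp.
function globToRegExp(glob) {
  const escaped = glob.replace(/^\//, "").replace(/[.+?^${}()|[\]\\]/g, "\\$&");
  return new RegExp("^" + escaped.replace(/\*/g, ".*") + "$");
}

// Normalise both manifest shapes into [{ pattern, matches }].
// Manifest V2 lists plain strings (reachable from any page);
// Manifest V3 lists objects that scope resources with "matches".
function declaredResources(manifest) {
  const war = manifest.web_accessible_resources;
  if (!Array.isArray(war)) return [];
  return war.flatMap((entry) =>
    typeof entry === "string"
      ? [{ pattern: entry, matches: ["<all_urls>"] }]
      : (entry.resources || []).map((pattern) => ({
          pattern,
          matches: entry.matches || [],
        }))
  );
}

// List the packed files that a declaration makes requestable by URL.
function auditManifest(manifestText, packedFiles) {
  const rules = declaredResources(JSON.parse(manifestText));
  const exposed = [];
  for (const file of packedFiles) {
    const rule = rules.find((r) => globToRegExp(r.pattern).test(file));
    if (rule) exposed.push({ file, pattern: rule.pattern, matches: rule.matches });
  }
  // Only entries with page match patterns are reachable from web content.
  const pageDetectable = exposed.some((e) => e.matches.length > 0);
  return { pageDetectable, exposed };
}

console.log(auditManifest(SAMPLE_DECLARED, SAMPLE_FILES));
console.log(auditManifest(SAMPLE_REMOVED, SAMPLE_FILES));
```

Failing a build when `pageDetectable` is true keeps the declaration from being reintroduced by a later change.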