[HN Gopher] Keybase Browser Extension Insecure
___________________________________________________________________
Keybase Browser Extension Insecure
Author : zdw
Score : 57 points
Date : 2021-10-10 15:13 UTC (7 hours ago)
(HTM) web link (www.grepular.com)
(TXT) w3m dump (www.grepular.com)
| wobblyasp wrote:
| Seems like a bit of a stretch. You really shouldn't be putting
| anything extremely sensitive into a browser anyway, and Keybase
| calls it out themselves. Yes, it's missing from the extension
| page, but that's really the only "mistake" they've made.
| akerl_ wrote:
| So why does Keybase inject the textbox there? Injecting an
| input for a secure chat app into an insecure location is going
| to make people who trust keybase misunderstand the security
| profile of that input.
| wobblyasp wrote:
| Is there another location they could? I'm not familiar enough
| with extension development to speak confidently but my
| understanding was that you had to manipulate the DOM if you
| wanted to impact I/O of the page
| akerl_ wrote:
| Per the post, if you click the button right in the browser
| menu bar, it spawns a chat window that's outside the page
| DOM
| captn3m0 wrote:
| Other than the post recommendation, using a secure "blank"
| iFrame hosted on their own domain might have worked as
| well, depending on their threat-model.
| anonypla wrote:
| Just one answer: https://keyoxide.org/
|
| It's such a well-maintained alternative to keybase
| tragictrash wrote:
| Anything you type into a webpage can be seen by anyone who
| controls the content being delivered. Not news, this title is
| clickbait.
| philsnow wrote:
| Just stop using browser extensions.
|
| No you don't need a JSON prettifier that has full powers and can
| read data from web pages on any domain. You don't need a thing to
| help you to compose English prose better (or maybe you do but
| don't use the extension).
|
| The browser is the modern operating system, and we have made it
| trivial to allow users to pwn themselves with two clicks.
| matheusmoreira wrote:
| Yeah. All extensions are potential malware. The only extensions
| I trust are uBlock Origin and those made by the EFF.
| userbinator wrote:
| All _software_ is potential malware. Sometimes the definition
| of malware depends on whether you're the user or not!
| faeyanpiraat wrote:
| wym
| captn3m0 wrote:
| The "JSON prettifier" example is exactly what compromised my
| browser once, long ago. I only found out because I noticed the
| "this extension is no longer available on the Chrome store"
| mention on the chrome://extensions page or something of the
| sort.
|
| It was silently ex-filtering a list of all URLs I visited against
| a unique identifier.
| sp332 wrote:
| "exfiltrating"
| least wrote:
| > Just stop using browser extensions.
|
| > The browser is the modern operating system...
|
| This is kind of like advocating to only use vendor-provided
| software on your actual operating system because any third
| party software might be insecure (ignoring the fact that the OS
| itself may be as well). Some people might be able to do that
| but the overwhelming majority of people would not find that
| tenable, so suggesting that one just not is neither productive
| nor realistic.
| userbinator wrote:
| I see it as yet another piece of propaganda from the
| corporate-totalitarianism side of the war on general-purpose
| computing. They started squeezing people into the browser,
| then they slowly castrate the browser and turn it into
| another tool of control. No userstyles, no userscripts, no
| extensions, _no URLs_... All in the name of "security", of
| course... and people will blindly believe.
|
| The frog continues to cook slowly.
| alisonkisk wrote:
| How is your argument different from "don't use software to
| solve problems"?
| dcsommer wrote:
| What about password managers? The browser built-in ones aren't
| always the best choice.
| zorked wrote:
| Why not?
| mook wrote:
| As far as I know, none of the browser-provided password
| managers let you sync outside of an internet-connected
| account system. I can sync my passwords over my local
| network just fine.
| ViViDboarder wrote:
| I think that technically Firefox does, but it's not easy
| to run your own account and sync server.
| mynameismon wrote:
| 1. Lack of a master password, so anyone who knows the
| password to your laptop knows all your passwords
|
| 2. Inability to access them anywhere, anytime
|
| 3. Possibility of compromise in case of compromise of
| system[1]
|
| 4. No sharing
|
| 5. Absolutely terrible password generation (a string of
| random characters)
|
| [1]: https://null-byte.wonderhowto.com/how-to/hacking-
| windows-10-...
| faeyanpiraat wrote:
| What's wrong with a string of random characters?
| johnebgd wrote:
| People really do need additional functionality beyond what the
| browser provides.
|
| The browser should offer the user controls on what data plugins
| can remit from the computer.
| raesene9 wrote:
| I'm interested to see that Keybase is actually still maintained.
| After the Zoom Acqui-hire, they seemed to have moved on (last
| entry on their blog https://keybase.io/blog is May 21 2020) but
| there's activity on the GH repos, although nothing like the pace
| it used to develop at
| (https://github.com/keybase/client/graphs/contributors).
| joecool1029 wrote:
| Further discussion of this from yesterday:
| https://news.ycombinator.com/item?id=28814210
___________________________________________________________________
(page generated 2021-10-10 23:01 UTC)