Project

General

Profile

Feature #14787

Verification extension should not be detectable as per Sjösten, and al.

Added by sajolida almost 2 years ago. Updated 4 months ago.

Status:
Resolved
Priority:
Low
Assignee:
Category:
Installation
Target version:
Start date:
10/04/2017
Due date:
% Done:

0%

Feature Branch:
Type of work:
Research
Blueprint:
Starter:
Affected tool:
Verification Extension

Description

See:

This is about preventing "browser extension discovery, [done] through a non-behavioral technique, based on detecting extensions’ web accessible resources"

History

#1 Updated by intrigeri over 1 year ago

  • Affected tool changed from Download and Verification Extension to Verification Extension

#2 Updated by intrigeri over 1 year ago

What's the status here? Was it an explicit deliverable of the porting work?

#3 Updated by sajolida over 1 year ago

  • Assignee deleted (uzairfarooq)
  • Priority changed from Normal to Low

Status quo: I've raised the topic on tails-dev@ on October 4 pointed Uzair to it on October 5:

https://mailman.boum.org/pipermail/tails-dev/2017-October/011761.html

We got no answer from Uzair since then.

This was not part of the features of the previous extension and so it should not be considered as part of the porting work.

I'm deassigning this from Uzair and moving it as a Low priority ticket since we have nobody to do this work.

#4 Updated by u 11 months ago

  • Description updated (diff)

#5 Updated by sajolida 9 months ago

  • Assignee set to sajolida
  • Target version set to Tails_3.11

I'll check this out as the maintainer of the verification extension.

#6 Updated by sajolida 7 months ago

  • Target version deleted (Tails_3.11)

#7 Updated by sajolida 5 months ago

  • Status changed from Confirmed to In Progress
  • Assignee changed from sajolida to u
  • Target version set to Tails_3.13
  • QA Check set to Ready for QA

I removed with 65ac7f2 the declaration of web_accessible_resources that we had in our manifest since the first commit. Now release in version 2.3.

Today I have in Chromium in Tails: chrome-extension://gaghffbplpialpoeclgjkkbknblfajdl/resources/images/icon128.png.

Ulrike: Can you double-check my analysis (and report how much time you spent on this)?

#8 Updated by u 4 months ago

sajolida wrote:

I removed with 65ac7f2 the declaration of web_accessible_resources that we had in our manifest since the first commit. Now release in version 2.3.

Nice!

Today I have in Chromium in Tails: chrome-extension://gaghffbplpialpoeclgjkkbknblfajdl/resources/images/icon128.png.

Ulrike: Can you double-check my analysis (and report how much time you spent on this)?

web_accessible_resources are resources in the form of files that are packed in the extension and that can be declared in manifest.json if they need to be accessible by the website that the extension is interacting with. The resources in our folder are merely icons of the extension, but our webpage does not make use of them, we are not injecting any of these elements into the website. Entirely deleting this declaration is hence a very good idea, regardless of the fingerprinting issue.

I otherwise confirm the random URLs of extensions that should prevent this fingerprinting.

#9 Updated by u 4 months ago

  • Status changed from In Progress to Resolved
  • QA Check deleted (Ready for QA)

Also available in: Atom PDF