著者: sajolida 日付: To: The Tails public development discussion list, Uzair Farooq 題目: Re: [Tails-dev]
Verification extension should not be detectable as per Sjösten, and al.
Uzair! I forgot to put you in copy while sending this to tails-dev...
sajolida: > Someone pointed me to this paper:
>
> http://www.cse.chalmers.se/research/group/security/publications/2017/extensions/codaspy-17-full.pdf >
> ABSTRACT
>
> Browser extensions provide a powerful platform to enrich
> browsing experience. At the same time, they raise impor-
> tant security questions. From the point of view of a website,
> some browser extensions are invasive, removing intended fea-
> tures and adding unintended ones, e.g. extensions that hi-
> jack Facebook likes. Conversely, from the point of view of
> extensions, some websites are invasive, e.g. websites that by-
> pass ad blockers. Motivated by security goals at clash, this
> paper explores browser extension discovery, through a non-
> behavioral technique, based on detecting extensions’ web ac-
> cessible resources. We report on an empirical study with
> free Chrome and Firefox extensions, being able to detect
> over 50% of the top 1,000 free Chrome extensions, including
> popular security- and privacy-critical extensions such as Ad-
> Block, LastPass, Avast Online Security, and Ghostery. We
> also conduct an empirical study of non-behavioral extension
> detection on the Alexa top 100,000 websites. We present the
> dual measures of making extension detection easier in the
> interest of websites and making extension detection more
> difficult in the interest of extensions. Finally, we discuss a
> browser architecture that allows a user to take control in
> arbitrating the conflicting security goals.
>
> The new version of our verification extension should not be detectable
> using this technique.
>
> Uzair: do you want to look into this as you're in the process of
> rewriting a good share of the code of our extension?