Re: [Tails-dev] Security of postMessage between Tails Verifi…

Delete this message

Reply to this message
Author: sajolida
Date:  
To: Uzair Farooq
CC: The Tails public development discussion list
Subject: Re: [Tails-dev] Security of postMessage between Tails Verification and the download page
Uzair Farooq:
> Here are my findings:
>
> 1. Our extension script is only injected in https://tails.boum.org, so
> unless there's an iframe on the download page there's no way for any
> other hosts to receive message from our extension. Nevertheless, I've
> changed the target from'*' to 'https://tails.boum.org' to be more safe. 
>
> 2. On receiving end we have a check to verify that the source 'window'
> object of the message is same as the 'window' object of the current page
> which essentially means that the site will always reject messages from
> any other page. Nevertheless, I've added an additional check to verify
> that the source of the message is 'https://tails.boum.org'
>
> 3. We have checks in place to verify format/data of the messages passed.
>
> Other than that I don't think there's anything else to be worried
> regarding security.


Thanks for the detailed explanation!

I tested this new version and it works!

I released it for Firefox but not for Chrome.

I tried to modify the check on both sides of the message communication
(postMessage on the extension and receiveMessage on the web page) and I
get errors from Firefox on the console.

For example, to be able to test the extension locally I know have to
patch the code of both the extension and the website (73899ef).

> One thing I want to mention here is that all these
> checks are to prevent attempts from other sites/pages but if user has a
> malicious extension installed, it can easily fake/intercept things


Yeap. We already detected that in our initial threat modeling analysis.
Search "(F)" in:

https://tails.boum.org/blueprint/bootstrapping/extension/