[OTR-dev] Browser extensions for OTR

[garulf]

Il 27/06/2012 22:28, Ian Goldberg ha scritto:
> On Wed, Jun 27, 2012 at 12:54:06PM -0700, Chris Ballinger wrote:

>>
>> Would it be possible/feasible to write browser extensions (Chrome, Safari,
>> FF) that use Emscripten (LLVM to JS compiler) to compile libotr, and then
>> hook into the DOM for Gmail or Facebook (or possibly any two user-defined
>> text fields?) for "seamless" in-browser OTR?
> 
> Lots of people have considered that, but there's a major obstacle: how
> do you know the libotr plugin is actually being used, and it's not just
> sending plaintext to GTalk?  As far as I know, there's no "secure
> chrome" mechanism extensions can use to confirm to the user that the
> text is being typed directly to the extension, and that other javascript
> running on the same page can't intercept the keystrokes.
> 
>    - Ian

I start to write a firefox add-on of this kind some time ago [0] [1]. I
used jsctypes to use the C libotr from firefox. I hook facebook DOM and
insert an iframe inside (content, plaintext and keystrokes should be
protected by js same origin policy).

I also planned to insert even a custom image (always stored in the
client pc) so that website (or someone tampering connection) can't
"mimic" the add-on iframe.

The major problem is that the DOMs of facebook and gmail are always
changing and is very difficult to adapt the add-on every time (firegpg
had the same problem).Even gmail js is very difficult to understand (at
least for me). My add-on isn't complete but can be a start point for
libotr jsctype mapping that is almost finished.


Garulf

[0] http://gitorious.org/fireotr
[1] http://lists.cypherpunks.ca/pipermail/otr-dev/2011-June/001183.html