[OTR-dev] Is there security risks on developing OTR addons for web browsers ?
Ian Goldberg
ian at cypherpunks.ca
Wed Sep 25 21:07:37 EDT 2013
On Wed, Sep 25, 2013 at 10:15:29PM +0100, Mohamed Akram Tabka wrote:
> Hi all,
> I'm thinking about developping an OTR addon for handling OTR
> discussions on web browsers. Is it really secure ?
> Does really browser extensions for crypto operations pose threats to
> users security?
>
> If it is not recommended to develop crypto addons for browsers please
> tell me.
>
> All bests,
> A.
One of the trickiest bits is in ensuring that when the user types
plaintext, it goes *straight* into the plugin, and no (for example)
Javascript on a web page can intercept that plaintext.
Here's an example of the problem:
https://tails.boum.org/doc/encryption_and_privacy/FireGPG_susceptible_to_devastating_attacks/
So at the very least, the plugin would have to have chrome (a specially
decorated type of input window, perhaps?) that is unforgeable by web
content.
- Ian
More information about the OTR-dev
mailing list