[OTR-dev] Are there security risks in developing OTR addons for web browsers?

Ian Goldberg ian at cypherpunks.ca
Wed Sep 25 21:07:37 EDT 2013


On Wed, Sep 25, 2013 at 10:15:29PM +0100, Mohamed Akram Tabka wrote:
> Hi all,
> I'm thinking about developing an OTR addon for handling OTR
> discussions on web browsers. Is it really secure?
> Do browser extensions for crypto operations really pose threats to
> users' security?
> 
> If it is not recommended to develop crypto addons for browsers please
> tell me.
> 
> All the best,
> A.

One of the trickiest bits is in ensuring that when the user types
plaintext, it goes *straight* into the plugin, and no (for example)
JavaScript on a web page can intercept that plaintext.

Here's an example of the problem:
https://tails.boum.org/doc/encryption_and_privacy/FireGPG_susceptible_to_devastating_attacks/

So at the very least, the plugin would have to have chrome (a specially
decorated type of input window, perhaps?) that is unforgeable by web
content.

   - Ian


