How secure is the communication between Extension and Nativehostclient?


Vikas Pushkar

Jun 21, 2016, 4:48:01 AM
to Chromium-Extensions-Announce
I am using a Chrome extension which talks to NativeClient through stdio. I am worried that this stdio communication could be hacked or used by some malicious user.
Could someone comment on it, please?

Antony Sargent

Jun 21, 2016, 3:46:42 PM
to Vikas Pushkar, Chromium-Extensions-Announce
Are you referring to chrome extensions native messaging? (https://developer.chrome.com/extensions/nativeMessaging)


The names are confusingly similar, but the technologies are completely different. 





Vikas Pushkar

Jun 21, 2016, 11:24:28 PM
to Antony Sargent, Chromium-Extensions-Announce

Native messaging

Antony Sargent

Jun 22, 2016, 1:54:31 PM
to Vikas Pushkar, Chromium-Extensions-Announce
Ok, in that case the communication channel between your extension and the native messaging host should be as secure as any two processes communicating on your local machine where one forks the other and writes into the file descriptor for its stdin and reads from the file descriptor for its stdout. In other words, it should be reasonably secure against other user accounts on the OS but not against native binary malware running as the same user account (or higher privileged account such as administrator/root). 



Vikas Pushkar

Jun 23, 2016, 1:30:52 AM
to Antony Sargent, Chromium-Extensions-Announce

Exactly, it's an IPC using a named pipe, right? I think it should be secure from the web side; anyone who has access to the system with higher or equal privileges can hack it, but I think a malicious user through the Internet should not be able to hack it. Fingers crossed.
Back me up with more data, if you could.
Thanks for the reply.

Antony Sargent

Jun 23, 2016, 8:46:04 AM
to Vikas Pushkar, Chromium-Extensions-Announce

Back me up with more data, if you could.

About all I think I can offer is a pointer to the source code where this is implemented in chrome. You'd want to look at the files named native*.{h,cc} in chrome/browser/extensions/api/messaging here:


The most interesting classes are probably NativeProcessLauncher, NativeMessageProcessHost, and NativeMessagePort. 
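An added example, not part of the thread and not Chrome's code: a minimal native messaging host that treats its stdin as untrusted input, in line with the trust boundary described above. It assumes the framing and the caller-origin argument from Chrome's native messaging documentation (a 32-bit native-byte-order length before each UTF-8 JSON message, origin passed as the first argument); the function names, the placeholder extension ID and the 1 MiB inbound cap are this example's own choices.

```python
import io
import json
import struct

# Constructed placeholder ID; a real host would list its own extension's origin.
ALLOWED_ORIGIN = "chrome-extension://abcdefghijklmnopabcdefghijklmnop/"
MAX_MESSAGE = 1024 * 1024  # inbound size cap chosen for this example

def read_message(stream):
    """Read one frame: 4-byte native-order length, then that many bytes of UTF-8 JSON."""
    header = stream.read(4)
    if not header:
        return None  # clean EOF: the parent closed our stdin
    if len(header) != 4:
        raise ValueError("truncated length header")
    (length,) = struct.unpack("=I", header)
    if length > MAX_MESSAGE:
        raise ValueError("declared length exceeds cap")
    body = stream.read(length)
    if len(body) != length:
        raise ValueError("truncated message body")
    return json.loads(body.decode("utf-8"))

def write_message(stream, obj):
    body = json.dumps(obj).encode("utf-8")
    stream.write(struct.pack("=I", len(body)) + body)
    stream.flush()

def run_host(argv, stdin, stdout):
    """Serve frames from stdin to stdout and return an exit code.

    argv[1] is the caller origin handed over by whoever launches the host.
    Checking it tells allowed extensions apart from other extensions, but a
    process running as the same user can start the host with the same
    argument, so it does not authenticate the peer.
    """
    if len(argv) < 2 or argv[1] != ALLOWED_ORIGIN:
        return 1
    try:
        while (msg := read_message(stdin)) is not None:
            write_message(stdout, {"ok": True, "echo": msg})
    except ValueError:  # bad framing, bad UTF-8 or bad JSON
        return 2
    return 0

if __name__ == "__main__":
    # Constructed input standing in for the pipe the browser writes to.
    inbound, outbound = io.BytesIO(), io.BytesIO()
    write_message(inbound, {"cmd": "ping"})
    inbound.seek(0)
    print(run_host(["host", ALLOWED_ORIGIN], inbound, outbound), outbound.getvalue())
```

In a deployed host the streams would be `sys.stdin.buffer` and `sys.stdout.buffer`, and anything the host does on behalf of a message should be limited to what any same-user process may already do.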