Native Messaging: How to check Native App C++ by Javascript?

[Tuấn Trần]

Hi,

I have an application in windows using Native Messaging technology! According to the article: https://developer.chrome.com/extensions/nativeMessaging#native-messaging-client=> My app have 2 part: 1 Extensions and 1 Native App written C++. 

My problem is: 

- My NativeApp only accept specifies in manifest file  => So, I can ensure exactly what's Extension can communicate with Native App. => It's ỌK!

- BUT Extension does not know exactly Native App that it's communicating! I mean because Extension find Native App through registry key => attacker can change this registry and point to attacker's Native App => Extension will connect with attacker's Native App 

=> So, Is there way Extension or Javascript can check Native App is fake?

=> OR, How to Extension specifies exactly Native App that can communication with Extension?

Thanks!

[Antony Sargent]

If the attacker can modify the registry, they can probably also modify your native binary on disk and/or the chrome binary itself, so I personally would not worry about this too much. 

However, if your threat model really somehow includes registry access but not being able to read/modify your native binary or chrome's, I suppose you could do something like have a public/private keypair where the native app binary has a copy of the private key and the extension has a copy of the public key, and at the beginning of your communication protocol the extension issues a challenge to the native binary to sign something with its private key. 

--
You received this message because you are subscribed to the Google Groups "Chromium-Extensions-Announce" group.
To unsubscribe from this group and stop receiving emails from it, send an email to chromium-extens...@chromium.org.
To post to this group, send email to chromium-...@chromium.org.
Visit this group at https://groups.google.com/a/chromium.org/group/chromium-extensions/.
To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/chromium-extensions/235bb202-f110-4b92-a744-523c4863a795%40chromium.org.
For more options, visit https://groups.google.com/a/chromium.org/d/optout.