Chromium/Chrome Extension?

[mic...@yanovich.net]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Hello everyone,

I know at one time there was a Perspectives Chrome/Chromium extension that was
available on the Google Play Store a while back. It seems to be removed now,
because if I remember correctly it didn't work because Chrome/Chromium didn't
expose the SSL certificate information to their extension sandbox.

I was wondering, if there has been any progress on getting a Chrome/Chromium
extension to work? and if there might be a way around the obvious roadblock to
possible accomplish this?


This extension is the primary reason I still use Firefox, and while I love
Firefox, their plugin support for HTML5 and Flash videos are abysmal compared
to Chrome's.

Thank you.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

iQIcBAEBCgAGBQJVErs3AAoJEKBpQL3CDq4dVv0P/1UwvpicIQV7QdKiBcTqTaT/
h3/wT+eQ7q24vA3M6ROTJJ64JoYW1j2o2RmkgpRbWEJBJ4ZvMPYP/zqAHH56eAA7
hKglunMz1/C6DWGQKZTb8bcDknbz9TlgwhFuVad9MzzfKDv29FWdZMRmjJeXL+MJ
JCLWrGWPqqp7SHb9uaZCqnNoFraVi1bSPfRP1/X1T7stePDh+A2JX4Z/TGQ0MmMU
/SYEcKi66AkGFoeiK/yCK7BObJVpG3o1Xl//F/5YhYBejbyn5Ovtbc76czrsCocu
gmK5Uv0pZqpwLvjfiHdv6+0EdR77zxaQJhudK8QxUWGHd6OAmfbosfrap/Q/chBj
LCLBoyghDL++pH0tiZe6jMGdKxZ/XGwUkPzqtUBl7my0T+OAB5U1XHJAPndM1B27
3Vc5X3Nw/Yh7PSBghrGDPnw1t6w+4dkurnZHYoHNlUPwDOw0XMatK+fuZsMte/NL
JiGDN1iZN+0rZt9aTV+bewhkgSVqqioFYi5nEGdXGkrZ0Za07oBMXsqkFNUq2+BC
PqPN0djKVSUuLexpDj8XJ9sS05WDd1sKy9Z+RxPocMq59k7l/wX/jvAOXiz8m/DQ
nMRYVuNgt1lyfK/KDtAsjpa/zfQUuF54OJ8nbmTaoMP1im1lXHlJl620Vm+kjaPb
4wRk+g9fuylc501Mou6w
=+1YU
-----END PGP SIGNATURE-----

[Von Welch]

Here's the issue capturing the request to the Chrome team: https://code.google.com/p/chromium/issues/detail?id=49469

It has been marked as "Won't Fix."

Von

--
You received this message because you are subscribed to the Google Groups "perspectives-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email to perspectives-dev+unsubscribe@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

[mic...@yanovich.net]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

On 03/25/2015 11:26 AM, Von Welch wrote:
> Here's the issue capturing the request to the Chrome team:
> https://code.google.com/p/chromium/issues/detail?id=49469
>
> It has been marked as "Won't Fix."
>
> Von

Aww, I didn't realize the problem was left as "Won't Fix." :-(

Thank you.


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

iQIcBAEBCgAGBQJVEtTBAAoJEKBpQL3CDq4dREkQAK7Gq6kmhyNWiDBsLeBFi9T+
f7pyZ/gFpAXvHEe++MhQ+FFbdUcwGvpgskn8wZ1gD2e+hFRWEvGh/lpxbVYCDT4Q
ehKjUXCu4U+nluK9irJP6M1RBETfPa7JAv2DmZ8RoQPPb7V1qdAmSRtKc79iN/u6
db7SnDIpCvlzhKbyHA6YeKJTsiLqyFtAJkKbDjcuc+u71L80X1GcZQrPaSXRapIi
7xS5DcP8jFctx6oLlgXxqvtRBsZfvPYWeCEvz1FDlMksd26d/2ih9BQWcj03X98d
fQ47B5r9eJO8qzpgJ+di3NkgjZSDUJE0LQfvJUlgArgQbr+bxav8ArqTRY3J9Ci7
0L2D5xahmlJi7zfUYVdHJx0IIgrwsrPG2iSfcWNevOdxJ2CvKf36tkrDLkjL8gaj
ZWLK7+Luzwq31NDhA+uaRBqaXwDVhSuVV++MXAGi4n9x/3ZLSST9VWfnwMoVuEHP
OQDno1xz06rRH+QtnXciUt88HEb0/6UHubaKjVAYa1dvFAE/A95GDuTRDSqlLP2H
mPDx/lqPStnlFbdzCqvYKlcU6RlilIHv7xlZjIeUiAO909IUWTWrqHkaPALiEqCQ
/FySQifMxLqKi0NjRPXzIgQ0MKVvZh5Z3Ed74PgyauczdXXt5uJwM8roXQOhCnTJ
e+TEJ3fcdIN98RQk0nDW
=KVnl
-----END PGP SIGNATURE-----

[Dave Schaefer]

Hi Michael, thanks for reaching out

>This extension is the primary reason I still use Firefox

Wow, thanks. I am very flattered :) I will do my best to continue to make it worthy of your support.

>I was wondering, if there has been any progress on getting a Chrome/Chromium
extension to work?

Expanding the existing Firefox extension to also work inside Chrome requires several steps to generalize and extract browser-specific code and resources. Some of those steps are documentid in this ticket - https://github.com/danwent/Perspectives/issues/75

However, even if all of that work were completed tomorrow, there is still the blocking issue that AFAIK there is no way for any Chrome extension to retrieve information about certificates for a browser connection. Von's link is correct - this was the tracking issue and it has unfortunately been recently marked as "Won't Fix".


I am hopeful about Ryan Sleevi's comment on bug 107793[1] where he says "I don't deny there is interest in observing the certificate data passively ... I'm just deeply concerned about the code complexity cost here, which increases the opportunity for both performance and security bugs". That is certainly a valid concern. However, closing all of the current bugs tracking the idea does give the impression that it is not currently being considered.

Perhaps it will take a deep dive into understanding Chrome's network API to fully spec this out? I don't currently know enough about Chrome's networking to write that code, but it's definitely something I would be interested in investigating once Perspectives is in better shape.

Don't worry - if and when we are able to port Perspectives to Chrome we will definitely be shouting from the rooftops! :)



[1] https://code.google.com/p/chromium/issues/detail?id=107793#c20

[Doc Flay]

I can see their point, but as most users install extensions from the google catalogue they are supposed to check and maintain, they can disallow extensions that do not pass their tests.

A reason I don't trust Chrome is because it means trusting only google to get things right with certificates.

I have been testing Vivaldi browser since before public releases, and even once it is finished, things like this are actually more likely to make me not use it as a main browser.

It also limits the functionality of other useful SSL related extensions such as Calomel and HTTPS Everywhere, which can both override FF settings (big reason why they are useful), and probably why Calomel has not been ported.

Possibly I have a suggestion worth looking at.

I wonder if Perspectives can be built into the browser so it becomes a known factor for the devs ?

Vivaldi are still at Alpha stage, and are trying to make a browser aimed at the geeks and power users

If it can be grafted in and shown to be a valuable asset, maybe the Chrome devs will think again (probably not).

To compliment Perspectives I have already posted my suggestion in their forum, that the new browser have a similar ability with DNS lookups, as DNS poisoning is usually difficult to spot.

I suggested that their new browser be able to use multiple DNS and specifically DNSSEC, thus bypassing the ISPs DNS with known trusted servers (I do this anyway).

Similar Low/Med/High security profiles could be used like Perspectives, based on exactly the same idea of agreement, but again it would work well to have it all as core code.

I could try asking one of the devs if they could look at integrating Perspectives (and if it is possible anyway).

What do you think ?

[Dave Schaefer]

Hi Doc, sorry for the very late reply on this. Thanks for your
interest in the project!

I am not sure if browsers want something like Perspectives to be
included by default, but I appreciate you raising the question on our
behalf! Currently I would have several privacy and security concerns
about including Perspectives code as-is. I believe we need to make
sure Perspectives has the option of always using https for all client
traffic, and we need to upgrade from MD5 hash fingerprints to SHA256
(or SHA512). Having more client caching so that people can re-use
notary data without having to send another query would be very useful
too.

I have documented a plan for many of these fixes on the Perspectives
Roadmap wiki page[1] and will continue to work toward implementing
them. Perhaps by the time these fixes are in place we'll have figured
out a solution for porting Perspectives to browsers like Chrome.

Hope that helps!


[1] https://github.com/danwent/Perspectives/wiki/Perspectives-Roadmap

[Doc Flay]

My pleasure entirely to use your fine addon.

Well it turns out I may have been somewhat prophetic.

Happily it seems Avira were thinking the same as me regarding the use of certain security extensions and APIs as part of a default browser.

They invited me to beta test their new chrome-plated baby, and for an "out of the box" secure experience, I have been pleasantly surprised.

It comes with HTTPS everywhere, and their own anti-tracking and URL protection with the Avira Browser Security extension.

I have been informed they intend to integrate Privacy Badger and their sandbox next.

They want the web browser to become the fingers of the security machine, reporting every threat and exploit it sees, without the user having to be geeky enough to recognise threats that need reporting.

AV will block threats they recognise locally, but do not tend to automatically report the source. You normally get blocked at source because the URL is already known.

This will add an extra layer to any AV as it is all done in the browser and remotely.

Perspectives and HTTPS Everywhere both use the normal browsing activity of a user as their workforce.

Between Avira browser and Perspectives, they would generate a very useful cross-referable data pool, created with the modern power of crowd-sourcing.

Note: These default Avira extensions are not visible in the extensions list, so users cannot remove them.

Now the big revelation came due to my direction/content of my posts.

To do this properly, the browser is going to be open source.

I guess it has to be that way or there is no way users could trust that the extensions were correct and the browser does what is says it will.

So it seems there may well be space in a security focused browser for your project to become a standard, and that you can verify it's integrity.

Importantly as the source would be available, it may be easier to bypass Googles lockdown of the security system ;)

And yes, I have already discussed the value of Perspectives over in the Avira beta site.

I'm not sure I explained it well, as they referred me to the HTTPS Everywhere extension being their certificate validation system.

To me they overlap complement each other as they show different problems.

HTTPS Everywhere would not necessarily spot a man in the middle with a "valid" cert, whereas Perspectives shows "One of these things is not like the other" (and in a very clear way).

Perhaps once they release the first public code, and you can see if it will help you overcome Googles limitations with the regular build, you may be able to put Chrome in your to-do list.

Until something changes I understand there is not a lot you can do about it