How to check the authenticity of a Chrome extension?

前端 未结 2 1761
孤城傲影
孤城傲影 2021-01-08 00:38

The Context:

  • You have a web server which has to provide an exclusive content only if your client has your specific Chrome extension installed.
  • You h
相关标签:
2条回答
  • 2021-01-08 00:55

    I'm sorry to say but this problem as posed by you is in essence unsolvable because of one simple problem: You can't trust the client. And since the client can see the code then you can't solve the problem.

    Any information coming from the client side can be replicated by other means. It is essentially the same problem as trying to prove that when a user logs into their account it is actually the user not somebody else who found out or was given their username and password.

    The internet security models are built around 2 parties trying to communicate without a third party being able to imitate one, modify or listen the conversation. Without hiding the source code of the extension the client becomes indistinguishable from the third party (A file among copies - no way to determine which is which).

    If the source code is hidden it becomes a whole other story. Now the user or malicious party doesn't have access to the secrets the real client knows and all the regular security models apply. However it is doubtful that Chrome will allow hidden source code in extensions, because it would produce other security issues.

    Some source code can be hidden using NPAPI Plugins as you stated, but it comes with a price as you already know.


    Coming back to the current state of things:

    Now it becomes a question of what is meant by interaction.

    If interaction means that while the user is on the page you want to know if it is your extension or some other then the closest you can get is to list your page in the extensions manifest under app section as documented here

    This will allow you to ask on the page if the app is installed by using

        chrome.app.isInstalled
    

    This will return boolean showing wether your app is installed or not. The command is documented here

    However this does not really solve the problem, since the extension may be installed, but not enabled and there is another extension mocking the communication with your site.

    Furthermore the validation is on the client side so any function that uses that validation can be overwritten to ignore the result of this variable.

    If however the interaction means making XMLHttpRequests then you are out of luck. Can't be done using current methods because of the visibility of source code as discussed above.

    However if it is limiting your sites usability to authorized entities I suggest using regular means of authentication: having the user log in will allow you to create a session. This session will be propagated to all requests made by the extension so you are down to regular client log in trust issues like account sharing etc. These can of course be managed by making the user log in say via their Google account, which most are reluctant to share and further mitigated by blocking accounts that seem to be misused.

    0 讨论(0)
  • 2021-01-08 01:07

    I would suggest to do something similar to what Git utilises(have a look at http://git-scm.com/book/en/Git-Internals-Git-Objects to understand how git implements it), i.e.

    Creating SHA1 values of the content of every file in your chrome-extension and then re-create another SHA1 value of the concatenated SHA1 values obtained earlier.

    In this way, you can share the SHA1 value with your server and authenticate your extension, as the SHA1 value will change just in case any person, changes any of your file.

    Explaining it in more detail with some pseudo code:

    function get_authentication_key(){
    
        var files = get_all_files_in_extension,
            concatenated_sha_values = '',
            authentication_key;
    
        for(file in files){
            concatenated_sha_values += Digest::SHA1.hexdigest(get_file_content(file));
        }
    
        $.ajax({
      url: 'http://example.com/getauthkey',
      type: 'post'
      async: false,
      success:function(data){
             authentication_key = data;
      }
        })
    
        //You may return either SHA value of concatenated values or return the concatenated SHA values
        return authentication_key;  
    }
    
    // Server side code
    get('/getauthkey') do
        // One can apply several type of encryption algos on the string passed, to make it unbreakable
    authentication_key = Digest::<encryption>.hexdigest($_GET['string']);
    return authentication_key;
    end
    

    This method allows you to check if any kind of file has been changed maybe an image file or a video file or any other file. Would be glad to know if this thing can be broken as well.

    0 讨论(0)
提交回复
热议问题