<whitequark>
wpwrak: (origin of browser plugin) browser plugins generally can request access to everything
<whitequark>
many do, like adblocker
xiangfu has quit [Ping timeout: 250 seconds]
xiangfu has joined #qi-hardware
rodgort has quit [K-Lined]
rodgort has joined #qi-hardware
xiangfu has quit [Ping timeout: 244 seconds]
xiangfu has joined #qi-hardware
sandeepkr has joined #qi-hardware
archang has joined #qi-hardware
unclouded has quit [Quit: Leaving]
wpwrak has quit [Ping timeout: 265 seconds]
unclouded has joined #qi-hardware
unclouded has quit [Read error: No route to host]
fengling has quit [Ping timeout: 245 seconds]
fengling has joined #qi-hardware
sandeepkr has quit [Ping timeout: 264 seconds]
fengling has quit [Ping timeout: 245 seconds]
fengling has joined #qi-hardware
pcercuei has joined #qi-hardware
sandeepkr has joined #qi-hardware
sandeepkr has quit [Excess Flood]
sandeepkr has joined #qi-hardware
fengling has quit [Ping timeout: 245 seconds]
jwhitmore has joined #qi-hardware
fengling has joined #qi-hardware
sandeepkr has quit [Ping timeout: 268 seconds]
atommann has quit [Quit: Leaving]
sandeepkr has joined #qi-hardware
archang has quit [Remote host closed the connection]
wpwrak has joined #qi-hardware
jwhitmore has quit [Ping timeout: 250 seconds]
jwhitmore has joined #qi-hardware
<wpwrak>
whitequark: hmm yes, plugins could do anything. but would it be easy for them to use such a WebUSB mechanism ? i.e., do interfaces exists for a plugin to a) run JS while b) passing or bypassing the origin test ?
<whitequark>
that has nothing to do with webusb
<whitequark>
I mean... a plugin can request webusb, a webpage cannot
<whitequark>
wait
<whitequark>
"run JS while"
<whitequark>
a plugin IS in javascript, in every major browser
<whitequark>
and webusb is a javascript binding to libusb essentially
<whitequark>
I don't mean plugins in the sense of arbitrary binary code, that's practically impossible to run in modern browsers and for a good reason
<wpwrak>
(plugin is js) oh, i thought they were native code
<wpwrak>
<-- web tech noob here :)
<whitequark>
errr
* whitequark
looks back
<whitequark>
seems I first called it an "browser extension" which is more correct / what people usually say
<whitequark>
and then DocScrutinizer05 called it a plugin
<wpwrak>
so it wouldn't be possible to make a plugin that intercepts login dialogs and then uses HIDAPI (to avoid the need for a dedicated driver on platforms where that's a problem) to talk to anelok ?
<whitequark>
you're right, the proper name for the thing in JS is an "extension" and a "plugin" is something like flash that's in native code
<whitequark>
and you don't want to ship native code
<wpwrak>
(terminology) perfect ;-)
<whitequark>
anyway, from what i know about webusb is it's libusb
<whitequark>
so you don't even need HID. but I don't know what chrome does on windows about it
<wpwrak>
looks like libusb + bureaucracy
<whitequark>
bureaucracy?
<wpwrak>
the procedure to be allowed to access webusb
<wpwrak>
some more usb descriptors, etc.
<DocScrutinizer05>
sorry, no clue at all here. I use names based on what sounds right to me in this case
<whitequark>
ah, yeah
<whitequark>
speaking of login dialogs, you cannot readily determine what is a "login dialog"
<DocScrutinizer05>
and I never before heard WebUSB
<whitequark>
I would instead add a context menu option "fill in username" "fill in password" since you know the URL
<wpwrak>
plugin + hidapi (or whatever) would still be the way to do until webusb is widely available, right ?
<whitequark>
no
<whitequark>
shipping plugins is a security risk
<DocScrutinizer05>
wait! I have a weird idea since 3.5s
<wpwrak>
(determine) how does the browser do it ? there must be some hints / heuristics
<DocScrutinizer05>
print page to USB printer...
<whitequark>
everyone who is not completely incompetent about infosec is going to dissuade anyone they know from ever installing any plugins
<wpwrak>
so you're saying there is no way without webusb ?
<whitequark>
native app
<whitequark>
(that cannot be poked by a malicious webpage and used to get access to the user's machine)
<wpwrak>
how would a native application intercept login dialogs ?
<DocScrutinizer05>
should work on every brwoser and OS, no?
<whitequark>
why are you talking about "login dialogs"? there are no dialogs
<whitequark>
and it wouldn't
<DocScrutinizer05>
no plugins or anything needed
<whitequark>
it would just make filling forms easier
<wpwrak>
whitequark: i mean pages that contain a login with a password field. however it's implemented.
<whitequark>
wpwrak: it's not implemented in any standardized way
<wpwrak>
DocScrutinizer05: universality would be nice. but may not be within easy reach at the moment.
<whitequark>
DocScrutinizer05: you got some postscript. what now?
<whitequark>
are you going to run OCR on anelok? doubt it
<DocScrutinizer05>
grep for key strings
<whitequark>
there are no strings
<DocScrutinizer05>
(postscript) depends on printer
<whitequark>
depends on the browser
<DocScrutinizer05>
eeew
<whitequark>
and no browsers send raw text
<DocScrutinizer05>
ok nevermind
<wpwrak>
whitequark: i guess one could use a) the heuristics browsers use for this, and b) maybe add an explicit hint that web sites can use. worst-case, call it anelok-* ;-)
<whitequark>
they just take the internal vector model of the page content and send it there
<DocScrutinizer05>
actually it's irrelevant what it sends as long as it has unique fingerprint
<whitequark>
wpwrak: yes, heuristics is what everything uses
<whitequark>
DocScrutinizer05: it sends vector graphics that has literally none of the information you want
<wpwrak>
if it's good enough for google, it shall be good enough for me ;-) so, how to intercept at the level of those heuristics ?
<whitequark>
no text, no info on what the text field is, no explanation of how to navigate into the field
<DocScrutinizer05>
afk
<whitequark>
and there's still the keyboard layout issue
<whitequark>
wpwrak: you can't
<whitequark>
reimplement them yourself
<whitequark>
you get to inject arbitrary JS into the page + a few privileged APIs
<whitequark>
that's it
<wpwrak>
DocScrutinizer05: (fancy and impractical ways to get at page content) pretend to be USB storage and save the html page on that device (-:C
<wpwrak>
whitequark: reimplementing heuristics sound okay. so the apis / mechanisms for doing all this exist. good. that's what i wasn't sure about.
<wpwrak>
now ... how to go from there to talking to anelok ? i would equate "plugin" to "native app" for most purposes, including access to libusb / hidapi / etc. the big exception would be that one has an intrinsic link into the browser while i don't know how the other would talk to our login-interceptor.js
<whitequark>
you aren't shipping a browser plugin
<whitequark>
you're shipping an extension. scrap a page, look for username/password fields in forms, show button in the browser UI. when pressed, send URL to anelok, get back password, fill in ?
<wpwrak>
are they really that reviled ? or is that just your personal opinion ? :)
<whitequark>
they are the single worst offender in web security by a very large margin
<wpwrak>
using what mechanism do i send the URL to anelok ? i.e., how do i get data from the extension (login-interceptor.js) to the usb-attached anelok device ?
<whitequark>
webusb.
<wpwrak>
and if webusb isn't available ?
<whitequark>
then there is no convenient option
<wpwrak>
so, plugin after all, it seems. and webusb as plan A for those who have it.
<whitequark>
that's a moronic strategy. exposing users to a security risk in a security-related device
<whitequark>
though not uncommon in the industry
<whitequark>
on second thought, it doesn't matter, because you can't do that
<wpwrak>
most of the issues of plugins seem to come from them just doing bad things. but a native application would have similar issues. you seem to have said that it was easy for a bad web page to also manipulate the code of a plugin ?
<whitequark>
on windows, plugins are run as "low integrity processes", and on linux they run in a seccomp-bpf sandbox
<whitequark>
essentially
<whitequark>
drive-by malvertising is a very common problem
<whitequark>
you use an ad network to distribute a link to a malware exploit kit. exploit loads plugin, feeds it bad input, escapes from sandbox
<whitequark>
note that NPAPI (the un-sandboxed API for plugins) was completely removed from Chrome and it's click-to-play in Firefox
<whitequark>
"September 2015
<whitequark>
In September 2015 (Chrome 45) we will remove the override and NPAPI support will be permanently removed from Chrome. Installed extensions that require NPAPI plugins will no longer be able to load those plugins."
<roh>
i am not sure why anybody sane should allow a browser hw access that way
<wpwrak>
that looks more similar to webusb though. but still without the origins and stuff
<whitequark>
wpwrak: well, yes, you don't care about origins when you're in an extension
<wpwrak>
roh: the high-level objective is to let your browser look up accounts on anelok when you're about to perform a login. how would you implement it then, without the things we discussed ?
<roh>
wpwrak: then you need an api and some driver layer inbetween.
<wpwrak>
whitequark: ah, that sounds encouraging :)
<whitequark>
wpwrak: on second look I think you're right, chrome.usb is not webusb and I was incorrectly referring to it as such
<whitequark>
I assumed chrome.usb was just webusb exposed to plugins
<roh>
a browser should never have any hw access.. just run it as root if you allow it to access usb.
<roh>
i mean.. it could write to your harddisk then anyhow. so why bother sandboxing anyhing
<whitequark>
wpwrak: that's actually good news for you, I guess
<roh>
i understand what the idea is. and no. one cannot do that properly and secured in a broswer-plugin only.
<roh>
wpwrak: check out how the crypto/account stuff works on browsers and connect that to anelok. so anelok is a crypto-provider for the browser
<whitequark>
roh: no such API to do that
<whitequark>
(which is rather unfortunate, yes)
<roh>
whitequark: huh? how does smartcard stuff work then?
<whitequark>
roh: via a plugin :(
<roh>
whitequark: an it does. ive seen people use it.
<wpwrak>
plugins for the win ! :)
<roh>
no. no 'plugins' in the classic way. it was something native
<whitequark>
and you're lucky if the plugin is not activex
<roh>
whitequark: it worked for every password field and also provided ssl keys
<whitequark>
hm
<wpwrak>
but look at the bright side: if anelok needs to use a particularly dirty mechanism to get its stuff done, that may provide motivation for getting a proper interface from the browser
<roh>
i know who to ask. will do that
<roh>
anyhow.. such a thing is not easy to configure and needs nonstandard software. would not be plugnplay at all
<whitequark>
I've specifically checked just now and both chrome and firefox use a plugin
<roh>
whitequark: i think it was called 'certificate provider'
<whitequark>
or rather, various plugins from various smartcard vendors
<roh>
and its really ugly
<whitequark>
ok I see, yes, they do support this via NSS (on linux) and some windows mechanism
<whitequark>
so that would provide you PKCS#11 capability
<whitequark>
but filling password field means there was /also/ a browser plugin
<whitequark>
the main reason is that some people will deploy shitty plugins that eat tons of CPU and then the people who have to use that complain that Android gets no battery life
<whitequark>
on my galaxy s ii i've installed the flash plugin while that was still possible. actually opening a flash thing caused my phone to become so hot I could not hold it in my hands
<wpwrak>
;-)))
<pcercuei>
why would any sane person do that? :o
<whitequark>
some video player required it, I think
<whitequark>
but I uninstalled it pretty much immediately after, it was completely unusable
<wpwrak>
whitequark: that adobe experience was probably a warning: "you're about to make a pact with the devil. here is a quick demo of what to expect. sure to proceed anyway ?"
<whitequark>
the likely reason for that is when chrome adds extension... the first extension someone implements is an adblocker
<whitequark>
you may want to look into how lastpass on android works
<wpwrak>
apparently 4.3 did something to make it easier
woakas has quit [Ping timeout: 246 seconds]
<whitequark>
ah, 4.3 added exactly an API for autofilling credentials
<whitequark>
hm, looking closer, it appears to be abusing accessibility APIs
<whitequark>
for screen readers and such
<whitequark>
well, close enough
<whitequark>
and LastPass for iOS works by embedding a browser in itself, which it can control, and which shares the cookie storage with the system browser
<whitequark>
that's actually better than I expected
<whitequark>
you'll still have to shell out $100 yearly and go through apple's ridiculous appstore review process
<wpwrak>
(accessibility) do you have a link ?
<whitequark>
your link exactly
<wpwrak>
oh :)
pcercuei has quit [Ping timeout: 240 seconds]
arossdotme-planb has quit [Ping timeout: 256 seconds]
pcercuei has joined #qi-hardware
arossdotme-planb has joined #qi-hardware
woakas has joined #qi-hardware
wildlander has joined #qi-hardware
dandon has quit [Ping timeout: 264 seconds]
dandon has joined #qi-hardware
arossdotme-planb has quit [Ping timeout: 256 seconds]
arossdotme-planb has joined #qi-hardware
jwhitmore has quit [Ping timeout: 244 seconds]
pcercuei has quit [Ping timeout: 240 seconds]
Luke-Jr has quit [Read error: Connection reset by peer]