Hello there, I am starting a new blog where I will share interesting things I have learned or discovered. My experience covers the end-to-end story of serving applications on the web. I expect my articles to focus on web request processing, application security, and cryptography.
A quick interactive demo
Some of these posts will include interactive scripts too! All the while, this site is secured with CSP. For example, check out this password, generated at runtime: |@=Ic]GNO]Pu
You can even
If you inspect the page and the request, the JavaScript is secured with an integrity check that looks like integrity="sha256-kpkugwzFBi0GptFAEIHR92bmQ42Euvn0X1D1Sn/UqP8=". This hash is included both in the HTML and in the CSP header.
CSP is ineffective against extensions
While I just mentioned that this site is secured with CSP, it turns out that extensions can break these rules. For example, a Chrome extension like Violentmonkey can run a script on this page. It does not have to inject a script tag into the HTML at all. It just runs!
This can be used for good. 1Password tampers with navigator.credentials.get to add its own passkeys implementation; see Passkeys: the future of authentication in 1Password.
navigator.credentials.create = t => (
    null == t || delete t.signal,                    // drop the AbortSignal, which postMessage cannot clone
    window.postMessage({
        name: "create-credential",
        data: JSON.stringify(t, ((e, t) => n(t)))    // `n` is a serializer defined elsewhere in the bundle
    }, "*"),
    new Promise((t => e = t))                        // resolver kept in an outer variable, presumably settled by a message listener
),
navigator.credentials.get = e => (
    null == e || delete e.signal,
    window.postMessage({
        name: "get-credential",
        data: JSON.stringify(e, ((e, t) => n(t)))
    }, "*"),
    new Promise((e => t = e))
)
From ./inline/injected/webauthn-listeners.js
And it can be used for bad. In Matt's Encrypting Data in the Browser Using WebAuthn, he demonstrates the new pseudo-random function (prf) extension in WebAuthn. The key material stored in first (a poor name in my opinion) may be intercepted by a browser extension with a man-in-the-middle attack. One recommendation is "Please use incognito". Except incognito can have extensions too. Lastly, a user story that begins with "Please effectively log out" is not a great one.
It would be great if browsers had an official authenticator registration capability and then locked down all modification of navigator.credentials. My guess is this will not happen. The surface area is just so small. Yet, so are a lot of things in security.
So yeah, look forward to a few things here and there. Maybe I'll add a small capture the flag in one of my next articles.
Oh, and I have RSS now.