New Personal Blog

Hello there, I am starting a new blog where I will share interesting things I learned or discovered. My experience covers the end-to-end story of serving applications on the web. I expect my articles will focus on web request processing, application security, and cryptography.

A quick interactive demo

Some of these posts will include interactive scripts too! All the while, this site is secured with CSP. For example, check out this password, generated at runtime: |@=Ic]GNO]Pu You can even

If you inspect the page and the request, the JavaScript is secured with an integrity check that looks like integrity="sha256-kpkugwzFBi0GptFAEIHR92bmQ42Euvn0X1D1Sn/UqP8=". This hash is included both in the HTML and in the CSP header.

CSP is ineffective against extensions

While I just mentioned that this site is secured with CSP, it turns out that extensions can break these rules. For example, a Chrome extension like Violentmonkey can run a script on this page. It does not have to inject a script tag into the HTML at all. It just runs!

This can be used for good. 1Password tampers with navigator.credentials.get to add its own passkeys implementation; see Passkeys: the future of authentication in 1Password.

// Both methods are assigned directly on the navigator.credentials instance,
// which shadows the native CredentialsContainer.prototype methods. The JSON
// replacer `n` and the outer `e`/`t` that capture each promise's resolve
// function are defined elsewhere in the file and are not part of this excerpt.
navigator.credentials.create = t =>
  (null == t || delete t.signal,
    window.postMessage({
      name: "create-credential",
      data: JSON.stringify(t, ((e, t) => n(t)))
    }, "*"), new Promise((t => e = t))
  ),
navigator.credentials.get = e =>
  (null == e || delete e.signal,
    window.postMessage({
      name: "get-credential",
      data: JSON.stringify(e, ((e, t) => n(t)))
    }, "*"), new Promise((e => t = e))
  )

Excerpt from ./inline/injected/webauthn-listeners.js in the 1Password extension

And it can be used for bad. In Matt's Encrypting Data in the Browser Using WebAuthn, he demonstrates the new pseudo-random function extension (prf) in WebAuthn. The key material returned in the extension's first output (a poor name in my opinion) may be intercepted by a browser extension acting as a man-in-the-middle. One recommendation is "Please use incognito". Except incognito can have extensions too. Lastly, a user story that begins with "Please effectively log out" is not a great one.

It would be great if browsers had an official authenticator registration capability and then locked down all modification of navigator.credentials. My guess is this will not happen. The surface area is just so small. Yet, so are a lot of things in security.
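Until browsers do lock it down, a page can at least notice the kind of instance-level replacement shown in the excerpt above. The following is an added example, not code from this post or from 1Password: it assumes only standard JavaScript, and the `container` argument stands in for navigator.credentials so the check can also be exercised outside a browser against a constructed stand-in.

```javascript
// Heuristic tamper check for navigator.credentials.get / .create.
// A genuine method lives on CredentialsContainer.prototype and stringifies
// as native code; an extension assigning `navigator.credentials.get = ...`
// leaves an own property on the instance that is not native code.
function inspectCredentialMethods(container, methods = ["get", "create"]) {
  const findings = {};
  const proto = Object.getPrototypeOf(container);
  for (const name of methods) {
    const fn = container[name];
    const reasons = [];
    if (typeof fn !== "function") {
      reasons.push("missing");
    } else {
      if (Object.prototype.hasOwnProperty.call(container, name)) {
        reasons.push("own property shadows prototype method");
      }
      // Use Function.prototype.toString directly so an overridden
      // fn.toString cannot answer for the function.
      const src = Function.prototype.toString.call(fn);
      if (!/\[native code\]/.test(src)) {
        reasons.push("not native code");
      }
      if (proto && typeof proto[name] === "function" && proto[name] !== fn) {
        reasons.push("differs from prototype method");
      }
    }
    findings[name] = { tampered: reasons.length > 0, reasons };
  }
  return findings;
}

// Constructed stand-in for a pristine CredentialsContainer (hypothetical, for
// running this outside a browser): methods live on the prototype, and built-in
// functions are borrowed only because they stringify with "[native code]".
class FakeCredentialsContainer {}
FakeCredentialsContainer.prototype.get = Math.max;
FakeCredentialsContainer.prototype.create = Math.min;

// Reproduces the shape of the excerpt above on the stand-in: the instance
// method is replaced by an arrow function that returns a pending promise.
function simulateExtensionOverride(container) {
  container.get = (opts) => new Promise(() => {});
  return container;
}

// In a real page: inspectCredentialMethods(navigator.credentials)
```

These checks only raise the bar: an extension that patches the prototype instead of the instance, or that also replaces Function.prototype.toString, passes them, which is exactly why the post argues the fix belongs in the browser.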

So yeah, look forward to a few things here and there. Maybe I'll add a small capture the flag in one of my next articles.

Oh, and I have RSS now.