The security design of the Godslock offline plug-in

The following articles are transferred from InfoQ

In the article Time to ditch add-on password managers and use password manager add-ons instead , we talked about how secure add-on password managers are.

We made a demonstration: inject malicious JS code into a Github webpage that does not require login , and steal the user's Github password by luring the user to click to close the advertisement.

Talk is cheap. Show me the video.

Demo: Inject malicious JS code into a Github webpage that does not require login, and steal the user's Github password by luring the user to click to close the advertisement

In order to demonstrate the effect, the login box and the LastPass fill box are set to be translucent. In actual attacks, it can be set to a very low transparency, invisible to the naked eye.

This demo does not exploit any browser vulnerabilities. If the right vulnerability is exploited, passwords can be stolen automatically without the user having to click.

The vast majority of web pages on the Internet contain a large amount of third-party content, especially advertisements, and it is difficult to guarantee that all content is safe. Once the third-party content contains malicious code, the plug-in password manager may have a risk of compromise.

1. Product demand

Users of the Godslock offline version have long strongly requested the Windows version, bringing the security protection capabilities of the Godslock offline version to Windows. However, the desktop platform does not have perfect sandbox protection . Malware can not only read the data stored in the app, but also steal the master password through Keylogger or scanning memory data. Moreover, desktop platforms are not generally equipped with security chips , and key management is far less secure than smartphones.

A research report published last year by Independent Security Evaluators found that desktop password managers can scan memory to find master passwords. The Washington Post reported on the matter and released a demonstration video .

Video of Security Researcher Adrian Bednarek Extracting 1Password Master Password

There are two common technical solutions for password managers on the desktop:

1. Desktop client

About ten years ago, the PBKDF algorithm began to mature, and the second-generation password manager allowed users to set a master password and convert the master password into a key to encrypt and protect user data, which brought real protection to password management. To this day, most password managers are still based on this technology.

2. Plugin Password Manager

Desktop software can usually remember passwords, and users rarely need to enter passwords again after entering them once. Websites running in browsers often require users to enter passwords, so on the computer side, users mostly use password managers when logging in to web pages.

A plug-in password manager is a password manager client implemented based on browser plug-in technology, and usually keeps cloud synchronization with other platform clients. It not only has the main functions of the desktop client, but also can assist in filling the password box in the web page, so it is very popular among users.

It is not recommended to use the password manager that comes with the browser, most of them belong to the first generation of password managers - managed, unprotected.

After in-depth research, we found that these two technical solutions are not ideal in terms of security. Therefore, instead of using them, an original design of scanning code remote encrypted filling scheme allows users to safely fill in passwords on computer browsers.

2. Technical design

1. No plug-in password manager technology

Most plug-in password managers implement a complete client based on the browser plug-in interface, including modules such as user interface, auto-fill, encryption and decryption, password database storage, and cloud synchronization database.

In addition to the lack of perfect sandbox protection and security chips on the desktop platform itself, the plug-in password manager based on the browser platform also faces more serious security threats:

• Risk of Master Password Leakage

The desktop client can use some underlying system technologies to prevent the Keylogger program from stealing the master password, but the plug-in password manager program based on Web technology cannot access the underlying interface of the operating system and completely relies on the password input box of the browser, which cannot prevent attacks Keylogger.

• browser vulnerability

Data source: CVE Details

The natural networking characteristics of browsers make many vulnerabilities easier to be exploited remotely by hackers. Plug-in password managers based on browser platforms are also vulnerable. Whether hackers plant malicious programs on the operating system or break through the protection of the browser, it is easy for hackers to crack the plug-in password manager.

• Browser plug-in technology exposes an unmanageable attack surface

Security researcher Martin Vigo once demonstrated the method of cracking the LastPass plug-in in Even the LastPass Will be Stolen, Deal with It!, among which there are 4 methods based on the plug-in client.

The plug-in development interface of the browser is based on Web technology, which is very open and flexible. Malicious programs can access and control almost any content on the page through Web DOM/JS (Document Object Model/Javascript). Well-known security researcher Sean Cassidy argues in his blog post Browser Extension Password Managers Should Not Be Used that there is no way to avoid the risks of plug-in password managers.

2. Original plug-in design

design logic

In the process of researching technical solutions, we gradually explored such a design logic:

• Browser-based plug-in technology

The browser plug-in can easily parse the necessary information, such as whether there is a login box in the web page and the current URL; when helping users to automatically fill in the password, DOM/JS technology can also be used to fill in the user name and password in the text box. Therefore, plug-in technology can better help users.

• The plugin does not manage user passwords

Many risks in the security of the browser plug-in platform are difficult to overcome, so the password management is simply not done, and the plug-in is directly used as an extension of the Godslock offline app in the browser. The plug-in does not manage or save user passwords, does not expose this attack surface, and does not leave opportunities for hackers to attack.

It is equivalent to implementing a remote autofill framework based on plug-in technology , rather than a password manager.

• get fill information

The principle of automatic filling is: first obtain the relevant information (URL, etc.) that needs to be filled in the password from the webpage, and then select the corresponding account from the Shensuo offline app. The app has no network permission and cannot access the network, so how to transfer the information obtained from the web page to the app? Instead of adding network permissions to the Shensuo offline app, we changed the way information is transmitted:

a. The plug-in encodes the web page information into a QR code and displays it on the screen

b. Shensuo offline app scans the code to obtain information without using the Internet

• filling

Similarly, how does the offline version of Shensuo without network permissions send the account password selected by the user to the plug-in?

Is it possible to use the camera on the computer to scan the mobile app? Although it is feasible to use a computer camera to scan codes, it is really inconvenient to operate.

All smartphones are equipped with mobile browsers, which can send data to the plug-in through the browser running the H5 web program in the cloud. The sent data is input as a parameter of the H5 web page, and the H5 web page can also easily view the source code, and the user can completely audit the security of the entire data transmission by himself.

system structure

The article " It's time to ditch the plug-in password manager and use a password manager plug-in " introduces how to use the plug-in. Its design principle is as follows:

architecture diagram

Sequence Diagram

1. After the plug-in detects the login box on the page, it generates an elliptic curve key pair (ECC key pair, elliptic-curve public–private key pair) , encodes information such as the public key and URL into a QR code, and displays it on the page.

2. After the user uses the Shensuo offline app to scan the code, the app will let the user choose the account to be filled.

3. After the user selects an account, the Shensuo offline app will:

a. Generate ECC key pair

b. Generate a shared secret using the ECDH algorithm

c. Use the shared key to encrypt information such as user names and passwords

4. The Shensuo offline version app starts the mobile browser, and sends the encrypted data and ECC public key to the plug-in

5. The plug-in uses the ECDH algorithm to generate a shared key and decrypt it to get the username and password

6. The plug-in fills the username and password into the login box

Through the ECDH key negotiation from the app end to the plug-in end, end-to-end encryption is realized to ensure that user passwords will not be stolen by hackers or even internal employees due to cloud transmission.

When using the offline version of Godlock to automatically fill, the user needs to operate twice on the phone. Unlike plug-in password managers, malicious programs on desktops or web pages cannot attack mobile apps.

3. Introduction to plug-in components

plug-in architecture

A typical Chrome browser extension has 4 major components :

• Background ScriptBackground scripts are responsible for handling events and messages
• UI ElementsIncluding the popup on the plug-in icon, and other interface elements
• Content ScriptCan access content in web pages
• Options PageAllow the user to set some option parameters, etc.

Each component is isolated and runs in an independent process to improve security. Components use the message mechanism provided by the plug-in platform to communicate.

The sum of the Shensuo offline version plug-in UI Elementsis Options Pagerelatively simple, so I won't discuss it here. Content Scriptand Background Scriptworks as follows:

Content Script

It is mainly responsible for detecting the login box on the page, and filling the received username and password into the login box. It provides two aspects of security protection:

1. Anti-fraud

While autofill is convenient, it also exposes an attack surface where hackers can use it to steal user passwords. A paper this year, Revisiting Security Vulnerabilities in Commercial Password Managers , focused on the fraud prevention capabilities of some password manager autofills and found that they generally did not do a good enough job. The advanced anti-fraud capabilities of the Shensuo Offline App can effectively prevent these frauds.

The Godslock Offline Plug-in inherits the existing anti-fraud capabilities of the app, Content Scriptcombined with the information on the login page, it also provides more fraud detection capabilities:

• The webpage uses an insecure HTTP transmission protocol, filling and submitting passwords may leak
• The login domain name is inconsistent with the domain name of the current web page, filling and submitting the password may also leak

Why should the login domain name be the same as the domain name of the current webpage?

The account management services of Internet platforms are generally streamlined in content and do not contain third-party content. They implement stricter security audit procedures, and are even in charge of professional independent teams.

The business webpage is mainly functional and rich in content, including many third-party resources and even a large number of third-party advertisements. The development process is not as strict as account management, it is difficult to guarantee the security of all content on the page, and there is a risk of account theft.

2. Anti-cracking

At present, the ECC algorithm is very safe, and it is very difficult to brute force it. On the other hand, quantum computing has shown the potential to crack ECC algorithms in the future. No matter what kind of risk it is to prevent, it is necessary to limit the exposure time of the ECC key, so we set a validity period of 2 minutes for the QR code, and the scanning box will be automatically closed after 2 minutes. If the Shensuo offline app scans the QR code 2 minutes ago, it will prompt that it has expired and will not perform the automatic filling operation.

2 minutes is generally enough for users to take out their mobile phones to scan and fill without fuss; even if quantum computing cracks the ECC algorithm in the future, it is expected to be difficult to crack within 2 minutes, let alone traditional computers.

Background Script

Responsible for key management and receiving encrypted passwords sent by the app, which is the core of the remote autofill framework. Therefore, we have done a lot of security design, including:

• Key management background process isolation

Both key management and cloud communication run in the plugin background process, completely isolated from the front-end page.

This means that the malicious JS code in the page cannot access the encrypted data in the background process through the DOM interface.

• request speed limit

One of the reasons why some password managers leak user passwords in large numbers is that there is no limit to data requests, and malicious code can simulate web page logins and steal passwords from a large number of website users.

To this end, we have designed a request rate limiting algorithm to limit the speed of creating key pairs and QR codes, and directly reject requests that obviously exceed normal operations.

• High Strength Elliptic Curve Cryptography Algorithm

The asymmetric high-strength elliptic curve algorithm is used to negotiate the encryption key to realize the end-to-end (Goslock offline version app end-to-plug-in end) secondary encryption of the filling data, so that even internal employees cannot peek at the filling password.

Usually, the ECC curves that can be selected include P-256, P-384, P-521, etc., taking into account safety and compatibility, we chose ECC P-384.

• The private key cannot be extracted

  const curve = {
    
    name: "ECDH", namedCurve: "P-384"};
  page.keyPair = await window.crypto.subtle.generateKey(curve, false, ["deriveKey"]);

When calling Webcryptothe API to generate a key, set extractablethe parameter false to prohibit extracting the private key.

Even if a malicious program breaks through the browser's process isolation, it still cannot read the non-exportable private key, unless it can further break through the browser's key management protection.

• one time pad

ECC key pairs are not stored and not reused. Not only will each page generate an independent key pair, but the same page will be regenerated every time the scan code box is opened.

The combined Content Script2-minute QR code validity period limit greatly increases the cracking cost. Even if a hacker breaks one encryption, he cannot break another padding.

After the plug-in receives the ECC public key and encrypted data sent from the cloud, the next steps are:

1. Negotiate an encryption key

ECDHA shared key is generated using a standard algorithm AES-256-GCM.

  const curve = {
    
    name: "ECDH", namedCurve: "P-384"};
  const publicKey = await window.crypto.subtle.importKey('spki', keyBytes, curve, true, []);
  const ecdh = {
    
    name: "ECDH", public: publicKey};
  const aes = {
    
    name: "AES-GCM", length: 256};
  const secretKey = await window.crypto.subtle.deriveKey(ecdh, page.keyPair.privateKey, aes, true, ["encrypt", "decrypt"]);

2. decrypt data

After parsing the AES-256-GCMparameters IV(Initial Vector)and ciphertext, call webcryptothe API to get the original text.

const ivBytes = Uint8Array.from(window.atob(encrypted.iv), c => c.charCodeAt(0));  
const cipherBytes = Uint8Array.from(window.atob(encrypted.cipher), c => c.charCodeAt(0));  
const aesParams = {
    
    name: "AES-GCM", iv: ivBytes};  
const bytes = await window.crypto.subtle.decrypt(aesParams, secretKey, cipherBytes);

If the mode is selected AES-256-GCM, it is also possible to verify whether the data has been tampered with during decryption. Compared AES-CBCwith other modes, it further improves security.

Of course, all network communications must use the HTTPS/WSS protocol, adding another layer of security protection.

3. Comparative analysis of security

Most plug-in password managers are a complete cloud synchronization client, and the support of the Godslock offline version for browsers has been disassembled into two components that work together:

• Offline version app of Godlock on the mobile phone: use the security features of the mobile phone system (network authority, sandbox protection, security chip, etc.) to protect user passwords
• Browser plug-in: make full use of the development interface provided by the browser to realize the remote automatic filling framework, ensure the security of communication data and prevent fraud

Decomposing functions and dispersing them on different terminals effectively reduces the attack surface and protects user data security more effectively.

Overall attack surface comparison

attack surface	God Lock Offline App	God lock offline version plug-in	Plugin Password Manager
network	N	Y	Y
persistent storage	Y	N	Y
user-interface	Y	Y	Y
Web DOM	N	Y	Y

The plug-in password manager will expose 4 attack surfaces, while the Godslock Offline App will expose 2, and the plug-in will expose 3.

The Godslock offline app and plug-ins completely separate the two most risky attack surfaces - storing data without networking, and networking without storing data.

So, compared with the plug-in password manager, what improvements has the Godslock offline plug-in made on each attack surface?

1. Cyber ​​attacks

• Malicious codes and malicious plug-ins in web pages may use the security holes of plug-ins to steal passwords stored by users. See Newsletter : LastPass exposes fatal flaw, hackers can steal all your passwords
• Service provider cloud. "Bad employees" inside the service provider, or hackers intruding into the service provider's cloud, may carry out attacks from the cloud. For example, when the plug-in loads the program code in the cloud web page, implanting malicious code may steal the master password/key entered by the user. The user database has already been synchronized to the cloud, so this key is missing.

Are service provider employees also credible?

• Cisco's former programmer "deleted the virtual machine and ran away" five months after leaving the company, and $2.4 million was in vain. Netizens: ruthless!
• Weimob programmers "deleted the library and ran away", evaporated the company's market value by more than 1 billion, and 3 million stores were paralyzed

Although the Godslock offline plug-in cannot completely prevent malicious codes, plug-ins, etc. from stealing the password being filled, it will not leak all the passwords, because they are stored in a more secure mobile phone system and will not be affected by the desktop.

2. Persistent storage

Many other programs running on Windows can read Chrome's stored data, including data stored by add-on password managers, including encrypted password databases, cookies for add-on password manager login services, and other important data.

If the user chooses to save the master password, malicious programs can decrypt all passwords. If it is not saved, all the malicious program needs is a master password. Although the master password should be long, complex, and unique, many users still use weak passwords as master passwords and reuse master passwords. Malicious programs can also use technology to steal the master passwords entered by users Keylogger.

Of course, this is still much more secure than Chrome's own password manager, which doesn't even require a master password.

HackBrowserData, Chinese people should be self-improvement

The Godlock offline plugin does not expose this attack surface.

3. Interface

Sean Cassidy demonstrated a technique in LostPass : using pixels to mimic the interface of a password manager to steal a user's master password.

Phishing attacks often use details that are easily overlooked or difficult to distinguish to mislead users into entering passwords into malicious programs/webpages. Plug-ins that are more integrated with browsers are more likely to be phished by malicious programs. We all know that there are no technical barriers to making this kind of pixel-perfect interface.

The browser does not provide a lot of special interface support for the plug-in, and cannot make the interface of the plug-in password manager special, and cannot help users distinguish and prevent phishing attacks against the password manager . This is embarrassing:

A password manager that should be protected against phishing can also be phished!

The Godslock offline plugin is the same as the App, no account, no registration, no login, no master password, no fish to catch.

4. Web DOM

This is an attack surface unique to browser plugins. The video demonstrated at the beginning is to use the DOM programming interface of the browser to manipulate the interface displayed by the plug-in password manager and steal the user password. If a suitable vulnerability can be exploited, even user action is not required to steal passwords invisibly.

Using the Godslock offline version plug-in to fill in the password requires the user to scan the code manually, so the user must know that he is logging in to the website. It is impossible for malicious programs to launch attacks and automatically steal passwords without the user's awareness.

Other security enhancements

• Anti-fraud capability

The paper " Revisiting Security Vulnerabilities in Commercial Password Managers " uses a variety of fraud methods to attack many popular password managers, and no one can escape all fraud.

The anti-fraud enhanced by the Shensuo offline version plug-in, combined with the advanced anti-fraud on the App side, can effectively identify various frauds mentioned in the paper.

• permission request

Check the plug-in manifest.json, you can see that the offline plug-in of Shensuo requires very few permissions, it cannot read user browsing history, and cannot monitor network communication. Therefore, the Godslock offline version plug-in can neither steal user data, nor leak user privacy because it is hacked.

• connect domain name

Also in manifest.json, many plug-in password managers will declare the connected service domain names, as well as third-party domain names that are not under their control. It is hard to imagine how difficult it is for service providers to ensure the security of many services/domain names, and even third-party services.

The offline version of Shensuo will not connect to third-party services, and only opens a domain name for connection, which is much safer.

4. Summary of safety design

The offline version of Godlock supports desktop browsers. The security design is mainly reflected in the following aspects:

password storage

The plug-in does not save any user passwords, and all passwords are still stored in the more secure mobile phone app-adopting the fourth-generation secure storage design .

More than 95% of security incidents involve the network, and the Godslock offline app remains offline, without exposing the largest attack surface, and is not affected by network-related attacks.

password transmission

The user selects the password to be filled on the mobile phone, the password is encrypted and transmitted to the plug-in, and the plug-in decrypts the password and fills it into the login box. The Godlock offline plug-in uses the following technologies to ensure the security of the transmitted password:

• Key management background process isolation
• Use ECDH high-strength elliptic curve cryptography algorithm to negotiate end-to-end keys
• The private key cannot be extracted
• one time pad
• Adopt AES-256-GCMhigh-strength encryption and prevent data tampering
• The underlying communication adopts HTTPS/WSS
• Limit the key valid time to only 2 minutes

As you know, HTTPS/TLS also widely adopts ECDH/AES to ensure data security, and most password managers cloud synchronization will be based on HTTPS/TLS. The ECDH/AES algorithm implemented by the Shensuo offline version plug-in is more secure than HTTPS/TLS, and a detailed comparative analysis will be made in the next article.

fraud prevention

The Godslock offline version has always attached great importance to anti-fraud capabilities, and has continued this fine tradition in the plug-in, and has made many new designs:

• Users need to manually scan the code

The attack surface of the Web DOM cannot be eliminated, which leaves a lot of opportunities for malicious programs to cheat, but the passwords managed by the Godlock offline app will not fly into the desktop browser out of thin air anyway. The operation of manually scanning the code by the user not only makes the user clearly aware that the password will be sent to the desktop browser, but also limits the speed of sending the password. Programs can be executed millions of times per second, and manual scanning is impossible. Even if users accidentally fall for the scam, this design helps limit the amount and speed of leaks.

• request speed limit
• Inherit the original advanced anti-fraud function of App

When selecting account filling on the mobile phone, the App will clearly display information such as the URL currently being filled, whether a password needs to be filled, etc. If the account that the user chooses to fill has a risk of leaking, a pop-up box will also pop up to remind you. For example, if a user opens a pixel-level reproduction of a phishing website , when the user chooses to fill in the account faceb00k.comon the mobile phone , the app will remind the user that this is a phishing website.facebook

• Detect whether a web page uses an insecure HTTP transport protocol
• Detect whether the login domain name is inconsistent with the current web domain name

, which leaves a lot of opportunities for malicious programs to cheat, but the passwords managed by the Godlock offline app will not fly into the desktop browser out of thin air anyway. The operation of manually scanning the code by the user not only makes the user clearly aware that the password will be sent to the desktop browser, but also limits the speed of sending the password. Programs can be executed millions of times per second, and manual scanning is impossible. Even if users accidentally fall for the scam, this design helps limit the amount and speed of leaks.

• request speed limit
• Inherit the original advanced anti-fraud function of App

When selecting account filling on the mobile phone, the App will clearly display information such as the URL currently being filled, whether a password needs to be filled, etc. If the account that the user chooses to fill has a risk of leaking, a pop-up box will also pop up to remind you. For example, if a user opens a pixel-level reproduction of a phishing website , when the user chooses to fill in the account faceb00k.comon the mobile phone , the app will remind the user that this is a phishing website.facebook

• Detect whether a web page uses an insecure HTTP transport protocol
• Detect whether the login domain name is inconsistent with the current web domain name

In particular, it is pointed out that filling the password through a plug-in cannot prevent the password from being read by a malicious plug-in or a malicious JS script in the web page through the DOM of the web page. In this regard, there is no way to prevent it technically, even if the user manually enters the password, it is also unavoidable.

This article is reproduced from InfoQ, author: Shensuo Offline Version
Link to the original text:
https://www.infoq.cn/article/c4hSUF2MmYROFPllXRe7
Do not reprint without permission