ChromeGalvanizer – Harden your browser against extension backdoors and exploits (opens in new tab)

(github.com)

101 pointsmandatory6y ago37 comments

37 comments

28 comments · 8 top-level

squarefoot6y ago· 5 in thread

Being a FF user I can't use it, but it made me think about the dangers of extensions being hijacked. It would be nice to have as a browser builtin feature a domain based whitelist that enables access to extensions according to a trust level, so that for example any new encountered domain can be accessed by all extensions by default, but if I assign say my bank domain a level of N, only extensions whose trust level exceed that N number would be able to access its data while others would be bypassed, then a fixed maximum value of say 10 would mean all extension bypassed for the paranoid. Probably even a trusted/not tusted flag would suffice, but just in case one wants to differentiate between locally written and installed extensions that can't self update, then official and non official ones. Doable?

gnicholas6y ago

One way to accomplish this is to just use private windows for your banking or other critical sites, and then don't let extensions run in private windows. You can configure this per extension in Firefox and Chrome.

throwaway_pdp096y ago

A simpler, if perhaps unnecessarily heavyweight way of doing this is to have separate accounts on the same computer. My email has its own account, and allows cookies there (it's gmail). I have to switch accounts to do mail but that's not so bothersome, perhaps even an advantage for some as it might help not jumping every time a mail arrives.

Using private X in the browser requires trusting the browser, this way you can have the OS isolate processes which has to be stronger.

lazyeye6y ago

Why not have two different browsers installed. One for banking etc and the other for everyday use with all the plugins installed.

namibj6y ago

Consider filing an enhancement request: https://bugzilla.mozilla.org/enter_bug.cgi?product=DevTools

You'd not want to simplify it too much in it's core, though. That'd exclude advanced configurations outright.

dumpHero26y ago

I use Edge (the latest version) for my banking related work. The experience is same as chrome, and I don't have any browser extensions installed there.

miles6y ago· 4 in thread

Just tested in Windows with a registry file generated via the linked web interface[0]. Dark Reader was not prevented from accessing sites that should have been excluded based on the imported policy, even after a reboot. Has anyone successfully tested Chrome Galvanizer?

[0] https://thehackerblog.com/galvanizer/

szhu6y ago

I tested the following on Mac:

1. Block "(star)" from accessing "(star)://mail.google.com"

2. Install the config

3. Go to chrome://policy/ and click "Reload policies"

4. Open Gmail. Dark Reader doesn't work anymore.

miles6y ago

Thanks very much - will test on macOS next.

EDIT: It must be me, as I am still not having any luck. I just tested in a slightly older macOS VM (10.12) with Google Chrome 81; even after installing the profile, Dark Reader continues to work on sites that should be excluded.

mandatoryOP6y ago

Author here, can you provide the generated policy for me to take a look at?

miles6y ago

Thanks very much for replying.

Here is the generated reg file:

  Windows Registry Editor Version 5.00
  
  [HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome]
  "ExtensionSettings"="{\"*\":{\"runtime_blocked_hosts\":[\"*://ycombinator.com\",\"*://boh.com\"]}}"

Tested in a new Windows 10 x64 (2004) VM with a new install of Google Chrome 81.

1 more reply

superasn6y ago· 3 in thread

I've made it a rule to right click all chrome extensions icons and then set them to "This can read and change data > On www.example.com" on sites I really intend to use them. This prevents them from reading all sites but also prevents the annoyance of reloading the page every-time you need to use the extension. Also some extensions like Likepass inject some really ugly HTML into form fields (it also takes care of that)

It's a pretty useful feature that many people miss.

tjbiddle6y ago

Phenomenal! Thank you!

I've personally just switched from Chrome to Brave. Funnily enough, Chrome was causing my computer to seize all the time while Brave does not, even though it's still built on Chromium. But I took the opportunity to go ahead and clear out a number of extensions. Feels so much better. Your browser can really get cluttered over the years!

tobylane6y ago

That's a good feature, but not applicable to my setup. What I'd like is more limitations, say Grammarly can only run on pages with textareas.

miles6y ago

This. Is. Epic. Completely missed it. Thank you so much.

jamieweb6y ago· 3 in thread

It's a challenge to weigh up the risk of not using an adblocker versus the risk of the extension getting compromised.

I guess that solutions like DNS-level blocking or custom hosts files are a fair balance, but I still like the DOM-based per-element control found within adblock extensions.

And then I see people with like 20 extensions installed...

ocdtrekkie6y ago

Ultimately it's a trust tradeoff. Extensions should only be installed from incredibly trusted "I'd give this entity my passwords and my bank info for safekeeping" level trust. Because that's essentially the access a lot of browser extensions have.

The easiest way to protect your browser from exploits is to disable or whitelist extensions. At the office we block all but a small handful of extensions we've vetted, and we're very hesitant to add more without very good cause. Do this at home too.

sitkack6y ago

Even for extensions you trust, if their domain expires, it can be minutes later that it is pushing an update.

Actually ... Chrome extensions should have a trust policy wrt domain age, meaning a newly refreshed domain (via expiration) shouldn't be able to push an update for X days.

edit, forgot to mention that this applies to all plugin systems, many which provide vectors of attack against programmers, many of whom can affect global infrastructure.

So VSCode, IntelliJ, etc can be used to inject code into the client as well.

2 more replies

dogma11386y ago

Adblockers are still useful to block annoying scripts and softpaywalls.

Yes I know no-script exists but it breaks many if not most websites and after a few weeks of managing exceptions most users would disable it and heck few weeks is likely generous most uses would disable it after a few hours if not minutes.

tchaffee6y ago· 3 in thread

I open Chrome once in while for testing or on the rare occasion something only works there, so maybe this is useful for those occasions. But if you're serious about security and privacy shouldn't you be avoiding Chrome as your regular browser?

jamieweb6y ago

I can see where you're coming from on the privacy bit, but from a security point of view, Chrome/Chromium is generally a well-secured browser.

Yes it's not written in a memory-safe language, but drive-by exploits and attacks that escape the sandbox are exceedingly rare in Chrome, even if you're running an older version.

Of course if you add extensions and Flash to the mix, the security is degraded, but with a normal Chrome install it's fairly hard to do something bad in one tab that will negatively impact another.

cl3misch6y ago

On malicious extensions and stealing login credentials specifically, what's bad about Chrome?

judge20206y ago

Since it's the more popular browser for non-tech people (i'd imagine firefox leans more towards tech/privacy-conscious people than 'normal' users), it's probably the first one targeted for auto-extension installation by malware.

dsun1796y ago· 2 in thread

This sounds great, I will try. Is it somehow possible to restrict the internet access of a single extension? For example I have an add-http-header extension that has no reason to create connection to an outside server.

gnicholas6y ago

Not sure if this answers your specific question, but you can limit the sites that an extension can run on. I recently discovered that Chrome offers this feature (right click the extension icon and select Manage Extension to access), and it saved me from having to build a site whitelist feature for my extension. [1] It already has a blacklist feature, and I was going to build a whitelist feature due to user requests. Then I discovered that this functionality is built into all Chrome extensions.

Unfortunately it doesn’t seem to exist on Firefox.

1: https://chrome.google.com/webstore/detail/beeline-reader/ifj...

Thorrez6y ago

If it can modify the DOM or even display its own HTML-based UI, that might be hard because it can embed an external image, and the loading of that image would contact an external website.

PappaPatat6y ago

> Using Chrome Galvanizer, you can protect yourself from attacks like this by specifying specific sites that one or all of your extensions can no longer access. For the MEGA case, if users had created a policy restricting access for the MEGA extension to access amazon.com, live.com, github.com, google.com, myetherwallet.com, mymonero.com, and idex.market then they'd be protected from the attack.

You might as well turn off the internet for some.

1cvmask6y ago

Who uses this?

j / k navigate · click thread line to collapse

37 comments

28 comments · 8 top-level

squarefoot6y ago· 5 in thread

gnicholas6y ago

throwaway_pdp096y ago

Using private X in the browser requires trusting the browser, this way you can have the OS isolate processes which has to be stronger.

lazyeye6y ago

Why not have two different browsers installed. One for banking etc and the other for everyday use with all the plugins installed.

namibj6y ago

Consider filing an enhancement request: https://bugzilla.mozilla.org/enter_bug.cgi?product=DevTools

You'd not want to simplify it too much in it's core, though. That'd exclude advanced configurations outright.

dumpHero26y ago

I use Edge (the latest version) for my banking related work. The experience is same as chrome, and I don't have any browser extensions installed there.

miles6y ago· 4 in thread

[0] https://thehackerblog.com/galvanizer/

szhu6y ago

I tested the following on Mac:

1. Block "(star)" from accessing "(star)://mail.google.com"

2. Install the config

3. Go to chrome://policy/ and click "Reload policies"

4. Open Gmail. Dark Reader doesn't work anymore.

miles6y ago

Thanks very much - will test on macOS next.

mandatoryOP6y ago

Author here, can you provide the generated policy for me to take a look at?

miles6y ago

Thanks very much for replying.

Here is the generated reg file:

  Windows Registry Editor Version 5.00
  
  [HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome]
  "ExtensionSettings"="{\"*\":{\"runtime_blocked_hosts\":[\"*://ycombinator.com\",\"*://boh.com\"]}}"

Tested in a new Windows 10 x64 (2004) VM with a new install of Google Chrome 81.

1 more reply

superasn6y ago· 3 in thread

It's a pretty useful feature that many people miss.

tjbiddle6y ago

Phenomenal! Thank you!

tobylane6y ago

That's a good feature, but not applicable to my setup. What I'd like is more limitations, say Grammarly can only run on pages with textareas.

miles6y ago

This. Is. Epic. Completely missed it. Thank you so much.

jamieweb6y ago· 3 in thread

It's a challenge to weigh up the risk of not using an adblocker versus the risk of the extension getting compromised.

I guess that solutions like DNS-level blocking or custom hosts files are a fair balance, but I still like the DOM-based per-element control found within adblock extensions.

And then I see people with like 20 extensions installed...

ocdtrekkie6y ago

sitkack6y ago

Even for extensions you trust, if their domain expires, it can be minutes later that it is pushing an update.

Actually ... Chrome extensions should have a trust policy wrt domain age, meaning a newly refreshed domain (via expiration) shouldn't be able to push an update for X days.

edit, forgot to mention that this applies to all plugin systems, many which provide vectors of attack against programmers, many of whom can affect global infrastructure.

So VSCode, IntelliJ, etc can be used to inject code into the client as well.

2 more replies

dogma11386y ago

Adblockers are still useful to block annoying scripts and softpaywalls.

tchaffee6y ago· 3 in thread

jamieweb6y ago

I can see where you're coming from on the privacy bit, but from a security point of view, Chrome/Chromium is generally a well-secured browser.

Yes it's not written in a memory-safe language, but drive-by exploits and attacks that escape the sandbox are exceedingly rare in Chrome, even if you're running an older version.

Of course if you add extensions and Flash to the mix, the security is degraded, but with a normal Chrome install it's fairly hard to do something bad in one tab that will negatively impact another.

cl3misch6y ago

On malicious extensions and stealing login credentials specifically, what's bad about Chrome?

judge20206y ago

dsun1796y ago· 2 in thread

gnicholas6y ago

Unfortunately it doesn’t seem to exist on Firefox.

1: https://chrome.google.com/webstore/detail/beeline-reader/ifj...

Thorrez6y ago

If it can modify the DOM or even display its own HTML-based UI, that might be hard because it can embed an external image, and the loading of that image would contact an external website.

PappaPatat6y ago

You might as well turn off the internet for some.

1cvmask6y ago

Who uses this?

j / k navigate · click thread line to collapse