I find myself wanting to use online format parsers to quickly decode that production JWT or decode a base64 Authorization header but cannot trust these websites not to leak my information. I thought to myself: if only I could cut off network access to this site, use it offline, and then throw away all browsing data. So I created an extension just for that.
It uses Firefox's contextual identities API (Containers) to isolate browsing data and inter-tab communication. Once the site is fully loaded, I then inject bogus proxy settings for any requests leaving that container to effectively cut off network access. And once I'm done, I simply delete the Container.
Use Cases:
* Parse a live JWT token
* Convert a Base64 Authorization header
* Hash a password
* Parse a Protobuf message
* Submit my name and birthdate to estimate my date of death
Check out the MIT-licensed source code on GitHub [1] and install QuaranTab from the Firefox store [2]. If anyone is interested in a discussion, I'd love to chat about:
1. Any ideas on how we could implement this in Chromium? Using private window as a "Container"?
2. Can you come up with an exploit? I posted a 100 USD bug bounty [3] if you find one!
3. Is there any way to prove an extension in the store was built from source in GitHub? I am imagining some kind of third-party escrow service managing the Firefox store account and building from specific public git repository.
1. https://github.com/matusfaro/quarantab
2. https://addons.mozilla.org/en-US/firefox/addon/quarantab/
There is an online version [1] but it doesn't submit any data to any servers. It only loads JS for the operations it needs to perform.
You can also download it and run it offline [2]. This is what I do.
I'll leave it up to you to decide if this makes QuaranTab unnecessary or if it's the perfect reason to use QuaranTab.
+1 to CyberChef, it's awesome. If you really have qualms about the URL it's trivial to re-host / serve it to yourself offline.
My favorite part is the whole recipe feature (CyberChef builds a URL with the configured processors you use to process data).
I find myself using that a ton to share XPath / JSONPath expression work with sample data with others by sharing that URL.
Due to the same-origin principle, plain XHR and similar should be out, but what about CORS or script/image embedding with query parameters?
Even so, the irony is only shallow. I haven't yet found a suitable reason not to use such tools if they're not sending out data, regardless of where the tools come from. The FAANG companies are far better at collecting your data, and do so brazenly.
It would certainly be nice to get something à la F-Droid for free software extensions like yours (which guarantees the source code matches the built package IIRC), as a response to your question 3.
I am sure one can create an alternative extensions store in FF and change some config in about:config to use it, though it's likely non-trivial.
It would probably be more successful as a feature added to an existing trusted extension such as Temporary Containers.
Do you have a way to prevent terminal utilities from accessing the network?
$ bwrap --unshare-net --dev-bind / / bash
$ curl google.com
curl: (6) Could not resolve host: google.com
Or you could use firejail, or do it manually with `unshare`, or with any of the container runtimes (docker, podman).
Some things I can do with regular POSIX and GNU tools directly from the CLI, so I'd trust those too on my Debian/Ubuntu systems (where there is usually a guarantee you can get the source code for the binary you are running). It's definitely possible Debian/Ubuntu experience a supply chain attack too, but it's significantly less likely than a random library from GitHub IMO.
Yes! Chrome has a visually similar functionality to Firefox Containers hidden away behind a feature flag [1] at the moment. BUT under the hood it's simply tab grouping with no isolation. I presume isolation is against Google's interests so we will never see this kind of feature.
As for Firefox's API, the Contextual Identities API [2] that allows you to create/delete containers is amazing and easy to work with as a dev. And it works out-of-the-box, it doesn't need the companion addon Multi-Account Containers (MAC) [3] which really should've been part of Firefox in my opinion.
1. chrome://flags/#tab-groups-save
2. https://developer.mozilla.org/en-US/docs/Mozilla/Add-ons/Web...
3. https://addons.mozilla.org/en-US/firefox/addon/multi-account...
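As an added illustration of the lifecycle described in the original post (open a site in a fresh Container, black-hole its outbound requests once loaded, delete the Container when done) written against the WebExtension APIs named above. This is example code, not QuaranTab's own source; the "fence" icon, the loopback port-9 "proxy", and the manifest permissions it assumes ("contextualIdentities", "cookies", "proxy", "tabs", "<all_urls>") are assumptions. In Firefox it runs as a background script; in Node only the pure `decideProxy` decision is exercised, since `browser` is absent. As the thread later points out, a proxy rule only affects new requests, so connections that are already open (WebSockets included) are not closed by this alone.

```javascript
// Added example (not QuaranTab's code): quarantine a Container's network.
// cookieStoreIds of containers whose outbound requests must be black-holed.
const quarantined = new Set();

// Assumed unreachable proxy: nothing listens on loopback TCP port 9,
// so every proxied request fails to connect.
const BLACKHOLE = { type: "http", host: "127.0.0.1", port: 9 };

// Pure decision for browser.proxy.onRequest: requests that originate from
// a quarantined container go to the black hole, everything else is direct.
function decideProxy(details, quarantinedStores = quarantined) {
  if (details.cookieStoreId && quarantinedStores.has(details.cookieStoreId)) {
    return BLACKHOLE;
  }
  return { type: "direct" };
}

// Create a throwaway container, open the site in it, and cut it off only
// after the page reports status "complete" (so its assets are loaded).
async function openQuarantined(url) {
  const identity = await browser.contextualIdentities.create({
    name: "QuaranTab " + Date.now(),   // assumed naming scheme
    color: "red",
    icon: "fence",
  });
  const tab = await browser.tabs.create({
    url,
    cookieStoreId: identity.cookieStoreId,
  });
  await new Promise((resolve) => {
    function onUpdated(tabId, info) {
      if (tabId === tab.id && info.status === "complete") {
        browser.tabs.onUpdated.removeListener(onUpdated);
        resolve();
      }
    }
    browser.tabs.onUpdated.addListener(onUpdated);
  });
  quarantined.add(identity.cookieStoreId);
  return identity.cookieStoreId;
}

// Close every tab in the container and remove it; removing a contextual
// identity discards the cookies, storage and history scoped to it.
async function discard(cookieStoreId) {
  quarantined.delete(cookieStoreId);
  const tabs = await browser.tabs.query({ cookieStoreId });
  await browser.tabs.remove(tabs.map((t) => t.id));
  await browser.contextualIdentities.remove(cookieStoreId);
}

// Register the proxy decision only when running inside Firefox.
if (typeof browser !== "undefined" && browser.proxy) {
  browser.proxy.onRequest.addListener(decideProxy, { urls: ["<all_urls>"] });
}
```

The decision is kept as a pure function so the one piece of logic that actually enforces isolation can be unit-tested outside the browser; the `cookieStoreId` check matters because the default store (`firefox-default`) must keep working normally while a quarantined container is active.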
Chrome's Profiles are also remembered when you "install an app" (SSB/PWA), so you could have "apps" started in their own profiles.
Firefox's containers are only useful if you want multiple logins to the same service in the same browser window. But I never found that usecase to be very compelling.
Firefox's containers are an often lauded feature, and I don't understand why, given the integration issues or general awkwardness. It's probably a remnant of the "Facebook container" extension, which was a bandaid until better site isolation was implemented.
Totally off topic, but curious how this works? Nationality and life expectancy? Sex at birth? Assassins for hire?
2. Exploit idea (not trying for the bounty, just thinking aloud). I wonder if a website could play background music (or a video) with steganographically encoded data, then another tab could listen to it with microphone permissions on and decode it that way. I'm thinking like a fake video conferencing site, or malicious telephony how-to doc that deals with API calls and such and links to a fake password hasher that then plays the audio for the first tab to hear. Convoluted, I know, just an idea.
Interesting, but consider this is a cat-and-mouse game. If you are the only one using this trick it may work for you, but I assume it would be easy to overcome. (e.g. keep the page loading forever or until ads are loaded. Have the ads be JS-free after page load, ...)
> website could play background music ... another tab could listen
You would need mic access from the other tab, but yes. If you send it over high enough frequency you wouldn't even hear it. You would just have a visual feedback that the tab is playing music.
On a side-note, I recall there was some kind of hardware device pairing (maybe Chromecast?) that used data over voice to establish that you are physically near the other device.
Yeah, that's pretty common in home smart devices. Looks like Google patented one version and Sonos has their implementation too. In my experience it works better than Bluetooth, especially in (2.4 GHz) noisy environments
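To make the audio covert channel discussed above concrete, here is an added example (not code from anyone in the thread) of the minimal building block it needs: a binary FSK modem that encodes bytes as short tone bursts at 18 kHz and 19 kHz, near the top of the audible band, and recovers them with the Goertzel algorithm. Everything is plain arithmetic on a Float32Array so it runs in Node with no Web Audio API; in a browser the same samples would be written into an AudioBuffer on the sending tab and read back from an AnalyserNode or ScriptProcessor on a tab that has microphone permission. The sample rate, bit duration, tone frequencies and the noise model are assumptions.

```javascript
// Added example: near-ultrasonic binary FSK over PCM samples.
const SAMPLE_RATE = 48000;   // assumed device rate (Hz)
const SYMBOL_SAMPLES = 480;  // 10 ms per bit -> 100 bit/s
const F_ZERO = 18000;        // tone for bit 0 (Hz), assumed
const F_ONE = 19000;         // tone for bit 1 (Hz), assumed

// MSB-first bit expansion of a byte array.
function bytesToBits(bytes) {
  const bits = [];
  for (const b of bytes) for (let i = 7; i >= 0; i--) bits.push((b >> i) & 1);
  return bits;
}

// Sender side: one pure tone burst per bit, phase restarted each symbol.
function modulate(bytes) {
  const bits = bytesToBits(bytes);
  const out = new Float32Array(bits.length * SYMBOL_SAMPLES);
  for (let i = 0; i < bits.length; i++) {
    const f = bits[i] ? F_ONE : F_ZERO;
    for (let n = 0; n < SYMBOL_SAMPLES; n++) {
      out[i * SYMBOL_SAMPLES + n] = Math.sin((2 * Math.PI * f * n) / SAMPLE_RATE);
    }
  }
  return out;
}

// Goertzel: energy at a single frequency within one block of samples.
// With 480 samples at 48 kHz the bins are 100 Hz apart, so both tones
// fall exactly on a bin and leak nothing into each other.
function goertzelPower(samples, offset, length, freq) {
  const k = Math.round((length * freq) / SAMPLE_RATE);
  const coeff = 2 * Math.cos((2 * Math.PI * k) / length);
  let s0 = 0, s1 = 0, s2 = 0;
  for (let n = 0; n < length; n++) {
    s0 = samples[offset + n] + coeff * s1 - s2;
    s2 = s1;
    s1 = s0;
  }
  return s1 * s1 + s2 * s2 - coeff * s1 * s2;
}

// Receiver side: per symbol, whichever tone carries more energy wins.
function demodulate(samples) {
  const nBits = Math.floor(samples.length / SYMBOL_SAMPLES);
  const bytes = [];
  let cur = 0;
  for (let i = 0; i < nBits; i++) {
    const off = i * SYMBOL_SAMPLES;
    const p0 = goertzelPower(samples, off, SYMBOL_SAMPLES, F_ZERO);
    const p1 = goertzelPower(samples, off, SYMBOL_SAMPLES, F_ONE);
    cur = (cur << 1) | (p1 > p0 ? 1 : 0);
    if (i % 8 === 7) { bytes.push(cur); cur = 0; }
  }
  return Uint8Array.from(bytes);
}

// Deterministic uniform noise (seeded LCG) standing in for room noise and
// the speaker-to-microphone path; constructed for the demo, not measured.
function addNoise(samples, amplitude, seed = 1) {
  let state = seed >>> 0;
  const out = new Float32Array(samples.length);
  for (let i = 0; i < samples.length; i++) {
    state = (Math.imul(state, 1664525) + 1013904223) >>> 0;
    out[i] = samples[i] + amplitude * (state / 4294967296 - 0.5);
  }
  return out;
}

// Round trip of a constructed secret through the channel.
const secret = new TextEncoder().encode("jwt");
const received = demodulate(addNoise(modulate(secret), 0.5));
console.log(new TextDecoder().decode(received));   // prints "jwt"
```

A 100 bit/s channel is slow but more than enough to leak a decoded token over the course of a page visit, and a 1 kHz separation between tones leaves room for a real implementation to use narrower bins or more than two frequencies. The detection a user gets, as noted above, is the tab's audio indicator, plus the microphone-permission prompt on the listening tab.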
The same way you can silence the sound output of a tab, you should have as simple and reliable a tool to stop communication to either the network, the OS or both.
I'd love a tool to see which tabs are talking with each other also.
Cool idea but probably not that useful and difficult to accomplish. There are many ways to communicate that could be grouped into:
1. tab -> tab (same domain)
2. tab -> tab (different domain)
3. tab -> server -> tab
For #1, there are so many ways to transfer information it would be hard to detect and differentiate whether it's communication or just happens to be using the same resource. (e.g. one sets a cookie or local storage and the other one reads it)
For #3, it would be impossible to detect. Especially if detection is an issue, both tabs could be communicating with unrelated servers which talk with each other.
For #2, it would be the only interesting one as there is limited options (e.g. Broadcast Channel), but at the same time I assume rarely used in practice. And if detection is an issue, they would switch to #3 to avoid it.
Thank you "dz2742" for finding out [1] that existing connections, including WebSockets, are not terminated, and for winning 100 USD! This is exactly the type of exploit I was hoping to catch.
Now I have to figure out how to fix that :) And also think about refilling the bug bounty pool without becoming very poor very soon.
If you do want to go down that route, using the blocking `webRequest` to record responses and stick them into storage and then re-serve them from the cache would possibly be the best way to go about it. At that point though I'd probably advise seeing if you could get off of `<all_urls>` as a required permission? And I haven't ever played with blocking network requests for websockets, so I'm not sure if they'd require separate handling.
Just a thought. But regardless, thanks for sharing :)
This is (in theory) part of Mozilla's review process, and depending on how the extension is submitted they can (I've heard) be fairly strict about it. But it's not user-facing at all and I don't know how universally they review source code.
It really needs to be fixed from Mozilla's end though; I don't see much reason to get a 3rd-party involved instead of to lobby Mozilla to add some kind of process on its own that's more prominent. A 3rd-party verification service would be possible (you'd just download the extension from Mozilla's servers and extract it, re-run the build process and check to see if the artifacts matched), and in theory you could even have a completely separate extension store from Mozilla's -- as long as the extensions are signed you can host them anywhere, and there's nothing preventing you from getting other extensions built from source signed. You could have a pseudo-F-Droid addon store that distributed Mozilla-signed extensions you've pulled from Git and built yourself.
But... I mean, I just feel like it's something we should lobby Mozilla to do, they're in the best position to do it and in the best position to have the most impact if they do.
This only works if you have one tab of this website, since tabs of the same website can message each other (and exfiltrate data).
Also useful for debugging frontend bugs in "destructive" operations in production :)