What if Facebook is the adversary?

[mvirkkunen]

So, your marketing website lists Edward Snowden himself as as example of somebody who might be using this add-on. Therefore I'm assuming you claim protection against an adversary who could potentially get websites such as facebook.com to do their bidding.

As far as I can tell this extension does everything via content scripts that share the DOM context with the surrounding webpage, has the user type their messages into the same DOM structure Facebook has access to, and even stores the encryption key in a DOM attribute.

What's to stop a Facebook employee subpoenaed by a government (or just any evil employee) from adding a little extra function to the chat part at facebook.com to grab and store your messages as you're typing them before they get encrypted, or just steal the entire encryption key?

[fb39ca4]

The text entry field could be inside an iframe of a different domain and the encryption code would run in there, only communicating the cipher text to the main page. Similarly, the decrypted messages on the other end would be displayed in iframes.

[ndrwy]

Maybe some ideas to prevent DOM monitoring can be gathered from Mailvelope: https://www.mailvelope.com/help

"Clicking on the Compose button will open a new popup with a separate editor. This ensures that the e-mail creation and encryption process is completely isolated from the webmail provider."

[maxisme]

@fb39ca4 great idea! I have tested this and two problems arise:

1. Facebook seem to monitor key presses on the window which will include the iframe(?) so surely having it makes no difference?
2. Need to be able to automate the submission of a string on facebook automatically. See this

@ndrwy I do not want to make the user have to succumb to any changes to the facebook interface other than setting the session password.

@mvirkkunen very valid points. We should be able to identify if facebook are purposefully monitoring any of our created DOMs. Do you think that the method in which @fb39ca4 suggests, is a good one?

[mvirkkunen]

@maxisme Using an iframe from another origin would put same origin restrictions into effect, and the surrounding page would not be able to access the DOM (or mostly anything else) in the frame, assuming the security model in the browser works. You would just need to be careful to have no secrets (i.e. no plaintext messages, no encryption keys) outside of the iframe.

Trying to identify monitoring isn't really worth doing when you should just make the relevant bits inaccessible to the surrounding page.

[maxisme]

@mvirkkunen Okay perfect! Thank you. Working on it now.

I would pay a lot of money for someone to figure out how to automate the enter key on facebook. I am so tired of trying to figure it out! 👎