How to check the authenticity of a Chrome extension?

The Context:

  • You have a web server which has to provide an exclusive content only if your client has your specific Chrome extension installed.
  • You have two possibilities to provide the Chrome extension package:

    1. From the Chrome Web Store
    2. From your own server

The problem:

  • There is a plethora of solutions allowing to know that a Chrome extension is installed:

    1. Inserting an element when a web page is loaded by using Content Scripts.
    2. Sending specific headers to the server by using Web Requests.
    3. Etc.

  • But there seems to be no solution to check if the Chrome extension which is interacting with your web page is genuine.
  • Indeed, as the source code of the Chrome extension can be viewed and copied by anyone who wants to, there seems to be no way to know if the current Chrome extension interacting with your web page is the one you have published or a cloned version (and maybe somewhat altered) by another person.
  • It seems that you are only able to know that some Chrome extension is interacting with your web page in an "expected way" but you cannot verify its authenticity.

The solution?

  • One solution may consist in using information contained in the Chrome extension package and which cannot be altered or copied by anyone else:

    1. Sending the Chrome extension's ID to the server? But how?
      • The ID has to be sent by you and your JavaScript code and there seems to be no way to do it with an "internal" Chrome function.
      • So if someone else just sends the same ID to your server (some kind of Chrome extension's ID spoofing) then your server will consider his Chrome extension as a genuine one!
    2. Using the private key which served when you packaged the application? But how?
      • There seems to be no way to access or use in any way this key programmatically!

  • One other solution may consist in using NPAPI Plugins and embed authentication methods like GPG, etc. But this solution is not desirable mostly because of the big "Warning" section of its API's doc.
  • Is there any other solution?

Notes

This question attempts to raise a real security problem in the Chrome extension's API: How to check the authenticity of your Chrome extension when it comes to interact with your services. If there are any missing possibilities, or any misunderstandings please feel free to ask me in comments.

Solution

I'm sorry to say but this problem as posed by you is in essence unsolvable because of one simple problem: You can't trust the client. And since the client can see the code then you can't solve the problem.

Any information coming from the client side can be replicated by other means. It is essentially the same problem as trying to prove that when a user logs into their account it is actually the user not somebody else who found out or was given their username and password.

The internet security models are built around 2 parties trying to communicate without a third party being able to imitate one, modify or listen to the conversation. Without hiding the source code of the extension the client becomes indistinguishable from the third party (a file among copies - no way to determine which is which).

If the source code is hidden it becomes a whole other story. Now the user or malicious party doesn't have access to the secrets the real client knows and all the regular security models apply. However it is doubtful that Chrome will allow hidden source code in extensions, because it would produce other security issues.

Some source code can be hidden using NPAPI Plugins as you stated, but it comes with a price as you already know.


Coming back to the current state of things:

Now it becomes a question of what is meant by interaction.

If interaction means that while the user is on the page you want to know if it is your extension or some other, then the closest you can get is to list your page in the extension's manifest under the app section as documented here

This will allow you to ask on the page if the app is installed by using

    chrome.app.isInstalled

This will return a boolean showing whether your app is installed or not. The command is documented here

However this does not really solve the problem, since the extension may be installed, but not enabled and there is another extension mocking the communication with your site.

Furthermore the validation is on the client side so any function that uses that validation can be overwritten to ignore the result of this variable.

If however the interaction means making XMLHttpRequests then you are out of luck. Can't be done using current methods because of the visibility of source code as discussed above.

However if it is limiting your site's usability to authorized entities I suggest using regular means of authentication: having the user log in will allow you to create a session. This session will be propagated to all requests made by the extension so you are down to regular client log in trust issues like account sharing etc. These can of course be managed by making the user log in, say, via their Google account, which most are reluctant to share, and further mitigated by blocking accounts that seem to be misused.
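The contrast the answer draws, as an added example that is not part of the original answer: a server-side check on a client-supplied extension ID next to a check on a login session, with account-level blocking. The header name `x-extension-id`, the extension ID, the in-memory session store and all function names are assumptions made for illustration, and credential verification is assumed to happen before `createSession` is called.

```javascript
// Added example; names, header and ID are hypothetical, not a Chrome API.
const nodeCrypto = require("node:crypto");
const PUBLISHED_EXTENSION_ID = "aaaabbbbccccddddeeeeffffgggghhhh"; // constructed placeholder
const sessions = new Map(); // session id -> { user, blocked }, kept server-side only

// Weak: the ID is public and the header is set by client code, so a clone sends the same value.
function allowByExtensionHeader(headers) {
  return headers["x-extension-id"] === PUBLISHED_EXTENSION_ID;
}

// Call only after the user's credentials were verified (assumed, not shown).
function createSession(user) {
  const sid = nodeCrypto.randomBytes(32).toString("hex"); // unguessable, per login
  sessions.set(sid, { user, blocked: false });
  return sid;
}

function parseCookies(header = "") {
  const out = Object.create(null);
  for (const part of header.split(";")) {
    const i = part.indexOf("=");
    if (i > 0) out[part.slice(0, i).trim()] = part.slice(i + 1).trim();
  }
  return out;
}

// Access follows the logged-in account, not the software making the request.
function allowBySession(headers) {
  const session = sessions.get(parseCookies(headers.cookie).sid);
  return Boolean(session && !session.blocked);
}

// Mitigation for shared or misused accounts: revoke at the account level.
function blockUser(user) {
  for (const s of sessions.values()) if (s.user === user) s.blocked = true;
}

function demo() {
  const sid = createSession("alice"); // constructed user
  const genuine = { "x-extension-id": PUBLISHED_EXTENSION_ID, cookie: `sid=${sid}` };
  const clone = { "x-extension-id": PUBLISHED_EXTENSION_ID }; // copied ID, no login
  const result = {
    headerGenuine: allowByExtensionHeader(genuine), headerClone: allowByExtensionHeader(clone),
    sessionGenuine: allowBySession(genuine), sessionClone: allowBySession(clone),
  };
  blockUser("alice");
  result.sessionAfterBlock = allowBySession(genuine);
  return result;
}
```

The header check cannot tell the two requests apart, while the session check admits only the logged-in account and stops admitting it once that account is blocked.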
