I heard the TPM can be used for DRM purposes. But currently is there a way to access this module through the browser? or is it simply for native applications.
The only thing I came across searching was tpm-js, but this tutorial seems to be for js running outside the browser.
Has there been demonstration of TPM access to identify users through the browser?
Related
I am a Linux user and was unhappy to discover that HDCP protection on websites such as vhx.tv is preventing me from viewing the content in perfectly legitimate contexts because all Linux browsers lack HDCP support. Since HDCP was "broken" years ago, in terms of master key leaking, any device could theoretically authorize itself against an HDCP check.
Hypothetically, what is preventing someone from either writing a browser extension or creating a custom firefox build that overrides the DRM API in this way?
Why is there no such project, is it just a lack of interest or is there a hard technical barrier that is preventing this? How can anyone say that HDCP was "broken" if not even legitimate users can circumvent it when they wish to do so (eg. to watch DRM content on Linux)?
DRM systems are not within the browsers control usually, they are self-contained blobs, and the only way to get licenses (and therefore the content keys) is by using the DRM module to do a license acquisition operation.
Getting the license and decrypting and displaying the content happens within the DRM component (outside the purview of the browser) and can therefore not be accessing from a browser extension. The only way to get around that, would be to create an unauthorised version of the DRM module, get that loaded in the browser, and not have the server side code discover that the DRM module has been altered. This is generally very hard, and that is really what makes the DRM module work.
I am trying to implement linking of the desktop app to the mobile counterpart for my project. The assumption is that the mobile app is secure and the desktop app simply needs to link the session to mobile for convenience.
In my research I came across the QRLjacking exploit. It is a social engineering exploit that isn’t much different from getting users to reveal their passwords.
The interesting thing is that Signal app does not appear to be vulnerable to QRLjacking exploit, despite the fact that they too link the desktop to mobile via QR code.
I am trying to figure out what is the secret sauce the Signal applies. Luckily, the code is here: https://github.com/signalapp/Signal-Desktop
Based on my analysis, here is what I think they do:
The user registers mobile device. The device sends signed pre-keys
to the Signal server
The user can chat with other Signal users using the end to end encrypted protocol, but what is more interesting to me is how they prevent QR vulnerability when linking to desktop.
User installs the desktop app. First thing to note is that it is a JavaScript app packaged using electron. This makes it difficult to use in social engineering techniques. The installation package can be signed and verified to be trusted.
Upon installation, the desktop app generates the pre-keys and sends them to the server.
The desktop uses its own public key to check with the server if it is linked to mobile. If not, proceed to step 6.
Send the public key to the server under a UUID key. The server stores it. The UUID is used for QR code.
The user lifts up his mobile device and scans the QR code with the signal app.
The mobile app uses the QR code to download the desktop app's public key.
The mobile app sends an encrypted confirmation message to the desktop app, which the desktop app verifies using it's private key.
The desktop app app asks the user to name this desktop app, typically this is the name of the host it is running on. The desktop app sends this message to the mobile (encrypted, of course).
On the mobile, the linked device now shows up. At any time the user can remove the linked device, which becomes immediately known to the desktop.
I do not believe the server is used to retain messages at all. I think the desktop synchronizes with mobile on-demand.
In summary, the QRLjacking exploit is mitigated by Signal in the following manner:
The app is not browser-based and is instead installed. The installation package can be signed and verified with a certificate.
The desktop app can also securely store keys locally, not on the server. That makes it difficult to pursue a social engineering attack since that would require physically taking over the machine the desktop app is running on.
Is my analysis correct?
I want to create a webpage that will access the USB port of the client. Intent is to configure the hardware connected the USB port. I can do a desktop application because the configuration option is different for different hardware. connected and I need to pull this code dynamically from the server. I am not a web programmer. It will great to find the best way to do this.
It ends up that I am attempting to write an app that performs something similar. What I am doing, instead is writing both the web server and the web page. Use something simple, like DLib for the web server, to serve the data to the end user.
This is how it works:
The web server handles the USB connection. If written in C++ or some other native language, you will have much more control over the device. The web page is then loaded from the web server that you have written. In the web page, you can have some sort of javascript worker, etc. to constantly pull new data from the server and push data from the web interface to the USB device. This also adds a layer of protection because you can ensure that the user has not made any modifications to the web page.
The main drawback to this possibility is that you will be required to install the server on the client's machine. However, this can be circumvented by writing this as a applet that can be embedded within the page!
It is possible to write a browser plugin that communicates with USB devices. An example of an app that does that is MyTrezor.com, but unfortunately I don't think you can see the source of their plugin.
Another option might be to use the chrome.usb or chrome.serial Javascript API, but this means your app would only work in Google Chrome, and it would have to be installed as a Chrome packaged app, a special thing that looks more like a native app than a web page.
I just came across Google Native Client
Now, it looks really interesting that they ported Quake to run on a Browser and you can run C++ code on a browser to process things more quickly, but I am trying to understand, what is the practical usage of NaCl?
What is the vision behind this by Google? To run software as a service on their "cloud" OS..err browser?
For example: Run Photosphop CS 5 on your browser?!
Anything you can do with ActiveX, but far more secure.
Elaboration:
Google Native Client allows you to run machine code locally and natively, but sandboxed insofar as only allowing access to protected memory regions and disabling exploits in the machine code relating to processor errata (certain sequences of machine code operations which act strangely on particular processors). Additionally, certain APIs are available (such as OpenGL) and there is interprocess communication with Javascript running with the page, allowing webapps which have a fast, powerful native backend.
It would be quite difficult to use the Win32 API to generate any native windows or controls with Google Native Client, whereas it'd be probably a bit easier with ActiveX. However, ActiveX is generally used with things like "Quake Live" to provide a fast, native experience for the player, and additionally for Internet Explorer 'plug-ins' -- the Flash plug-in is ActiveX, for instance, and uses native code (i.e., the plugin is compiled to machine code).
What are some platform-specific API's that web browsers use to securely save passwords with reversible encryption on local systems?
Since they must be able to reproduce the exact characters to pass up to a web site, the data can't be a one-way hash. My initial thought is there are system methods which utilize your current authentication data to perform encryption/decryption, but do not give access to applications to read it (your system login data) directly. I'm wondering what these are on different platforms (Windows, Linux, OS X) and how well they protect the information if the hard drive is accessed directly; i.e. a stolen laptop hard drive is placed into another computer or analyzed via a Live CD.
Here's how google chrome does it. Looks like they use CryptProtectData on windows.