Auto-filling in web browsers on desktops is the result of the following three components working together. They communicate through local WebSockets, which reduces the chance of information leakage.
- Main Enpass app- This is the main application that you launch yourself and that runs as its own process in the OS. Of all the components, only it can access the data in the encrypted Enpass keychain. When you use the extension for Autofill, the main app must be running, either in the background or minimized to the system tray.
- Enpass browser extension- The Enpass Extension communicates with a browser only after the browser's code signature has been verified. Clicking the Extension icon or pressing the shortcut securely sends a request to the main Enpass app for the login credentials of that particular domain. In response, the main Enpass app sends the requested information to the Extension for auto-filling.
- Enpass Helper- Enpass Helper always runs in the background as a separate OS process and is responsible for presenting the user interface in the browser: it shows the list of matching items and takes the user's input to select the item for autofill. There is never any direct communication between the Helper and the Extension; the Helper communicates only with the main Enpass app.
The following precautions have been taken to keep the data secure from any unauthorized access.
- Extension Validity Check- When a browser extension tries to connect to the main app, we verify the origin of the connection: it must be the unique identifier of our browser extension, and the browser will not allow two extensions with the same ID.
- Browser Validity Check- When a browser extension tries to connect to the main app, we also verify the browser's authenticity by checking its code-signing signature, i.e. the browser must be code-signed with the relevant company's certificate (e.g. Chrome is signed by Google).
Note: The Browser Validity Check is not done on Linux, as code signing is not available there.
- Same-origin policy- To prevent attacks such as sweep-in, Enpass auto-fills only on web pages whose domain/host name matches the saved one. Furthermore, Enpass never automatically executes any script on page load to auto-fill; instead, it first presents a list of items matching the same domain/hostname and executes the autofill script only after the user has selected an item.
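The two checks above, the Extension Validity Check on the local WebSocket connection and the domain/host matching of the same-origin policy, as an added illustration that is not Enpass's own code. The extension IDs and vault entries are constructed placeholders, and the rule that a subdomain of the saved host also matches is an assumption, not something the page states.

```python
from urllib.parse import urlsplit

# Constructed placeholder extension origins; the real Enpass extension ID is not on this page.
ALLOWED_ORIGINS = {
    "chrome-extension://PLACEHOLDER_EXTENSION_ID",
    "moz-extension://00000000-0000-4000-8000-000000000000",
}

# Constructed sample vault entries (title and saved URL only).
SAMPLE_ITEMS = [
    {"title": "Example shop", "url": "https://example.com/login"},
    {"title": "Example bank", "url": "https://bank.example.net"},
]


def origin_allowed(headers, allowed=ALLOWED_ORIGINS):
    """Extension validity check on a local WebSocket upgrade request.

    `headers` is a dict of request headers (names compared case-insensitively).
    Only an exact match on a known extension origin passes; a missing Origin
    header or an ordinary page origin such as https://evil.example is refused.
    """
    origin = next((v for k, v in headers.items() if k.lower() == "origin"), None)
    if origin is None:
        return False
    return origin.strip().rstrip("/") in allowed


def host_matches(page_host, saved_host):
    """Same-origin rule: the page host must equal the saved host or (assumed
    here) be a subdomain of it. Suffix tricks such as example.com.evil.net and
    lookalikes such as notexample.com do not match."""
    page_host = page_host.lower().rstrip(".")
    saved_host = saved_host.lower().rstrip(".")
    return page_host == saved_host or page_host.endswith("." + saved_host)


def matching_items(page_url, items):
    """Return the saved items eligible for this page. Nothing is filled at this
    point: the list is what the user picks from before any autofill happens."""
    parts = urlsplit(page_url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return []
    return [it for it in items
            if host_matches(parts.hostname, urlsplit(it["url"]).hostname or "")]
```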