Browser extensions are additional software that is installed in the browser. They communicate with the Enpass app over a local WebSocket. Each extension has to be paired with user intervention, which reduces the chance of information leakage. All information is exchanged over an encrypted channel whose key is derived with an SRP handshake for each session.
The following precautions have been taken to keep the data secure from unauthorized access.
- Extension Validity Check - When a browser extension tries to connect to the main Enpass app, we verify the origin of the connection: it must be the unique identifier of our browser extension, and the browser will not allow installation of two extensions with the same ID.
- Browser Validity Check - When a browser extension tries to connect to the main Enpass app, we also verify the browser's authenticity by checking its code signature, i.e. the browser must be code signed with the relevant company's certificate (e.g. Chrome is signed by Google). If a browser is code signed but not in our whitelist, an additional confirmation is required on whether it should be allowed to connect to Enpass. Note: the Browser Validity Check is not done on Linux, as code signing is not available there.
- Pairing - The browser extension initiates an SRP handshake using a displayed pairing code. The user has to enter that pairing code into Enpass manually. If the pairing code matches, both the Enpass app and the browser extension hold a common secret at the end of the handshake, and further communication is encrypted with that secret. The browser extension also stores a pairing key provided for later sessions; it is kept in the extension sandbox. The user can opt not to store the next-session pairing key, in which case the browser has to pair again for every browser session.
- Same-origin policy - To prevent attacks such as sweep-in, Enpass autofills only on web pages whose domain/host name matches the saved one. Furthermore, Enpass never automatically executes any script on page load for autofilling; instead it first presents a list of items matching the same domain/host name and executes the autofill script only once the user has selected the item to fill with.