 

How should I securely store passwords and use http auth in a chrome extension

I'm making a Chrome extension that requires fetching an XML file from a secure server.

I'm currently using XMLHttpRequest() to make a call to the server

https://username:[email protected]

which returns an XML object that I can parse and display. I want this extension to be available for more than just my hobby use, so it needs an options page to set and store the username and password.

How should I store the user password in Chrome so that it is secure? Chrome has a localStorage global for each extension that allows extension authors to store data, but it is stored in plain text. It doesn't allow extensions to access the 'remember my password' storage (with good reason).

And is there a more secure way to do HTTP auth? My current way of doing things requires passing the username/password in plain text in the URL each time the function is called, even if the authentication session hasn't expired.

Charles Ma asked Dec 25 '09 07:12


2 Answers

The problem with asking for a key is that it means that you'll have to prompt each time at startup (if you store the key, you have the same problem). This may be an OK tradeoff if what you're protecting is especially sensitive.

In general, Chrome takes the philosophy of trusting the OS to protect the user's profile where this data is stored, so if you use local storage to store passwords, it's no different than what Chrome is doing today with password autofill, browser history, etc.

Erik Kay answered Sep 27 '22 16:09


An idea: ask the user for a key, which you can use to symmetrically encrypt the values before putting them in localStorage. You could also generate a unique key per client based on certain unique aspects of his machine/browser/etc.

Traveling Tech Guy answered Sep 27 '22 17:09