Skip to main content

Why a browser extension?

A browser extension is needed to provide functionalities such as auto filling your passwords when visiting known websites, but more importantly to maintain a higher level of security and provide a secure random number generator.

More info

A regular website serves users content in the form of html, javascript, css assets. It may be cached on a content delivery network (CDN) for speed, but everything is coming from one place. In the event of an attacker accessing the server, they may be able to change these assets, such as showing you modified content, or change the application logic.

The solution we opted-for to ensure code integrity was to split the application in two parts:

  1. Server side: the API who serves encrypted data
  2. Client side: the web extension who renders the assets and contains the logic to encrypt/decrypt data.

The web extension is published on browsers extension marketplaces (Firefox, Chrome, Edge). Each of them requires the extension to be cryptographically signed by Passbolt developers with a secret key, to make sure nobody can change that code while it is being transmitted from the marketplace.

Passbolt application and data delivery
fig. Passbolt application and data delivery

Some points you must be aware of:

  • The passbolt login page is rendered by the browser extension. By entering your passphrase, you unlock your PGP private key stored in the local storage of your browser to let the extension communicate with the passbolt API and perform the user authentication with GnuPG protocol.
  • Most of passbolt application (passwords, users, or profile namespaces) isn't rendered by the server but by the browser extension.
  • End-to-end encryption is provided by the browser extension.
End to end security using OpenPGP
fig. End to end security using OpenPGP

References: