Security of native messaging?

2019-02-20 04:12发布

问题:

I have a NPAPI plugin for sign-in data on website.

I want to replace it by Native Messaging technology. I have read the documentation, but I have a question : Is this technology safe?

Can hackers catch data in transfer from JavaScript to native host app and back?

Edit: merging in a better-worded question:

  • How secure is stdio data transfer ?
  • Is there a way for man-in-middle attack for such data transfer ?

回答1:

It is, in principle, possible to inspect stdio calls made by an executable.

For instance, on Linux systems, you can use strace for that purpose. I don't know a similar Windows tool, but it's conceivable that it exists.

That would be akin to attaching a debugger to the browser/native host itself, and can only be done by someone who has access to the local machine with the same user credentials or administrative access. In particular, the user running Chrome can do it - just like he/she can use Dev Tools to inspect and intercept the data at the JavaScript side.

So, yes, in principle that can be intercepted, but only by someone will full rights to execute/debug code on the system it's running on, and OS takes care not to allow normal users to inspect processes of other users in this way.



回答2:

You realize, of course, that Native Messaging will ONLY work within the bounds of the machine: With native messaging the browser will communicate with your host application over stdin/stdout.

So what exactly is the problem here? If the Hackers are capable of listening to your stdin/stdout they are already on your machine - you've already lost.