Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Qubes OS browser extension for passwords and passkeys #9695

Open
DemiMarie opened this issue Jan 8, 2025 · 6 comments
Open

Qubes OS browser extension for passwords and passkeys #9695

DemiMarie opened this issue Jan 8, 2025 · 6 comments
Labels
C: other P: default Priority: default. Default priority for new issues, to be replaced given sufficient information. security This issue pertains to the security of Qubes OS. T: enhancement Type: enhancement. A new feature that does not yet exist or improvement of existing functionality. ux User experience

Comments

@DemiMarie
Copy link

How to file a helpful issue

The problem you're addressing (if any)

Password management in Qubes OS is non-trivial and not (inherently) phishing-resistant. Browsers on Qubes OS do not support passkeys.

The solution you'd like

Qubes OS should provide a browser extension that implements password and passkey management. The browser extension would use Native Messaging to communicate with a daemon (written in Python or Rust) that in turn communicates with the vault VM over qrexec. Passkeys can be stored in software (default) or a hardware token (needed for attestation).

The value to a user, and who that user might be

All users willl benefit from better password management and from native passkey support.

Completion criteria checklist

(This section is for developer use only. Please do not modify it.)
@DemiMarie DemiMarie added T: enhancement Type: enhancement. A new feature that does not yet exist or improvement of existing functionality. ux User experience security This issue pertains to the security of Qubes OS. P: default Priority: default. Default priority for new issues, to be replaced given sufficient information. labels Jan 8, 2025
@andrewdavidwong andrewdavidwong mentioned this issue Jan 9, 2025
Open
@ben-grande
Copy link

Demi, isn't this issue two things, the server side and the client side? Shouldn't they be two issues to not limit the server side and client side implementation to one design?

The title specifies the client implementation:

Qubes OS browser extension for passwords and passkeys

But that would limit to only configured browses to use that, an not other browsers or local applications. That is limiting the usage of this tool. Can it be not specific to browsers? Or are you talking about a specific key that is used only in browsers such as Android device being used as a security key?

@DemiMarie
Copy link
Author

DemiMarie commented Jan 9, 2025
edited
Loading

A better approach would be the following:

  1. A cross-VM implementation of proposed XDG Credentials Portal implementation.
  2. A cross-VM password manager interface:
  3. Browser support for 1 and 2, either by native support in browsers or a browser extension and native messaging host. This part is not specific to Qubes OS at all.
  4. A pure-software passkey implementation.

It would be simpler to implement 3 directly in terms of a Qubes OS-specific interface, but this would not integrate with or advance the broader Linux desktop ecosystem. I would prefer for Qubes OS to not do everything itself.

@marmarek: Is it okay to use D-Bus as a cross-VM wire protocol, if the D-Bus server is written in a memory-safe language?

@marmarek
Copy link
Member

marmarek commented Jan 9, 2025

@marmarek: Is it okay to use D-Bus as a cross-VM wire protocol, if the D-Bus server is written in a memory-safe language?

No.

@DemiMarie
Copy link
Author

@marmarek: Is it okay to use D-Bus as a cross-VM wire protocol, if the D-Bus server is written in a memory-safe language?

No.

Is this because of parsing complexity? To clarify, this would be a peer-to-peer connection, without a broker involved.

@marmarek
Copy link
Member

marmarek commented Jan 9, 2025

Is this because of parsing complexity? To clarify, this would be a peer-to-peer connection, without a broker involved.

That is one reason, yes. But also audit complexity, hard to write strict policy and many more. For password manager like service it really doesn't need to be this complex, you more or less need a request with some service id (website URL?) and response with username+password.

@andrewdavidwong
Copy link
Member

A better approach would be the following:

  1. A cross-VM implementation of proposed XDG Credentials Portal implementation.

  2. A cross-VM password manager interface:

  3. Browser support for 1 and 2, either by native support in browsers or a browser extension and native messaging host. This part is not specific to Qubes OS at all.

  4. A pure-software passkey implementation.

Sounds like it might make sense to turn this into a GitHub project and create separate issues for each part.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
C: other P: default Priority: default. Default priority for new issues, to be replaced given sufficient information. security This issue pertains to the security of Qubes OS. T: enhancement Type: enhancement. A new feature that does not yet exist or improvement of existing functionality. ux User experience
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@marmarek @DemiMarie @andrewdavidwong @ben-grande