The major one that concerns me is who is behind them. Even if we trust that their encryption is not backdoored, there is a lot of information that can be gathered just from the frequency of messages and who they are between.
If it came out that a three letter agency was running one of these networks, it would not suprise me at all.
Essentially, yeah? Unless you calculate the OTPs by pen and paper, you have to use some kind of software, and therefore you have to trust that it is safe. Writing your own like OP is actually a very safe option, because you can trust yourself, but everyone else needs to trust OP.
Attack vectors apply to the add-on itself, it is (potentially) the shady site. OP has the potential to update the add-on later with its own malicious code. This is true of all addons, hence the trust issue.
I dont have any problem with OP advertising their addon, but potential users should be aware of the risks.
I appreciate you have put effort into this, and you have gone out of your way to make it safer, but if the extension were to become malicious at a later date, expanding permissions (and relying on users brainlessly-clicking accept) or using an exploit or sidechannel would undo any of that.
The downside of browser extensions is that they are operating within a massive codebase, and thus have a huge attack surface if they decide to become malicious.
For what its worth, I commend your efforts here, its just near impossible to trust any peice of software not backed by the reputation of an established company/developer.
With all due respect, it doesnt matter what the code is right now. This is an extension that you can update at any point in the future to replace with something malicious.
Trust is near impossible to build in todays internet.
https://www.kaspersky.com.au/blog/dangerous-chrome-extensions-87-million/32170/
Note that a plugin’s malicious functionality can evolve over time in line with its owners’ goals. And the owners themselves may change: there have been cases when malicious features appeared in a previously safe extension after its creators sold the plugin to someone else.
Every day, millions of people discuss oil changes. If an article (was it an article or an ad?) is published on oil changes on X date, it is going to coincide with a large number of unlinked conversations. Today, it was you.
Once is a coincidence, if you can prove a pattern then you should concerned.
They are literally publically claiming that they have a zero day (or at least a zero day level capability). Google/Apple would be all over it trying to fix it. Cyber security researchers would be all over it as well.
NSA can get away with using 0 days for years because they keep quiet about them, and dont use them frivilously.
Almost every OS nowadays has some form of microphone detection right? So if this was on, you would be aware of it? And to jump ahead, even google is incentivised to prevent this company listening in, as they are direct competitor.
I wonder if this company is just trying to fleece advertisers with a made up tech? The “Claim your exclusive territory before your competitor” feels like the high pressure tactics that other scams use?
I might go disable the microphone in my TV remote anyway :/
There was a “quantum safe” encryption scheme proposed that had a non-quantum vulnerability found in it. Perhaps they are hedging against that occuring again? The scheme was rejected in the end so didnt matter to much.
I suspect screen readers and a11y tools hate this as well.