
Releases: lexansoft/ethereum-chrome

Proof of concept

19 Feb 19:53
Pre-release

Ethereum Chrome Extension (PoC)

This is just an experiment. It is not a released product in any way. It is just a discussion in the form of code rather than talk.

Do we really need a separate browser for Ethereum DApps? I do not know, maybe not. Wouldn't it be better to make the normal browser recognize such applications and treat them properly? I am sure Occam would agree with that.

So I tried to investigate the possibility of a Chrome Ethereum extension. Here is my report.

Install the extension

Go to the extension page: Ethereum-Chrome and click "Add to Chrome".

Then open the settings/extensions page and allow the Ethereum plugin to access local files:

[screenshot: allow_files]

Allow personal services in geth

To make the extension work, we need to allow geth to process personal requests:

geth --rpc --rpcapi "db,eth,net,personal,web3"

Test page

I created a small test page that performs some simple tests. You can download the page from this repository: Test Folder. Do not forget the etherid.js file; it is used too.

Open the test page from your local drive. You should see this:

[screenshot: test_page]

The test page does the following:

  1. It checks that the web3 object is available in the page.
  2. It checks that the web3 object does, in fact, use the plugin provider.
  3. It gets the current gas price and shows it.
  4. It gets the information about the last synced block and shows its number.
  5. Finally, it tries to call a contract. I use the EtherID contract for testing. The page first calls a static method to get the information about the domain "test", and then it sends a transaction trying to change one of the domain's IDs. Such a transaction requires unlocking the account. The extension holds the transaction instead of sending it to geth and starts blinking the Ethereum icon:

[screenshot: eth_icon]

Click on the icon. You will see the confirmation dialog:

[screenshot: confirmation_dlg]

If you enter the proper password and click Confirm, the account will be unlocked and the transaction goes through:

[screenshot: confirmed]

It works!

Comments

Security

Of course, the main concern is security. Is it secure to pass the password to the Chrome extension?

Chrome does a good job of separating the extension's context from the pages. I think it is impossible to interfere with the extension from pages directly.

The extension is written in JavaScript, and Chrome has the ability to debug extensions. That means you can easily open the extension in the debugger and actually see the password you sent. Is it a concern? I would say some concern for sure, but you understand that to do it, someone would need access to your Chrome and would actually have to play with the debugger.

Another point: the password is sent through the JSON-HTTP interface. It is not very secure. Mist and the wallet now use IPC communication with the node, and that is much more secure. The problem is, I cannot find any way to establish an IPC connection from a Chrome extension. Maybe someone has an idea how to do it?

Another big concern is the unlocking of the account itself. I was kind of surprised to realize that in Mist, when you send a transaction, it unlocks the account first for 2 seconds and then submits the transaction itself. I do the same in this extension now. But isn't it a stupid thing to do? Imagine a script submitting fraudulent transactions every 500ms directly to your node. Once Mist unlocks the account for 2 seconds, some of them will go through. I think we have to transmit the password with the transaction, and the account should not be generally unlocked at all. But, again, this is not the extension's problem.

Blinking icon

Why a blinking icon? Why not inject the dialog into the page and actually open the confirmation dialog there? The answer is simple. Yes, it is possible, but how can you be sure that the dialog requesting your password is in fact from the extension? Some fraudulent website could emulate the look and feel of such a dialog.

The icon is the only little guaranteed element of the extension. If you see the dialog as the extension popup, you can be sure it is the extension that asks you for the password.

Of course, it would be perfect if the extension could open the popup itself, but Chrome does not allow it.

What next

I have some hope for the Chrome Native Client. Even if it does not help with the IPC connection, it will be much more secure. Stay tuned, I will be posting more.

Discussion

My main intention is to start the discussion, and if you have anything to say or comment, please feel free to do it. I will post the link to this document on Reddit and the Ethereum forum.

Thank you.

Alex Na