Privatebin webextension

[jroger2001]

Hi,

In order to fight censorship, I'd like to write a Firefox webextension wich relies on privatebin to prevent big social medias to be aware of what is displayed on their pages.

The privatebin extension would :

1. Detect privatebin.net links (or any domain specified by the user in the extension parameters) in the loaded page (already tested).
2. Download the cyphered payload from the server
3. Decypher the payload (webextension are written in javascript).
4. Display the clear message just under the link in the social media page.

Later, a filter would have to be set on server side to block direct requests from social medias IP (they have the link with the key in their databases, we don't want them to inspect the message content).

I know that I am naïve when it comes to encryption and computer security. What I am describing may not be achievable or not desirable, which is why I am just putting this simple idea before you.

Thanks for reading.

[rugk]

Technically

I am somewhat experienced in WebExtensions, and I'd say, sure, what you want to do is technically totally feasible, in theory. The hardest part that is not easily estimable as it is a problem being potentially infinite, may actually be supporting the different social media sites. Anyway, that's a thing that could be made modular, so contributors can take it and add support, following the FLOSS spirit.

But, practically?

Anyway, but let's take a step back. Aka, ask yourself: what problem does this extension solve? What do I want to achieve?
The thing is, I see practical problems here.

I'd like to write a Firefox webextension […] to prevent big social medias to be aware of what is displayed on their pages.

Okay, good aim. It's basically the big non-functional requirement of privacy (in the context of/on social media).
This easily slides into security and we'd need to talk about threat models here… to make a long story short, however, the big issue I see is, what makes social media websites prevent scraping the content from their own sites?
Technically? Nothing.

And this problem is not solvable, in a browser environment. At least not easily. You'd either need to embed some iframe, preferably with a custom background color, to differentiate it from fake (messages) – again I touch the question whether that would be in your threat model? This idea comes from Mailvelope, which e.g. does it like this…
Or you'd have to make big UX compromises, by using a popup window or similar things, where they really cannot access the data – as it is outside their reach (website) inside the WebExtension. That is surely possible. However, sounds not really what you'd want for a social network.

The last security side-note: As in 99% of the caes with PrivateBin MITM attacks are of course possible, the social media provider could just intercept the PrivateBin and create a new (fake) one. Or, after all, what prevents social media orgs to just query the link itself and just access the paste data – without modifying it?

The question also stands why one would use PrivateBin as an intermediary? What advantage does it have? Okay, it works for users without the web extension, they can just click the link…
One disadvantage would in any case be, you won't get it to work on mobile apps – which 80% of the users likely use, nowadays (wild guess).

Implementation notes

Anyway, if you'd wanted to do sth. like this, some hints/notes:

• We have an API and documented encryption format: https://github.com/PrivateBin/PrivateBin/wiki/API
• And reference third-party clients: https://github.com/PrivateBin/PrivateBin/wiki/Third-party-clients
• As WebExtensions are basically websites/use the same technology stack, the easiest way, however, may be to just reuse the PrivateBin client code somewhat (unfortunately this is not really extracted into a library. Doing that, may be a first good step, however, that would also be beneficial for similar projects and the PrivateBin main project, IMHO. (Open an issue for that though, first, to discuss the details.)
• Edit: The actually easiest solution, it just came to mind, may be to just convert the link to an iframe that is embedded in the website at the position. The good thing would be that this would be it, you'd have to do nothing with encryption or so, as of course the website is loaded as usual and it's done there. Also iframes are AFAIK quite secure from outside influence due to being a new origin (ref Same-Origin policy, but see the Mailvelope example above again.). The bad thing: It likely would look ugly.
• A hard issue may also be detecting PrivateBin links, as there are of course many instances, and supporting only one would be sad. (for a first implementation yes, I'd prototype it with one, but in production that may need fiddeling with a clever RegEx or so matching the – actually, rather not very unique – URL schema)
• Technically the CORS header could be problematic and in case of an iframe different CSP/X-Frame-Options headers, but a WebExtension could be made to circumvent that (aka remove these by intercepting the requests).

The question would be whether all that effort would be worth it. IMHO, this could be a fun project, sure. Tinkering with a prototype may be cool and absolutely do if you want to learn something or so. But in a productive use, I am unsure how usable and effective (in achieving the stated aims) it would be. But that is just my personal opinion.