DynaCrypt: Client-side Encryption via Chrome Plugin

Louis_Kirsch · June 14, 2020, 11:25am

Hi all,
I have been hacking this weekend and got a prototype for client side encryption via a chrome plugin ready.
Disclaimer:
I do not take any responsibility for the security of this extension or any data loss due to bugs or mishandling of passwords.
The extension is NOT production ready and has still to be through-roughly tested.

How it works:
It hijacks the XHR communication between the dynalist client and the dynalist server. All outgoing items are encrypted, all incoming items are decrypted.

What is still missing

Quick Dynalist support
Support for bookmarks / document names
Support for shared documents
Support for dates in google calendar
… something else?

The code is open-source and I would appreciate if a security expert could have a look

You can get the extension here (download the crx file): Release Initial prototype · louiskirsch/DynaCrypt · GitHub

Any feedback welcome I would appreciate if some of you could test this out with some test accounts and try to find failure cases.

Just set your encryption password

Then everything should look like normal Dynalist, but all new items are being encrypted.

If you deactivate the plugin you will see just this

With the plugin activated you will see the true content and everybody else (including the server and any hackers) will still see the above.

Also see

Steffen · June 14, 2020, 2:40pm

I’d love to try it out. But doesn’t seem to work with the Brave browser

Louis_Kirsch · June 14, 2020, 2:46pm

As far as I know the brave browser is chromium based and has a similar feature set. Where does the installation / use fail? Any console output?

I just tried it out, you can:

Download the zip from github

image2048×892 126 KB
Unpack it somewhere
Go to brave extensions
Enable developer mode
Select unpacked extension directory

You are good to go with brave

Shida · June 14, 2020, 8:12pm

Very impressive!

Steffen · June 15, 2020, 4:58am

Thank you, the installation worked.
But it seems like I cant set my password?
What should happen after I click “set password”?

Louis_Kirsch · June 15, 2020, 5:03am

Are you clicking the extension while being on dynalist.io ? Then after typing the password and selecting “set password” the page should refresh. Are you on the latest brave browser?

If it doesn’t refresh please open View > Developer > Javascript Console and send me the errors.

Steffen · June 15, 2020, 5:22am

It does not refresh and it is the latest browser.

Do these help?

DevTools failed to load SourceMap: Could not load content for chrome-extension://nkbihfbeogaeaoehlefnkodbefgpgknn/sourcemaps/contentscript.js.map: HTTP error: status code 404, net::ERR_UNKNOWN_URL_SCHEME
DevTools failed to load SourceMap: Could not load content for chrome-extension://nkbihfbeogaeaoehlefnkodbefgpgknn/sourcemaps/inpage.js.map: HTTP error: status code 404, net::ERR_UNKNOWN_URL_SCHEME
DevTools failed to load SourceMap: Could not load content for https://dynalist.io/assets/js/ext/jquery.min.js.map: HTTP error: status code 404, net::ERR_HTTP_RESPONSE_CODE_FAILURE
DevTools failed to load SourceMap: Could not load content for https://dynalist.io/assets/libs/raven.min.js.map: HTTP error: status code 404, net::ERR_HTTP_RESPONSE_CODE_FAILURE
DevTools failed to load SourceMap: Could not load content for https://dynalist.io/assets/js/ext/ext.min.js.map: HTTP error: status code 404, net::ERR_HTTP_RESPONSE_CODE_FAILURE
DevTools failed to load SourceMap: Could not load content for https://dynalist.io/assets/css/theme_scifi.css.map: HTTP error: status code 404, net::ERR_HTTP_RESPONSE_CODE_FAILURE
DevTools failed to load SourceMap: Could not load content for https://dynalist.io/assets/css/app.css.map: HTTP error: status code 404, net::ERR_HTTP_RESPONSE_CODE_FAILURE
DevTools failed to load SourceMap: Could not load content for https://dynalist.io/assets/css/print.css.map: HTTP error: status code 404, net::ERR_HTTP_RESPONSE_CODE_FAILURE
DevTools failed to load SourceMap: Could not load content for https://dynalist.io/assets/js/main.min.js.map: HTTP error: status code 404, net::ERR_HTTP_RESPONSE_CODE_FAILURE

Louis_Kirsch · June 15, 2020, 5:23am

Can you try deactivating your other extensions temporarily? I don’t think the first two errors are from mine.

EDIT: I think there is a bug the first time you load the extension, this should fix it (step 2):

Go to your dynalist with the plugin activated
Refresh the dynalist page manually
Click the extension icon, enter password
Site refreshes and encryption is activated

Steffen · June 15, 2020, 8:01am

That worked! Thank you!

Louis_Kirsch · June 15, 2020, 8:27am

Great!
I was thinking about alternative icons to denote encrypted items, which one do you prefer and think people are less likely to use in their dynalist already:

Steffen · June 15, 2020, 8:39am

I like the first.

Another thing is the whole set password feature. It works but is a bit confusing. Like when it is encrypted, when not, did my password get saved, etc.

Louis_Kirsch · June 15, 2020, 8:40am

Yes that’s fair, I will add UI elements to notify the user about the password being saved.
Also I will add a status element to the Dynalist UI saying ‘Client-side Encryption Enabled’ or similar.

Steffen · June 15, 2020, 9:02am

Cool, sounds great!

Louis_Kirsch · June 15, 2020, 9:27am

Also to be clear: The password is never saved in plain text.
I derive a symmetric key form it which is stored securely using a key storage which only allows for encryption & decryption within the page. An attacker could not extract the key even if it could insert malicious javascript code into the dynalist webpage (which is extremely difficult over https in the first place, but say if you had installed a malicious extension).
Though it could decrypt the documents on the page using the key of course.

CHIANG_E · June 15, 2020, 12:48pm

@Louis_Kirsch
Tested with success. Here are my input though I think you might have already captured them in your todo list.

password input with confirmation
allow password reset/change
change bullet shape to indicate Encryption status (eg from circle to diamond)
any change (intentional/accidental deletion or insertion) made to existing encryption code string (while extension is inactive) leads to permanent “ Could not decrypt”

Louis_Kirsch · June 15, 2020, 12:54pm

Thanks Chiang!

I guess with password change you refer to re-encryption of all data with the new password? This will be tricky to do with the current system – I have to think about how to do this.
What do you mean by password reset?

Same here, sounds great but will need a lot more meddling with the Dynalist code which could turn out to be tricky. Maybe @Shida has ideas how to do this easily.

Yes that’s right and I don’t think I can do anything about this because as you said – the plugin is off. What you can do though if you encounter ‘could not decrypt’ is go into your version history and undo the accidental change.

CHIANG_E · June 15, 2020, 1:04pm

Yes. Say I decided to change password to a stronger one, I was hoping the extension performs updating all existing encrypted text prior to password change, to match the latest password.

A good point!

Louis_Kirsch · June 15, 2020, 1:36pm

It’s tricky because in order to make it secure I would have to copy all your documents in order to discard the version history. In principle I could do that using the API - but it will be a bit of work.

Louis_Kirsch · June 16, 2020, 6:34am

@CHIANG_E @Steffen I have updated the interface

The little lock icons are a bit hacky right now though (basically using css rules) and I think it might slow down the client too much.
Maybe I can try to dig into the core Dynalist code to make it more efficient, otherwise I might have to remove them again.
EDIT: I think I found a more performant way of doing it.

As usual the update is on github ~~https://github.com/timediv/DynaCrypt/releases/tag/1.1~~
Release Updated interface · louiskirsch/DynaCrypt · GitHub

Steffen · June 16, 2020, 3:58pm

I updated, but now i cant decrypt my lists anymore. the new ones