<  Technical explanations

Operating and security principles of the browser extension

Compatibility

The browser extension is compatible with most commonly used browsers on MacOS, Windows and Linux (see the downloads page for more details).

The browser extension is not compatible with iOS and Android. On these platforms, UpSignOn offers the autofill built into the operating system. Follow the instructions on the settings page to configure this feature.

Connecting to the application

In all that follows we will call application the UpSignOn desktop software (or heavy client) and browser extension the software (or addon) installed specifically in each browser (Google Chrome, Firefox, Microsoft Edge, etc.)

To maximize the security of your data, we have designed the browser extension as an additional, non-standalone brick. The UpSignOn application (the desktop software) must be installed for the browser extension to work.

All cryptographic operations on vaults are performed in the application. The extension can only reflect the locked or unlocked status of a vault in the application. The extension thus benefits from the automatic locking features in case of inactivity and in case of session locking.

Websocket communication

Concretely, the browser extension connects via websocket to the application that listens to requests coming only from the computer (localhost).

Communication encryption

All exchanges between the application and the extension are encrypted so that no other application installed on your computer can have access to the data exchanged. The encryption algorithm used is AES-CBC-256 + HMAC-SHA256. NB, these algorithms were chosen according to current cryptographic standards and the implementations available in browsers.

Authorization procedure

The encryption and authentication keys used for these exchanges are configured during the initial authorization procedure of the browser extension.
Authorizing a browser extension requires unlocking a vault (any vault).

Revocation

At any time, the user can decide to revoke the authorization of an extension from the dedicated page in the application settings.
In addition, the authorization of an extension is associated with the vault used at initialization. When this vault is deleted in the application, the associated extensions are immediately revoked.

Special case of Windows RDS servers

On Windows RDS servers where multiple users can use UpSignOn simultaneously, each user sees a status of the application and of the extension that is specific to him. Each user must authorize his browser extension. The extension uses a different port for each user and data exchange between the extension and the application of different user sessions is not possible.

Special case of Linux

Configuring browser extensions requires the upsignon: protocol to be associated with the UpSignOn application and to be working correctly. See installation instructions on the page dedicated to Linux.

Security and limitations of autofill

In the following, we will call popup the browser extension window that opens when clicking on the UpSignOn icon in the browser menu bar. We will call injected content the bubbles displaying content added by the UpSignOn extension in a web page.

Just-in-time principle

The browser extension, whether its popup or its injected content, only has access to the real passwords when a password field must be filled in. In other words, when the extension displays '*******' for a password, the browser and the web page do not see the real underlying password, which therefore remains protected.

Autofill conditions

Filling in a website form is fully automatic (i.e. without user action) only in the following cases:

  • there is only one account in your vault that could match this form
  • the URL of the account registered for this site in your vault is valid
  • the domain name of the page is strictly the same domain or a subdomain of the URL registered for this account in your vault. NB: the extension can recognize root domains, including those composed of multiple roots and will not fill in a password if the domain name of the registered account is composed only of root domains.

Non-filling cases

The browser extension will not fill a form automatically or semi-automatically (i.e. triggered by a user action), if:

  • the form is added to the page via an iframe that is not a direct child of the main page
  • the form is added to the page via an iframe whose domain name is not identical to the domain name of the main page (this case poses security issues and is not yet handled)
  • if the way the form is coded does not allow the login and password fields to be identified
  • if the website publisher has implemented mechanisms to prevent automatic filling by robots

We advise developers to consult our recommendations on login forms.

When neither autofill nor forcefill works, the user still has the option to copy-paste the login and password from the extension popup.

<  Technical explanations