How Does the Chrome/Firefox Extension Work? Is It Secure?

Introduction

Strongbox integrates through an AutoFill extension for Firefox and Chromium browsers. Safari uses a different system-level mechanism. You may have noticed the extension in your browser's plugin or add-on store. This provides a super convenient way to fill in your credentials inline in your browser. It's also very secure, much more so than plain old copy/paste. Below we provide a synopsis of how this mechanism works at a technical level, and the design choices we made during development.

Native Messaging

We use Native Messaging for communication between the browser and Strongbox. This uses stdin/stdout as the channel, so it is local, on-device-only IPC (inter-process communication). No open ports.

To use Native Messaging, Strongbox must install a "manifest" file on your Mac specifying which browser extension it can communicate with. Without this manifest, no Native Messaging communication is possible, and installing a browser extension alone cannot create it. This means an attacker needs to be able to write to your Mac, using an app or physical access, before they can use Native Messaging. Strongbox installs the manifest when you install it from the App Store. If you don't have Strongbox installed, the Strongbox browser extension that you install won't be able to use Native Messaging. So, you need both Strongbox Pro and the browser extension installed before communication across this channel is possible.
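To see which extensions the manifests on your own Mac authorise, here is an added example (not Strongbox's code) that audits the per-user Native Messaging manifests in the standard Chrome and Firefox directories on macOS. The function names, the set of checks and the finding strings are this example's own choices.

```python
import json
import os
import stat
from pathlib import Path

# Standard per-user manifest directories on macOS (Chrome, Firefox).
MANIFEST_DIRS = [
    "~/Library/Application Support/Google/Chrome/NativeMessagingHosts",
    "~/Library/Application Support/Mozilla/NativeMessagingHosts",
]

def writable_by_others(path):
    """True if group or other users could modify the file."""
    return bool(os.stat(path).st_mode & (stat.S_IWGRP | stat.S_IWOTH))

def audit_manifest(manifest_path):
    """Return (host name, allowed extensions, list of findings)."""
    manifest_path = Path(manifest_path)
    data = json.loads(manifest_path.read_text(encoding="utf-8"))
    # Chrome lists extensions in allowed_origins, Firefox in allowed_extensions.
    allowed = data.get("allowed_origins", []) + data.get("allowed_extensions", [])
    findings = []
    if data.get("type") != "stdio":
        findings.append("type is not stdio")
    if not allowed:
        findings.append("no allowed extension listed")
    if any("*" in entry for entry in allowed):
        findings.append("wildcard in allowed extension list")
    host = data.get("path", "")
    if not os.path.isabs(host):
        findings.append("host path is not absolute")
    elif not os.path.exists(host):
        findings.append("host binary missing")
    elif writable_by_others(host):
        findings.append("host binary writable by group/other")
    if writable_by_others(manifest_path):
        findings.append("manifest writable by group/other")
    return data.get("name"), allowed, findings

def audit_all(dirs=MANIFEST_DIRS):
    """Audit every *.json manifest found in the given directories."""
    return {str(p): audit_manifest(p)
            for d in dirs for p in sorted(Path(d).expanduser().glob("*.json"))}

if __name__ == "__main__":
    for path, (name, allowed, findings) in audit_all().items():
        print(path, name, allowed, findings or "ok")
```

An unexpected manifest, or an extension ID you don't recognise in the allowed list, is worth investigating, since the manifest is what authorises an extension to start the host process.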

Unix Local Domain Socket

For technical reasons (browsers launch a new process for each message) this goes through a small proxy helper app called "afproxy". Afproxy then communicates with Strongbox using a Unix Local Domain socket for IPC. So, again, local/on-device inter-process communication. No TCP/IP or networking sockets/open ports.

End to End Public Key Encryption

To avoid casual snooping we also encrypt all traffic end to end using asymmetric encryption (e.g. public/private key pair, ephemeral) with a technique called a "Crypto Box" or a "Secret Key Box". You can read a bit more on that here.

Open Source

The code underlying all of this functionality can be found in our usual location on GitHub here. Please feel free to inspect and/or suggest changes/improvements using the tools there.

Baseline Security Assumptions and Threat Models

Our baseline assumption is that we are working on a secure device, and we consider all bets to be off if there's malicious code running on your device. It is extremely difficult if not impossible to protect against any kind of threat in that situation. If your machine is already compromised, or an attacker is capable of running arbitrary code locally, then there are easier ways to get your secrets than hacking the IPC mechanism of an already unlocked database, e.g. keyboard monitoring, screen recording, in-memory debugging/dumping etc.

As you can see from the above, we go above and beyond to make it very difficult for a casual attacker to intercept your secrets. Indeed, by definition, if an attacker defeats the above barriers then they are no longer a casual attacker. It is possible for a (very) dedicated attacker to develop a program that pretends to be, say, Chrome and requests passwords using this mechanism. This would be a special form of malware, but you'd have to have it on your system and you'd have to allow it to run, and the database would have to be already unlocked. This is an unlikely scenario, but of course it's possible, just as a special case of the more general point above about running malicious code on a compromised system. This is in a different league of sophistication than a random app reading your clipboard or capturing screenshots.

Opt Out

If you have any concerns around any of this, if it simply doesn't fit your personal threat model or security scenario, you can switch this functionality off completely:

Preferences > Advanced > Enable Third Party AutoFill > Switch OFF

or possibly (depending on your version):

Preferences > Advanced > Chrome & Firefox AutoFill Extension > Switch OFF

Conclusion

We hope this helps to assuage any fears you may have, and answer any questions. We hope you'll love the new AutoFill extension on your favourite browser. Alternatively, if it's not for you, that's fine too.