Why does Safari extension use both WebSocket and Safari Extension Companion?

tienthanh411
tienthanh411
Community Member

I wonder why the Safari extension does not use only Safari Extension Companion. I couldn't find any document explaining how Safari Extension Companion works, but if it works the same way as Chrome's native messaging, it is probably more secure than WebSocket.


1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Sync Type: Not Provided

Comments

  • @tienthanh411,

    It doesn't actually use both, for now it is WebSockets only.

    Rudy

  • tienthanh411
    tienthanh411
    Community Member
    edited October 2017

    @rudy From what I understand, the extension uses WebSocket only for key exchange. After the key exchange, all data is transferred using Safari Extension Companion.

  • @tienthanh411,

    Nope, Safari Extension Companion is not used at all. All communication for Safari occurs over WebSockets.

    Rudy

  • tienthanh411
    tienthanh411
    Community Member
    edited October 2017

    @rudy Then I don't understand how passwords are transferred to the browser. I used Wireshark to capture all packets on the Loopback interface and I could see only the key exchange. I am pretty sure that no data is sent over WebSockets when I access my passwords via the extension interface. Unless the extension have direct access to the password vault, it cannot access the passwords without some communication with the native app.

    The reason why I am asking this is I am concerned about my passwords transferring over network channels like WebSocket. I was quite happy with the 1Password extension on Chrome because all communication is done over native messaging and was expecting something similar on Safari.

    I'd really appreciate if some explanations are provided.

  • @tienthanh411,

    I know with absolute certainty that the extension is sending the data over WebSockets after the initial handshake where the browser extension and 1Password mini establish their mutual authentication, they then encrypt all remaining traffic between the browser extension and 1Password mini.

    This is slated to be retired in the near future, to be replaced with a Safari App Extension.

    Rudy

This discussion has been closed.