3. Technology Curves 3.1 Web Extension Technology Web extension has the ability to call native binary code through scripting code in the ...
3. Technology Curves
3.1 Web Extension Technology Web extension has the ability to call native binary code through scripting code in the web browser. For International Journal of Intelligent Computing Research (IJICR), Volume 10, Issue 3, September 2019 Copyright © 2019, Infonomics Society 1015 the digital signature solution, JavaScript is calling either a native binary or scripting codes that connect to CryptoAPI and NSS libraries. In the last two decades, the web extension technology has evolved and curved its own survival and compatible lifecycle. Technologies such as ActiveX, Java Applet, Adobe Flash and Netscape Plugin Application Programming Interface (NPAPI) are among the pioneers of web extension. The challenge of the web extension is the development is in silos due to the technology and framework dependencies to the web browser. For Internet Explorer, the web extension is called ActiveX technology. It is first released in 1996 Error! Reference source not found. and designated for Internet Explorer.
Microsoft has provided a digital signature solution called as CAPICOM Error! Reference source not found.. It is a module to sign data and to verify a digital signature. With few lines of scripting codes in .NET framework, a user can access private key stored by CryptoAPI and perform generation and verification of PKCS#7 based digital signature. In 2011, Microsoft decided to discontinue the CAPICOM. This leaves developers with no option, other than to develop its own proprietary digital signature solution. The digital signature solution developed for Internet Explorer is using ActiveX technology with C++ as its primary language. The development involves CryptoAPI library and requires code sign to secure the distribution. The installation of the solution is as a series of steps, advised by an offline installer. It is automated which includes the secure registration of the ActiveX. However, for security purpose, a user manual intervention is required to approve the usage of the ActiveX by clicking the “OK” button on the site. A user requires to set the site as a trusted site with a medium security level. Missing these steps lead to the inability of a user to proceed with the digital signing and may result in a usability issue. A similar experience is observed when users engage with ActiveX technology Error! Reference source not found.. In the study, users tend to agree on either secure or non-secure ActiveX installation blindly, and it creates a bad computing practice and web accessibility crisis. In Google Chrome, the first pipeline of web extension being introduced to developers is a Netscape Plugin Application Programming Interface (NPAPI) Error! Reference source not found.. In 2015, for Chrome version 45, Google decided to remove all NPAPI support plugin permanently. Google introduced Chrome Extension to access the operating system features. The Chrome Extension for the digital signature solution is using C++ language and JavaScript. The Chrome extension is the first development experience in understanding the architecture of web extension with native messaging. The web extension calls CryptoAPI library and shares user certificate information with Microsoft certificate manager. With one time of importing certificate, the certificate information is available in both Google Chrome and Microsoft web browser. For installation and management of chrome extension, Google provides chrome web store to ensure the trustworthy of chrome extensions. For Mozilla Firefox, the web extension is first based on Netscape Plugin Application Programming Interface (NPAPI). It is an application programming interface (API) that allows a plugin development in C++ language. It first developed for Netscape browsers, starting in 1995 with Netscape Navigator 2.0. In 2015, add-on technology was introduced for Mozilla Firefox. It provides a set of simple API that allows developers to enhance the functionalities of the web browser. Mozilla provides an add-on SDK which allows calls of NSS API from JavaScript. NSS API calls the native NSS library to access the private key in the hardware token for signing purposes. Since the development is in JavaScript, the deployment of the add-on version of the digital signature solution is preferable than the ActiveX and Chrome extension. There is no offline installer as the add-on is listed online as a trusted add-on in the Mozilla Add-ons (AMO). Implementation of the digital signature solution, albeit using different technologies for multiple web browsers, each produces an average of 1255 lines of codes. In details, for ActiveX with implementation in C++ language, produces a total of 1175 lines of codes. For Chrome extension written with C++ and JavaScript languages, produces a total of 1484 lines of code.
For Add-On written in JavaScript, the total line of codes is 1105. 3.2 Web Browser Technology A new version of web browser leads to possibilities of a new version of web extension and new policies for the web browser. For example, in the development span of two years, Mozilla Firefox has started with version 38 and ended with version 57. The version releases considered as rapid development and based on the bugs fixed in the Mozilla web browser; the web extension has completed five iterations of a new release. The new policies have a direct impact on the architecture and the design of the web extension. The following is the real cases derived from the new release and the new policy of web browser. 3.2
.1. New Release. Mozilla released a compatibility issue bug number 1241646 for Mozilla Firefox version 47. In this issue, Mozilla removed unused token arguments from ‘nsIX509CertDB’ function which is used to list the user certificates. The issue leads to halt the add-on when it is executed. This issue required codes changes and resulted in a new version of the add-on. Mozilla released a compatibility issue International Journal of Intelligent Computing Research (IJICR), Volume 10, Issue 3, September 2019 Copyright © 2019, Infonomics Society 1016 bug number 1284946 for Mozilla Firefox version 50. In this issue, Mozilla has removed three functionalities in the NSS library, which are ‘nsIX509Cert.getUsagesArray’, ‘requestUsagesArrayAsync’, and ‘getUsagesString’, which is used to view the content and key usage of the certificate. The issue leads to halt the add-on when it is executed. The content ‘Certificate Key Usage’ as in Figure 2, is removed. This issue required codes changes and resulted in a new version of the add-on. Mozilla released a compatibility issue bug numbered 857627 for Mozilla Firefox version 53. In this issue, Mozilla has advised the developer, not to expose the NSS certificate nickname API in the Personal Security Manager (PSM) interfaces. Based on the bug, the certificate nickname as shown in Figure 2 has been updated to “Sarah Othman” which is a common name from the user’s certificate, as shown in Figure 3. This issue required codes changes and resulted in a new version of the add-on. Figure 2 : Certificate Key Usage Figure 3 : Certificate Nickname Every new version of add-on requires signing by Mozilla. The signing process requires the add-on to be uploaded. The signing time is varied and dependent on the number of add-ons in a queue. Thus, as new developers, it is essential to prepare the stability of the digital signature solution for every new release of the web browser by leveraging a web development platform which is Mozilla Firefox Developer Edition. 3.2.2.
New Policy. The availability of the web extension technology is dependent on policies set for the web browser. For Internet Explorer, the ActiveX technology has been standing for 22 years. In July 2015, the first version of the digital signature solution (ActiveX) was first released. For the last two years of its released, minimal changes are performed, since there is no rapid development performed by Microsoft. ActiveX is the longest standing web extension technology. However, ActiveX is not supported in Microsoft Edge. In 2017, Microsoft announced the alternative to ActiveX, which are Microsoft Edge extension with native messaging Error! Reference source not found.. The announcement shall open a new development phase for developing the digital signature, dedicated to Microsoft Edge.
No comments