3. Technology Curves
3.1 Web Extension Technology
Web extension has the ability to call native binary
code through scripting code in the web browser. For
International Journal of Intelligent Computing Research (IJICR), Volume 10, Issue 3, September 2019 Copyright © 2019, Infonomics Society 1015
the digital signature solution, JavaScript is calling
either a native binary or scripting codes that connect
to CryptoAPI and NSS libraries. In the last two
decades, the web extension technology has evolved
and curved its own survival and compatible lifecycle.
Technologies such as ActiveX, Java Applet, Adobe
Flash and Netscape Plugin Application Programming
Interface (NPAPI) are among the pioneers of web
extension. The challenge of the web extension is the
development is in silos due to the technology and
framework dependencies to the web browser.
For Internet Explorer, the web extension is called
ActiveX technology. It is first released in 1996 Error!
Reference source not found. and designated for
Internet Explorer.
Microsoft has provided a digital
signature solution called as CAPICOM Error!
Reference source not found.. It is a module to sign
data and to verify a digital signature. With few lines
of scripting codes in .NET framework, a user can
access private key stored by CryptoAPI and perform
generation and verification of PKCS#7 based digital
signature. In 2011, Microsoft decided to discontinue
the CAPICOM. This leaves developers with no
option, other than to develop its own proprietary
digital signature solution.
The digital signature solution developed for
Internet Explorer is using ActiveX technology with
C++ as its primary language. The development
involves CryptoAPI library and requires code sign to
secure the distribution. The installation of the solution
is as a series of steps, advised by an offline installer.
It is automated which includes the secure registration
of the ActiveX. However, for security purpose, a user
manual intervention is required to approve the usage
of the ActiveX by clicking the “OK” button on the
site. A user requires to set the site as a trusted site with
a medium security level. Missing these steps lead to
the inability of a user to proceed with the digital
signing and may result in a usability issue. A similar
experience is observed when users engage with
ActiveX technology Error! Reference source not
found.. In the study, users tend to agree on either
secure or non-secure ActiveX installation blindly, and
it creates a bad computing practice and web
accessibility crisis.
In Google Chrome, the first pipeline of web
extension being introduced to developers is a
Netscape Plugin Application Programming Interface
(NPAPI) Error! Reference source not found.. In
2015, for Chrome version 45, Google decided to
remove all NPAPI support plugin permanently.
Google introduced Chrome Extension to access the
operating system features. The Chrome Extension for
the digital signature solution is using C++ language
and JavaScript. The Chrome extension is the first
development experience in understanding the
architecture of web extension with native messaging.
The web extension calls CryptoAPI library and shares
user certificate information with Microsoft certificate
manager. With one time of importing certificate, the
certificate information is available in both Google
Chrome and Microsoft web browser. For installation
and management of chrome extension, Google
provides chrome web store to ensure the trustworthy
of chrome extensions.
For Mozilla Firefox, the web extension is first
based on Netscape Plugin Application Programming
Interface (NPAPI). It is an application programming
interface (API) that allows a plugin development in
C++ language. It first developed for Netscape
browsers, starting in 1995 with Netscape Navigator
2.0. In 2015, add-on technology was introduced for
Mozilla Firefox. It provides a set of simple API that
allows developers to enhance the functionalities of the
web browser. Mozilla provides an add-on SDK which
allows calls of NSS API from JavaScript. NSS API
calls the native NSS library to access the private key
in the hardware token for signing purposes. Since the
development is in JavaScript, the deployment of the
add-on version of the digital signature solution is
preferable than the ActiveX and Chrome extension.
There is no offline installer as the add-on is listed
online as a trusted add-on in the Mozilla Add-ons
(AMO).
Implementation of the digital signature solution,
albeit using different technologies for multiple web
browsers, each produces an average of 1255 lines of
codes. In details, for ActiveX with implementation in
C++ language, produces a total of 1175 lines of codes.
For Chrome extension written with C++ and
JavaScript languages, produces a total of 1484 lines of
code.
For Add-On written in JavaScript, the total line
of codes is 1105.
3.2 Web Browser Technology
A new version of web browser leads to possibilities
of a new version of web extension and new policies
for the web browser. For example, in the development
span of two years, Mozilla Firefox has started with
version 38 and ended with version 57. The version
releases considered as rapid development and based
on the bugs fixed in the Mozilla web browser; the web
extension has completed five iterations of a new
release. The new policies have a direct impact on the
architecture and the design of the web extension. The
following is the real cases derived from the new
release and the new policy of web browser.
3.2
.1. New Release. Mozilla released a compatibility
issue bug number 1241646 for Mozilla Firefox
version 47. In this issue, Mozilla removed unused
token arguments from ‘nsIX509CertDB’ function
which is used to list the user certificates. The issue
leads to halt the add-on when it is executed. This issue
required codes changes and resulted in a new version
of the add-on. Mozilla released a compatibility issue
International Journal of Intelligent Computing Research (IJICR), Volume 10, Issue 3, September 2019 Copyright © 2019, Infonomics Society 1016
bug number 1284946 for Mozilla Firefox version 50.
In this issue, Mozilla has removed three
functionalities in the NSS library, which are
‘nsIX509Cert.getUsagesArray’,
‘requestUsagesArrayAsync’, and ‘getUsagesString’,
which is used to view the content and key usage of the
certificate. The issue leads to halt the add-on when it
is executed. The content ‘Certificate Key Usage’ as in
Figure 2, is removed. This issue required codes
changes and resulted in a new version of the add-on.
Mozilla released a compatibility issue bug
numbered 857627 for Mozilla Firefox version 53. In
this issue, Mozilla has advised the developer, not to
expose the NSS certificate nickname API in the
Personal Security Manager (PSM) interfaces. Based
on the bug, the certificate nickname as shown in
Figure 2 has been updated to “Sarah Othman” which
is a common name from the user’s certificate, as
shown in Figure 3. This issue required codes changes
and resulted in a new version of the add-on.
Figure 2 : Certificate Key Usage
Figure 3 : Certificate Nickname
Every new version of add-on requires signing by
Mozilla. The signing process requires the add-on to be
uploaded. The signing time is varied and dependent
on the number of add-ons in a queue. Thus, as new
developers, it is essential to prepare the stability of the
digital signature solution for every new release of the
web browser by leveraging a web development
platform which is Mozilla Firefox Developer Edition.
3.2.2.
New Policy. The availability of the web
extension technology is dependent on policies set for
the web browser. For Internet Explorer, the ActiveX
technology has been standing for 22 years. In July
2015, the first version of the digital signature solution
(ActiveX) was first released. For the last two years of
its released, minimal changes are performed, since
there is no rapid development performed by
Microsoft. ActiveX is the longest standing web
extension technology. However, ActiveX is not
supported in Microsoft Edge. In 2017, Microsoft
announced the alternative to ActiveX, which are
Microsoft Edge extension with native messaging
Error! Reference source not found.. The
announcement shall open a new development phase
for developing the digital signature, dedicated to
Microsoft Edge.
