Can I refuse Browser add-on?

Hi I have self-hosted passbolt on Rocky 8.5

Trying to make myself a client account (web interface as usual), and it really wants me to install the browser extension, but I definitely don't want the browser extension.

Is there a way to disable it forcing me to do this?
And also is there a way to stop passbolt from sharing information with the browser extension if it is installed?
Browser extensions are minus safety.

I see other people interested in this going forward:

I’m not sure about the reasoning:
“to ensure the integrity of the cryptographic code and provide a secure random number generator.”
because if you have an extension team that goes bad and puts malicious code in their browser extension then what stops that extension from viewing activity from the passbolt extension?

Hello @pasbbolting. As you are learning, Passbolt has two parts to the app - the backend API on the server, and the front-end client-side private-key-holding extension. Many are surprised to learn how much of the UI is actually coming from the extension, and not the server.

Well, you could stay away from using the browser altogether. Browser use of passbolt = using the extension.

I’m not sure if I understand this correctly, but your question may reflect that you think the passbolt browser use is not actually the extension itself. Passbolt installations will actually only share information with properly authenticated API requests (whether from the approved passbolt extension or another source of your choosing and creation).

It is possible to use Passbolt without an extension, but this would allow working only with the backend API, either via command line, or endpoint calls via the web (internal or external networks). Other than setup UI, the rest of passbolt’s UI code is in the extension (broad generalization and mostly true).

When it comes to the safety of extensions in general, I can’t really argue for or against the point. However, the Passbolt extension is Cure53 reviewed for security so if by “extension team” you mean the passbolt developers, the good news is it’s open source and if your security requirements demand a review of the code itself passbolt makes that possible. You can make the best judgment for your team on this point.

The quote from Passbolt Help | Why do I need a browser extension? does not go into details but the cryptographic functions of encrypting/decrypting actually happen in the extension. The code for these functions is not getting pulled from an external source but is in the extension itself. There are many other security considerations like this.

When I first started with passbolt, I figured it would mostly be served from the server. But now I see it as more of an extension app, calling to a server for encrypted data to be sent, which it then decrypts on the client side. Both parts of the app (backend API and extension) are well developed and equally important in the security picture.

It is also important to note that one should always be very very careful what extensions are installed and what permissions are being granted to that extension. I imagine many organizations make it a policy to not permit installation of non-approved extensions.

Thanks for asking the good questions! Follow up questions are invited, if you have more.

Please read Passbolt - Security White Paper for all the specifics.

There is a blog post on this topic that might be interesting to understand why passbolt requires an extension to work: