Hello @pasbbolting As you are learning, Passbolt has two parts to the app - the backend API on the server, and the front-end client-side private-key-holding extension. Many are surprised to learn how much of the UI is actually coming from the extension, and not the server.
Well, you could stay away from using the browser altogether. Browser use of passbolt = using the extension.
I’m not sure if I understand this correctly, but your question may reflect that you think browser use of passbolt is not actually the extension itself. Passbolt installations will actually only share information with properly authenticated API requests (whether from the approved passbolt extension or another source of your choosing and creation).
It is possible to use Passbolt without an extension, but this would allow working only with the backend API, either via command line, or endpoint calls via the web (internal or external networks). Other than setup UI, the rest of passbolt’s UI code is in the extension (broad generalization and mostly true).
When it comes to the safety of extensions in general, I can’t really argue for or against the point. However, the Passbolt extension is Cure53-reviewed for security, so if by “extension team” you mean the passbolt developers, the good news is it’s open source, and if your security requirements demand a review of the code itself, passbolt makes that possible. You can make the best judgment for your team on this point.
The quote from Passbolt Help | Why do I need a browser extension? does not go into details but the cryptographic functions of encrypting/decrypting actually happen in the extension. The code for these functions is not getting pulled from an external source but is in the extension itself. There are many other security considerations like this.
When I first started with passbolt, I figured it would mostly be served from the server. But now I see it as more of an extension app, calling to a server for encrypted data to be sent, which it then decrypts on the client side. Both parts of the app (backend API and extension) are well developed and equally important in the security picture.
It is also important to note that one should always be very, very careful about what extensions are installed and what permissions are being granted to each extension. I imagine many organizations make it a policy to not permit installation of non-approved extensions.
Thanks for asking the good questions! Follow-up questions are invited, if you have more.
Please read Passbolt - Security White Paper for all the specifics.