- What: Development of a Firefox extension to detect AitM proxies
- Impact: Helps protect users from phishing attacks
A couple of weeks ago, I described the Adversary in the Middle (AitM) family of attacks in this post: Starkiller Phishing Kit: Why MFA Fails Against Real-Time Reverse Proxies. Enticed by the structure of the attack itself, the first thing that came to my mind was: how can we protect a regular internet user? Someone who does not care about “threat agents” and “threat models”, but simply wants to use their machine to pay a parking ticket without handing the credentials of their bank to some weird guy three thousand kilometers away? Here we go: I started my RustRover, and off I went coding.

So, no macOS hardening today. It’ll be back soon.

Introduction

I always found the idea of writing an extension for a browser a challenge, because: I hate JavaScript. With a passion. I tried several extensions; very few have a real purpose. In general, they enlarge attack surfaces. Nevertheless, with the idea of thwarting an attack aimed at a user who is culturally unprepared against it, and potentially unprotected, the only logical place where the protection can happen is the browser. Obtorto collo, I started reading some documentation. I discovered that the world of browsers is quite heterogeneous and there is nothing like a standard.

Firefox

To avoid dispersing my (very limited, nowadays) resources, I decided to focus on one browser only, the one I like the most: Firefox. The good news is that several other browsers I use (LibreWolf, Mullvad) are Firefox based, so write once, run in many places. Good.

I was tempted to support Chrome and Safari too. Firefox exposes more APIs than Chrome, including access to webRequest, with blocking. Turns out that Chrome has decommissioned this feature in MV3: that is where Chrome removed support for webRequestBlocking, which is, incidentally, what I plan to use to block requests. Finally, there’s the legend that Chrome developers have to fork over 5 bucks to Mountain View just to get started. I wasn’t in the mood to find out if it’s true.

As for Safari: Safari is the outsider. I like it, I already said it a few times, but Apple does not make a developer’s life easy. Believe me, they just don’t. Safari extensions must be distributed through the App Store, inside a macOS app wrapper: signed, notarised, Apple reviewed. For a free tool, that’s overkill. Several limitations on the API seal the deal: some APIs I planned to use may not be there. So the answer for Apple users must be something else (which I am writing, but that’s material for another discussion).

TBA

Lore - what’s in a name: ElectricEye

If you have strolled around this blog for some time, you know that I often use Heavy Metal, Maths, or paradox references. It’s just a matter of avoiding christening something like “my exceptional extension”, which I find boring. My first two programs are named after a Black Sabbath and a Megadeth song. Aradia’s workflow is modeled after Mercyful Fate’s “Come to the Sabbath” lyrics. My cat’s name is Sabbath and no, I don’t use that name in my passwords, save your time. Long story short, this time it was Judas Priest’s Electric Eye:

    I’m made of metal
    My circuits gleam
    I am perpetual
    I keep the country clean

Hopefully this guy will keep “Zia Maria”’s transactions clean. And safe. While the attacker strives to be an invisible spy, EE is the eye that peers deeper, spotting the proxy before it can ever touch Zia Maria’s data.

Technical Analysis

The blueprint - how EE works

First, and foremost, how it does not work. I am not a fan of blacklists. They’re inherently broken. If IT Security has a mantra, it is “Kill ‘em all, let God sort them out”, or better, “Block ‘em all, allow only a few well-known good ones”. Blacklists are broken by design: while you strive to find all the domains in which I deploy my evil proxies, I spawn 5 more. 10 more. The only limit is the cost of buying them, but again: I saw domains available for $3… Long story short: a blacklist would be late. Always.

There must be a better approach, and the better approach is always about structure. The Nature of Things never lies. A web page works mainly at three levels: DNS, HTTP headers, DOM. There’s a fourth layer in the AitM attack: TLS. In each of these, the AitM leaves breadcrumbs that can be followed. Precious hints. Several independent layers that must converge on a precise set of circumstances to confirm an AitM. Miss one: no problem. Miss all of them? That’s your attacker.

DNS - the URL

Here my analysis is quite simple:

- High entropy: an algorithmically generated domain name such as xk4f9q2m.evil.com has high entropy. Surely way higher than bancaintesa.it or vodafone.co.uk.
- Punycode / homograph: аrаdia.zone vs. aradia.zone. Can you spot the difference? Let’s look at the bytes:

```
String        xxd
аrаdia.zone   00000000: d0b0 72d0 b064 6961 2e7a 6f6e 65  ..r..dia.zone
aradia.zone   00000000: 6172 6164 6961 2e7a 6f6e 65       aradia.zone
```

Good luck spotting that with your eyes alone.

T...
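The two URL-level checks from the DNS section above (label entropy, and punycode or mixed-script labels such as аrаdia.zone), written out as an added example that is not ElectricEye’s own code; the entropy threshold, the sample hostnames and the optional webRequest blocking hook are assumptions for illustration:

```javascript
// Added example, not ElectricEye's code. Hostnames, the ENTROPY_LIMIT
// threshold and the webRequest wiring are assumptions for illustration.
// Shannon entropy (bits per character) of a string.
function shannonEntropy(s) {
  const counts = new Map();
  for (const ch of s) counts.set(ch, (counts.get(ch) || 0) + 1);
  let h = 0;
  for (const n of counts.values()) {
    const p = n / s.length;
    h -= p * Math.log2(p);
  }
  return h;
}
// Flags one DNS label that mixes Latin with another script (Cyrillic "а"
// U+0430 beside Latin "r") or that is already punycode-encoded (xn--).
function homographRisk(label) {
  if (label.toLowerCase().startsWith("xn--")) return true;
  const latin = /\p{Script=Latin}/u.test(label);
  const other = /[^\p{Script=Latin}\p{Script=Common}]/u.test(label);
  return latin && other;
}
// Scores a hostname and returns the reasons it looks suspicious. "xk4f9q2m"
// scores 3.0 bits, "bancaintesa" about 2.85: the cut-off needs real-traffic tuning.
const ENTROPY_LIMIT = 2.9;
function assessHostname(hostname) {
  const labels = hostname.toLowerCase().split(".").filter(Boolean);
  const reasons = [];
  for (const label of labels) {
    if (homographRisk(label)) reasons.push(`homograph:${label}`);
    if (label.length >= 6 && shannonEntropy(label) > ENTROPY_LIMIT)
      reasons.push(`entropy:${label}`);
  }
  return reasons;
}
// In a Firefox extension (manifest permissions "webRequest",
// "webRequestBlocking", "<all_urls>") the same check can cancel the
// navigation before it leaves the browser. Guarded so the file also runs in Node.
if (typeof browser !== "undefined" && browser.webRequest) {
  browser.webRequest.onBeforeRequest.addListener(
    (details) => {
      const reasons = assessHostname(new URL(details.url).hostname);
      return reasons.length ? { cancel: true } : {};
    },
    { urls: ["<all_urls>"], types: ["main_frame"] },
    ["blocking"]
  );
}
```

Note that plain entropy separates the two sample domains only narrowly, which is why EE treats it as one breadcrumb among several rather than a verdict on its own.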