Ungoogled-chromium: CryptoTokenExtension - is it necessary or should it be removed?

I had a quick look at the source code. Not a JS expert but from my understanding it is used for hardware 2FA. It's main purpose is for identity verification with a USB hardware authentication device, e.g. Yubikey. In a sense it DOES track you because by definition for 2FA to work you need to use the same device to verify it is you every time.
Now I don't know whether remove it will be a good idea or not. It's basically a tradeoff: either you want to use a hardware authentication device which _can_ track you, or you want the whole functionality gone at all.

The FIDO specification is here: https://fidoalliance.org/specs/fido-v2.0-id-20180227/fido-appid-and-facets-v2.0-id-20180227.html

EDIT: I think a reasonable solution is to make the extension disableable for user.

I had a quick look at the source code. Not a JS expert but from my understanding it is used for hardware 2FA. It's main purpose is for identity verification with a USB hardware authentication device, e.g. Yubikey. In a sense it DOES track you because by definition for 2FA to work you need to use the same device to verify it is you every time.

Thanks for clarifying.
So if things are as you explained, we should probably consider that:

• Not everyone uses such devices

• We should not assume that ungoogled-chromium users (who are supposedly more privacy and security minded) would trust by default a proprietary non-RYF device, even less - being aware of things like BadUSB etc. So I am inclined to think that UC users would rather not need this extension.

• Even if we suppose someone uses such device for some unfortunate reason they can simply be given the option to enable this extension instead of enforcing it for everyone without an option to disable it

Now I don't know whether remove it will be a good idea or not. It's basically a tradeoff: either you want to use a hardware authentication device which _can_ track you, or you want the whole functionality gone at all.

Perhaps there is no need for a trade off. Perhaps it is best to be up to the user to turn it ON or OFF. By default any form of tracking should be OFF, just like any unnecessary functionality.

i second that

The last thing I can recall about CryptoTokenExtension is this: https://github.com/Eloston/ungoogled-chromium/issues/874#issuecomment-559604434. If what I said then still holds, then it isn't useful (especially with Webauthn available), but it doesn't need to be removed either.

If you guys want to patch it out, that's fine by me.

If you guys want to patch it out, that's fine by me.

Can't you add a flag for it?

@emanruse Correct me if I'm wrong, but I think CryptoTokenExtension is already broken because of domain substitution (based on what I said in the issue). We would need to fix that first to make a flag useful.

@Eloston unfortunately I can neither confirm or deny that because I have never used that such 2FA which it is supposed to assist.

But what I am thinking:

If it is "broken" (ungoogled) through domain substitution then it is already dysfunctional. Hence - it can be safely removed and a flag is not necessary at all.

IIUC "fixing" it would mean "googling" it again which would contradict the essence of the current project. Relying on a flag to keep the whole browser ungoogled (as it is expected to be) seems somewhat risky, even if it is "off by default".

Perhaps the best approach (in case the minority who uses 2FA insists on using it with ungoogled-chromium) would be to have the browser itself without the extension (clean and ungoogled) and the extension separate. Then those who want to use it can simply install it, accepting the risk of re-googling part of the browser for themselves only without that influencing anyone else who uses ungoogled-chromium.

What do you say?

If it is "broken" (ungoogled) through domain substitution then it is already dysfunctional. Hence - it can be safely removed and a flag is not necessary at all.

Yes, but leaving it broken is also less work for us too (doing nothing). However, if there are still privacy/security issues with this approach, then we should deal with them.

Perhaps the best approach (in case the minority who uses 2FA insists on using it with ungoogled-chromium) would be to have the browser itself without the extension (clean and ungoogled) and the extension separate. Then those who want to use it can simply install it, accepting the risk of re-googling part of the browser for themselves only without that influencing anyone else who uses ungoogled-chromium.

Unfortunately CryptoTokenExtension is embedded in the browser and can't be easily installed like a regular extension because it uses private extension APIs that aren't available to regular extensions. I don't know what security risks we may run into if we convert CryptoTokenExtension to be an external extension, but it would be a nice solution to this problem.

Of course it is easiest to do nothing but long term: keeping and rebuilding a piece of software which does nothing is a waste of time and power, especially considering the tremendous increase of build time in latest versions. I don't know how much exactly this particular extension adds to the overall build time but multiplied by the hundreds of users - perhaps another thing to consider.

Well either way, I think my time is better spent addressing other longer-term technological issues like automated testing. Not only is this issue not very interesting, I'm not convined many people are affected by this issue.

However, I still welcome others to find a solution if they're interested.