Jump to content
Enpass Discussion Forum

Traditional Windows Beta with Edge extension


Hemant Kumar
 Share

Recommended Posts

Hi guys,

As we have mentioned in our blog-post that Edge browser extension will not be part of stable releases. We will keep the beta-stream of Traditional Windows as updated as stable stream with an additional, most in-demand feature: Edge Browser extension. The newly released Enpass Beta 5.3.1 is similar to stable Enpass 5.3.0. You can download the Edge supported Beta version from here and Edge extension from here & follow the steps mentioned in readme.txt . Before using the beta version, you should be aware of risks involved by:

Disabling isolation of Edge browser: To strike down the Issue of Microsoft Edge browser (where being a UWP App, it doesn't allow any other App to connect to it on same machine through loopback), we have to disable the network isolation of Edge using the following command.

CheckNetIsolation LoopbackExempt -a -n="Microsoft.MicrosoftEdge_8wekyb3d8bbwe"
Warning: As per Microsoft, the use of above command to overrule the Network capabilities of Edge browser is not a general practice and is not recommended for normal users as it can make the Edge browser vulnerable.

Format of Websocket origin: When edge extension connects to Enpass app via websocket, the websocket origin set by Edge is in somewhat a non-standard format https://EnpassPasswordManager_nt7fcssrybz1j:0. Ideally it should be

ms-browser-extension://EnpassPasswordManager_nt7fcssrybz1j:0

Being in the https protocol format, it might lead an attacker to run an attack site on a machine that resolves to our extension ID by DNS spoofing and installing its self-signed root certificate authority on your computer. If a request come from Edge browser runing that attack site will look like an authentic request to Enpass. If you PC is already in so much control of a bad guy that he can install self signed root certificate and run a site on your machine (which requires administrator permission), you are already at potential risk. Although it is not so easy for anyone in a control environment, but as a user of Enpass, we want you to be aware of this issue.

Keep using Enpass and stay secure!

Link to comment
Share on other sites

  • 2 weeks later...

We haven't seen anything on the Edge Extension for a while. Are you making any progress on the Edge Extension integration? Hoping you are getting some help from Microsoft. Love Enpass and hope you can get past the obstacles with the extension. Thx

  • Like 1
Link to comment
Share on other sites

On 23.8.2016 at 7:01 PM, JeffB said:

We haven't seen anything on the Edge Extension for a while. Are you making any progress on the Edge Extension integration? Hoping you are getting some help from Microsoft. Love Enpass and hope you can get past the obstacles with the extension. Thx

I also would be interested, how the current suited the engages is.

LastPass also has solved this problem.

  • Like 1
Link to comment
Share on other sites

Benqer, I think you will find that LassPass is an internet-based service, so all of the traffic, while encrypted, flows on the Internet. Enpass' store is local, and the only traffic on the Internet is if you choose to sync. I prefer the Enpass solution and sure will wait for their solution. I love Edge but if I need the browser integration, I will use Opera for now. I, thankfully, can remember most of my passwords and can look up the others in Enpass when I have to.

Link to comment
Share on other sites

I did choose to sync as I am using Enpass on multiple devices and I've been trying Lastpass as well as Enpass. I do prefer the level of control over where my encrypted data goes with Enpass, and I like the idea of the Windows app version which uses Hello, but it is currently no use since the extension needs the desktop version. The Lastpass extension runs without needing a desktop application and it decrypts locally. Enpass hasn't made that work, and they haven't replied here for 3 weeks either so they don't seem to care about it much. I had decided to go with Enpass, with the hope they would fix these issues, but my hopes are fading.

Link to comment
Share on other sites

I don't think there's much that they could say to be honest. Everything is well explained in this topic and in the blog post. New APIs are needed for the extension to be secure, and before that the extension cannot be release as GA.

Moreover, saying that "they don't care about it" is just unfair. Enpass support has always been great and it's clear they're commited to getting this extension out for everyone. They know and we know there's no solution for now. But despite that, Enpass decided to release a beta of the extension so that it can be used if someone wants to try it.

I think we should say thanks to Enpass instead of blaming them for something they cannot do, given that they want to keep the security high and an uniform approach for extensions.

Edited by Matteo
Link to comment
Share on other sites

Actually I was referring to my question from August 3rd asking if I had the right version, and also the question from kLy about if there is a way to stop Edge asking about it every time. Neither of those got an answer, and they seem straightforward.

And I would like to know if they are committed to doing an extension still. I don't think Microsoft is going to change the API soon, so I think the question is, will Enpass look at other approaches or just say they can't do anything until the API changes? I read the blog post as saying they can't do anything which suggests the extension is a long way away. I am using it, but I'm not very happy with having to tell edge to enable it every time.

I know the desktop version is free, but I have paid for the one for my Windows mobile phone so I'm not prepared to just say thanks. I would pay for the extension if that helped.

Link to comment
Share on other sites

Oh, one more thing - I don't really have a problem with Enpass saying they need different APIs to do what they want to do and that they won't do an extension for Edge before getting those, but I would like them to say that explicitly. Then I could decide to switch to a different browser (although my chrome extension isn't working at all at the moment).

Link to comment
Share on other sites

If you still need an answer to your question, the latest extension version is still 5.2.2.

And for the other one (Edge keeps disabling the extension), that's something related to the Edge app, so the question needs to be asked to someone at Microsoft. But I suspect there's no solution to that, because only extensions coming from the Store are considered "signed".

Anyway, the blog post says

Quote

Edge extension of Enpass will stay in Beta due to couple of issues.

[...]

Unfortunately, we don’t have any official APIs to connect Edge extension with Enpass app installed on same machine.  

It seems clear to me that the extension will work for everyone only with future versions of Edge, when "official APIs" will allow the kind of communication they need.

Also, take note that Microsoft isn't accepting extensions in the store yet, so even if it was ready, it couldn't be submitted or published.

  • Like 2
Link to comment
Share on other sites

Hi @jane,

Enpass core is SQLCipher (open-source) and unfortunately, there is no SQLCipher javascript SDK available that can be used in browser extensions. So, We can't provide a standalone browser extension. 

We have already applied for inclusion of our edge extension in windows store but there is no reply from Microsoft. Probably, because use of above listed workarounds. 

Ideally, an UWP app and its companion Edge extension would be a killer solution in Windows sandboxed environment. It is only possible if Microsoft provide above listed APIs. We have reached out to Microsoft about these and they said "this is something we are investigating for a future update".

We have all eyes and ears open and will start the work as soon as APIs will be available. 

Link to comment
Share on other sites

Thanks for the update Vinod. All the browser extensions (such as Chrome) need to use the desktop version currently, is that correct? I assume that your plan would be that all could use the UWP app once you get the api support?  That would be great.

Link to comment
Share on other sites

  • 2 weeks later...

Did something change with Windows 10/Edge/Enpass Beta recently? Suddenly, I can't get the extension to work anymore. It happens on 2 Windows 10 machines I have here. When I click the Enpass button in Edge, it tells me that it cannot connect to Edge. But it was working until yesterday or so. I've also re-run the "LoopbackExempt" command on both machines with no luck.

Anyone else having the same issue?

Link to comment
Share on other sites

3 hours ago, Anshu kumar said:

Hi @Matteo,

I'm sorry you are having issues with the Edge extensions. We just re-tested this issue in our lab and unable to reproduce it. Please share your Windows 10 build version (along with version of Edge). Also, let me know if you have recently updated your system or installed any software.

It's weird but... it solved by itself on both machines. Thanks anyway!

Link to comment
Share on other sites

  • Admin unpinned this topic

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
 Share

×
×
  • Create New...