Existing password management frameworks fall short of providing adequate functionality and mitigation strategies against prominent attacks. Unfortunately, the architecture of these frameworks is not aligned with the distributed nature of web applications and is vulnerable to credential theft attacks by network-side, e.g. TLS Proxy in the Middle (TPitM), or front-end, e.g. cross-site scripting (XSS), eavesdropping adversaries.
Browser-side frameworks, HTML Autofill and Credential Management API, are inherently vulnerable to XSS-credential theft. ByPass, a manager-to-server paradigm, is inherently vulnerable to TPitM-credential theft. Furthermore, all of the aforementioned frameworks employ an inaccurate app-to-credential mapping strategy, domain-based credential mapping, and might inadvertently divulge user's credentials to unintended (e.g. deceitful) web applications. We propose Berytus, a novel browser-based governance framework that mediates between web applications and password managers to orchestrate secure and programmable authentication sessions. It is positioned between the web application and the password manager, operating natively in the browser, and providing an API for each party. Berytus harmonises multiple password manager usage by requiring available password managers to register with it. Present frameworks do not couple specialised security facilities with their approach, rather their credential transfer security depends on the application of standardised security measures in the web/browser landscape to mitigate against prominent attack vectors, e.g. Content Security Policy for XSS mitigation. Conversely, the Berytus architecture equips web applications with certified app-specific cryptographic keys to streamline an authenticated and accurate app-to-credential mapping strategy.
Furthermore, Berytus mediates an authenticated key exchange between the web application and the password manager to achieve app-level end-to-end encryption of credentials, which as we show, can streamline a confidential credential transfer communication that is immune to credential theft attacks via phishing, XSS, malicious browser extension code injection and TPitM. To assess the feasibility of Berytus, we extend Firefox to incorporate Berytus and develop Secret*, a Berytus-compatible password manager for programmable authentication and registration sessions. We make our code artefacts publicly available, provide a comprehensive security and functionality evaluation and discuss possible future directions.
