Guide | Google Extensions - Crypto Token [What it Does]
-
As we have all seen here on the forum, the Crypto Token setting under Google Extensions in the Privacy section has caused several issues. Many users disable it without heeding the warning that it could break Google services, but that isn't what this post is about.
There has been some discussion about what the extension actually does, but I have seen that some misunderstanding is still present, so this post is here to talk about that.
Figuring out what the Crypto Token extension does
Since it is an actual extension that is just internal to Chromium, the first place to look could be the manifest file.
The description field leaves us just as confused as before, but the manifest does have a unique permission we can look up.
"permissions": [ "cryptotokenPrivate", ...
Looking up that permission brings us to this page: https://cljdoc.org/d/binaryage/chromex/0.8.4/api/chromex.ext.cryptotoken-private
Which says this:
chromex.ext.cryptotoken-private
chrome.cryptotokenPrivate API that provides hooks to Chrome to be used by cryptotoken component extension. In the context of this API, an AppId is roughly an origin and is formally defined in the FIDO spec. Available since Chrome 41.
Looking into what the "FIDO spec" mentioned in the description is, the FIDO Alliance website shows up, which helps give us a better understanding of what the extension could do.
The FIDO Alliance has published three sets of specifications for simpler, stronger user authentication: FIDO Universal Second Factor (FIDO U2F), FIDO Universal Authentication Framework (FIDO UAF) and the Client to Authenticator Protocols (CTAP). CTAP is complementary to the W3C’s Web Authentication (WebAuthn) specification; together, they are known as FIDO2.
All FIDO protocols are based on public key cryptography and are strongly resistant to phishing.
--
There are also StackExchange posts, like here, that discuss its function.
--
And then there is the final confirmation of the answer that can be found through internal discussions in the Chromium bug tracker.
It's [Crypto Token Extension] externally connectable to allow any 3rd party site to use U2F tokens. This capability is currently being used by Facebook, GitHub, and others.
At some point we intend to replace this approach with a real API, in particular the WebAuthn API currently being implemented by ___ and ___.
Answer to what the Crypto Token actually does
In short, the extension is like an API that websites can use for user authentication that relies on public key cryptography as defined by specifications from the FIDO Alliance.
The spec also involves U2F, which is why you will see people here on the forum mentioning two-factor authentication in relation to the Crypto Token extension.
So why does Vivaldi need this extension to login to Google services and other browsers like Firefox do not?
The reason is that Firefox and other non-Chromium browsers put in their own implementation of the FIDO alliance spec.
The way Chromium based browsers allow this functionality is through the Crypto Token extension.
If the Chromium bug tracker discussion from above is to be believed, the Crypto Token extension might be phased out soon in favor of the WebAuthn API. From May 21, 2019:
WebAuthn has been shipped for a while now. Is this extension going away soon?
I expect to send an announcement in the next couple of weeks to blink-dev and security-dev saying that it's time for sites to move to Webauthn. However, cryptotoken is still regularly used by a number of major sites and so I'm not setting a deadline for removal at this time. I expect it to be a couple more years before we could think about removing it.
We can already see that U2F functionality has actually been moved away from the Crypto Token extension to the WebAuthn API.
Conclusion
So while it seems like another scary Google service being forced into Chromium browsers, it is really about secure login with web servers in the same vein as HTTPS which also makes use of public key cryptography (at least in the initial communication, before faster cryptography techniques can be used).
There could be some Google tracking incorporated into the extension (you can check the source yourself if you feel like investigating), but some websites besides Google services, like GitHub and Facebook, could also be affected by disabling this extension until it is finally phased out and replaced by Chromium's WebAuthn API.
It also has no relation to cryptocurrencies or blockchains other than that both involve cryptography, which is what the "Crypto" in "Crypto Token" stands for.
If you think I got anything wrong, feel free to let me know. This is just what I could find with a bit of searching around for an answer.
--
ModEdit: Title
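As an added illustration (not code from the original post or from Chromium), the Python below models the U2F flow the post describes: the website stores a public key and sends a challenge, the browser component (the Crypto Token role) checks the page origin against the AppId and forwards the request to the security key, and the key refuses a handle that was registered for a different AppId. The cryptography is a constructed toy (textbook RSA on one fixed modulus) and the origins are hypothetical.

```python
import hashlib, json, math, os

# Constructed toy crypto: textbook RSA on one fixed modulus with a random public
# exponent per key. Real U2F uses a fresh ECDSA P-256 key pair per registration.
P, Q = 2147483647, 2305843009213693951          # known (Mersenne) primes
N, PHI = P * Q, (P - 1) * (Q - 1)

def sha256(b): return hashlib.sha256(b).digest()
def to_sign(app_param, challenge_param):
    # U2F signs appParam || user-presence byte || challengeParam (counter omitted here)
    return int.from_bytes(sha256(app_param + b"\x01" + challenge_param), "big") % N

class Authenticator:  # stand-in for a U2F security key; each key handle is bound to one AppId
    def __init__(self): self.keys = {}          # handle -> (app_param, private exponent d)
    def register(self, app_param):
        e, handle = 1, os.urandom(8)
        while e < 3 or math.gcd(e, PHI) != 1: e = int.from_bytes(os.urandom(4), "big") | 1
        self.keys[handle] = (app_param, pow(e, -1, PHI))
        return handle, e                        # public key is (N, e)
    def sign(self, handle, app_param, challenge_param):
        bound_app, d = self.keys[handle]
        if bound_app != app_param:              # handle was minted for another AppId: refuse
            raise ValueError("key handle not valid for this AppId")
        return pow(to_sign(app_param, challenge_param), d, N)

class RelyingParty:  # the website: knows its AppId, stores public keys, verifies assertions
    def __init__(self, app_id):
        self.app_id, self.app_param, self.users = app_id, sha256(app_id.encode()), {}
    def verify(self, handle, client_data, sig):
        return pow(sig, self.users[handle], N) == to_sign(self.app_param, sha256(client_data))

def browser_sign(auth, origin, app_id, handle, challenge):
    """Crypto Token's job: check page origin against AppId, build client data, call the key."""
    if origin != app_id:                        # simplified facet check (real rule: same site)
        raise PermissionError(f"{origin} may not use AppId {app_id}")
    client_data = json.dumps({"challenge": challenge.hex(), "origin": origin}).encode()
    return client_data, auth.sign(handle, sha256(app_id.encode()), sha256(client_data))

def demo():
    auth, rp = Authenticator(), RelyingParty("https://github.example")
    handle, e = auth.register(rp.app_param)
    rp.users[handle] = e
    challenge = os.urandom(16)
    genuine = rp.verify(handle, *browser_sign(auth, rp.app_id, rp.app_id, handle, challenge))
    try:    # look-alike origin relays the real challenge under its own AppId
        browser_sign(auth, "https://evil.example", "https://evil.example", handle, challenge)
        phished = True
    except ValueError:                          # the key refuses: handle is bound to github.example
        phished = False
    return genuine, phished
```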
-
Excellent article and really well researched!
This is the kind of thorough detective work that's needed to dispel some of the scare-mongering about this specific component.
Like many others I also disabled the component once the option was in Vivaldi. And everything seemed to be perfectly fine without it - I could use Google services without any problem. Only until I was testing some other users claiming they could no longer log in to Google, and so I cleared all cookies from G and, hey presto, the same happened to me. I even created a bug report (VB-75407, now probably closed...) because I was kind of peeved off at needing the component to sign in to Google, when Firefox users did not need it. But what I didn't think about then was that Firefox obviously has its own component that does the exact same thing.
It really adds to the confusion that the user actually needs to clear cookies, not just sign out, before they see the error caused by disabling the component. My guess is that it creates and saves some encrypted hash value when triggered, either as a cookie or other data.
Because of all the issues it's caused, some might say it was a mistake to allow users to disable such a critical component. But then again, I think it's great that Vivaldi would actually trust us to do so and I hope they will still give us the option. After all some users want nothing to do with Google at all so for them it's (probably) fine - until other sites start requiring the same for logins :smiling_face_with_open_mouth_closed_eyes:
-
Well whatever it is supposed to do it doesn't work for me.
I can log into my main Grumble mail account with no problem with crypto-token disabled. But I cannot log into my secondary account with crypto-token either enabled or disabled. No matter if I restart the browser, reboot or power off/on after changing the setting.
Also I can log into fb, github, Wordpress and many other sites without problems using Vivaldi. To log into my secondary account at grumble I must use FF. It works fine.
But make no mistake about it: the company [google] is now engaging in blockchain. “This is one of our first validators, but we have many crypto customers,” says Allen Day, Developer Advocate for Google. “We had already made Bitcoin, Ethereum and six other cryptocurrencies’ data available through our public dataset program. This is the next step.”
Source: https://www.forbes.com/sites/coryjohnson/2020/05/27/google-goes-blockchain/?sh=46e0f4b06593
So grumble is indeed using this (at least partly) for grumble, apple, bitcoin, etc payment options which are of no value to me.
You can't have these payment options without blockchain (as far as I know).
Even in the Chromium bug report you mentioned it does not seem like those tracking this had the background to understand the process which is going on here.
I am no programmer but my inclination is that crypto-token and the WebAuthn API are conflicting with each other somehow. I can see no other reason why I cannot use Vivaldi to access both grumbleMail accounts.
-
@Pathduck It surely was a mistake, the only thing that could rectify the situation is either hiding the option to disable the extensions, or showing a popup on trigger, with a text warning the users about what exactly will break.
@nomadic Great explanation, I always thought it's just 2-factor authentication. The fact it only breaks after removing cookies only adds to the confusion.
-
@luetage said in Google Extensions - Crypto Token [What it Does]:
It surely was a mistake, the only thing that could rectify the situation is either hiding the option to disable the extensions, or showing a popup on trigger, with a text warning the users about what exactly will break.
I partly agree. But like I said I hope Vivaldi will still give us the option of disabling components and system extensions we have no need for. Maybe only for advanced users, i.e. hidden under experiments.
One of the (many) things I dislike about Chromium is its tendency to sneakily introduce new Google experiments like FloC, Crowd Deny, Zxcvbn and so on. Apparently the latest one (just noticed it in User Data) is "hyphen-data".
Some of these might be innocent, others are clearly ways for Google to experiment with different data-collection stuff, like FLoC which thankfully seems to be broken in Vivaldi, possibly intentionally by the team.
The way Google sees things, Chromium is not meant for casual users, so it can be used as a platform for publicly testing stuff before it's put into Chrome. The result of this is of course that Vivaldi users (at least Snapshotters) end up as lab-rats for various Google experimentation.
-
@nomadic This resolved my issue trying to sign into Pandora Radio as well. Great article!