Methodology · Browser extension v0.1
What the extension sees, what it doesn't, and where the line is.
The Cipherwake browser extension is a Manifest V3 add-on that surfaces the Decryption Blast Radius grade for every HTTPS site you visit. This page documents exactly what data flows the extension uses, what it explicitly refuses to read, and how badge colors are computed.
What the extension reads
One thing only:
- The hostname of the active tab's URL. When you switch to a tab, the service worker reads `tab.url`, extracts the hostname (e.g. `example.com`), and uses it as the scan key.
That is the entire data flow into the extension's logic. Nothing else from the page, the browser, or the user is read.
What the extension explicitly does NOT read
- Page content. No DOM access. No HTML parsing. No text scraping.
- Cookies. The extension does not request the `cookies` permission.
- Form data. Logins, passwords, payment fields — not accessible to the extension.
- Browsing history. No `history` permission. Tab switches are observed live; nothing is logged across sessions.
- Other tabs. Only the active tab. The `tabs` permission with `activeTab` scope is the minimum surface that lets the toolbar icon respond to the current page.
- Identity / sign-in state. No auth flows; the extension is not tied to any account.
- Cross-site request data. The service worker calls only `https://www.cipherwake.io/api/scan`. `host_permissions` is scoped to this origin alone.
How the badge is computed
On tab switch, the service worker:
- Extracts hostname from the active tab.
- Checks `chrome.storage.session` for a cached score. Cache lifetime: 30 minutes.
- If no fresh cache: calls `/api/scan?domain=<host>` and stores the result.
- Updates the toolbar icon's badge text (the grade letter A/B/C/D/F) and its background color per the table below.
| Grade | Badge color | DBR score band |
|-------|-------------|----------------|
| A | Green (#16a34a) | 0-2 |
| B | Lime (#65a30d) | 2-4 |
| C | Amber (#ca8a04) | 4-6 |
| D | Orange (#ea580c) | 6-8 |
| F | Red (#dc2626) | 8-10 |
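The last two steps of that procedure, as an added example rather than the extension's own service-worker code: a score-to-badge mapping built from the table above, and a session cache with the 30-minute lifetime. `chrome.storage.session`, the `/api/scan` call and the clock are replaced by injectable stand-ins (`store`, `fetchScore`, `now`) so the logic runs in plain Node; the table's bands share endpoints, so this example assumes each upper bound is exclusive (a score of exactly 2 is a B), which the page does not state.

```javascript
// Added example (not the extension's own code): badge computation and the
// 30-minute session cache from "How the badge is computed".

// Grade bands from the table above. Assumption: upper bounds are exclusive,
// so 2 -> B, 4 -> C, and so on; 10 is an F. Colors are the table's hex values.
const GRADE_BANDS = [
  { grade: 'A', max: 2,  color: '#16a34a' },
  { grade: 'B', max: 4,  color: '#65a30d' },
  { grade: 'C', max: 6,  color: '#ca8a04' },
  { grade: 'D', max: 8,  color: '#ea580c' },
  { grade: 'F', max: 10, color: '#dc2626' },
];

// Map a DBR score (0-10) to the badge letter and background color.
function badgeForScore(score) {
  if (typeof score !== 'number' || Number.isNaN(score) || score < 0 || score > 10) {
    throw new RangeError(`DBR score out of range: ${score}`);
  }
  for (const band of GRADE_BANDS) {
    if (score < band.max) return { text: band.grade, color: band.color };
  }
  return { text: 'F', color: '#dc2626' }; // score === 10
}

const CACHE_TTL_MS = 30 * 60 * 1000; // 30 minutes, per "Network behavior"

// Session-scoped score cache. `store` stands in for chrome.storage.session
// (a Map here), `fetchScore(host)` for the /api/scan call (synchronous in this
// example; the real call is an async fetch), and `now()` for Date.now().
function createScanner({ store = new Map(), fetchScore, now = Date.now } = {}) {
  let requests = 0; // outbound scan calls actually made

  // `force` models the popup's "rescan" button: bypass the cache once.
  function scoreFor(host, { force = false } = {}) {
    const cached = store.get(host);
    if (!force && cached && now() - cached.at < CACHE_TTL_MS) {
      return { ...badgeForScore(cached.score), fromCache: true };
    }
    const score = fetchScore(host); // one outbound request per host per TTL
    requests += 1;
    store.set(host, { score, at: now() });
    return { ...badgeForScore(score), fromCache: false };
  }

  return { scoreFor, requestCount: () => requests };
}
```

In a real MV3 worker the `text` and `color` fields would be handed to `chrome.action.setBadgeText` and `chrome.action.setBadgeBackgroundColor` for the active tab; keeping the mapping and the cache in pure functions is what makes the one-request-per-30-minutes claim testable without a browser.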
Network behavior
- One outbound request per domain per 30 minutes. The session cache eliminates repeat traffic on tab switches.
- No telemetry. No analytics, no install events, no usage pings. The only request is the scan call itself, with the hostname as the only argument.
- No request to non-Cipherwake origins. The extension does not contact analytics, ad networks, or third-party services.
What the badge does NOT claim
- It is not a security verdict. A green "A" means low public-surface HNDL exposure on the active tab's domain. It does not mean the site is free of XSS, has good CSP, has 2FA available, or is operationally trustworthy.
- It does not score the page you're viewing. The score is for the domain, not the URL path. Two URLs on the same hostname show the same grade.
- It does not vouch for third-party script content. The Supply Chain tab flags new scripts and grades the vendor's TLS hygiene, but does not analyze script CONTENT (we never read script bodies). A vendor with a good HNDL grade can still ship malicious code if their hosting is compromised — that's why we surface the NEW-since-last-visit signal specifically.
- It does not detect an ongoing attack. The badge reflects the public TLS posture; a bad grade on Twitter does not mean Twitter is being attacked right now.
- It does not work for non-HTTPS pages. `http://`, `chrome://`, `file://`, `localhost`, and IPv4 literals are not scanned (no badge).
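The scan-key step with those exclusions applied, as an added example (not code from the extension): `scanKeyFor` takes a tab URL and returns the hostname to scan, or `null` when the page should get no badge. It goes one step beyond the list above by also skipping bracketed IPv6 literals, which are no more a public hostname than an IPv4 literal; that extra case is this example's assumption, not the page's.

```javascript
// Added example (not the extension's own code): derive the scan key from
// tab.url, applying the "does not work for non-HTTPS pages" exclusions.

const IPV4_LITERAL = /^(?:\d{1,3}\.){3}\d{1,3}$/;

// Returns the hostname to use as the scan key, or null for pages that are
// not scanned (no badge). Never throws: tab.url may be empty, undefined,
// or a browser-internal URL.
function scanKeyFor(tabUrl) {
  let url;
  try {
    url = new URL(tabUrl);
  } catch {
    return null;                                  // empty or unparseable
  }
  if (url.protocol !== 'https:') return null;     // http://, chrome://, file://, ...
  const host = url.hostname;                      // already lowercased, no port
  if (host === 'localhost') return null;
  if (IPV4_LITERAL.test(host)) return null;       // e.g. https://10.0.0.5/
  if (host.startsWith('[')) return null;          // IPv6 literal (assumption beyond the page)
  return host;
}
```

Because `URL.hostname` drops the port and lowercases the name, `https://Example.com:8443/x` and `https://example.com/` share one scan key and therefore one cache entry, which matches the domain-not-URL scoring described above.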
Limitations + edge cases
- Subdomain ambiguity. The extension scans the full hostname (e.g. `foo.example.com`); the subdomain may behave differently from the apex. Click the icon to see the apex-vs-subdomain split.
- First-load latency. Cold cache scans take 1-3 seconds; the badge briefly shows "..." while the scan resolves.
- Cache staleness. A 30-minute cache means rapid posture changes (e.g. cert rotation) won't show until cache expiry. Open the popup and click "rescan" to force a fresh fetch.
- Manifest V3 service-worker dormancy. Long-idle workers may take an extra ~200ms to wake; this affects only the first tab switch after a long pause.
Supply chain change detection (v0.3.14+)
The killer ASM feature. Cipherwake's content script auto-runs on every HTTPS page you visit, reads the page's `<script>`, `<link>`, and `<iframe>` source attributes, and reports the third-party hostnames to the background service worker. The background worker then:
- Compares this visit's third-party hosts to last visit's (per-origin baseline stored in `chrome.storage.local`).
- Flags any NEW host that appeared (could be a Polyfill.io-style supply-chain compromise; see the Polyfill.io 2024 attack writeup).
- Checks each `<script>` for an `integrity="sha384-..."` attribute (SRI — without it, the vendor can swap script contents silently).
- Fetches the HNDL grade for each unique third-party host (cached aggressively).
- Stores the consolidated report per-origin so the popup can render it instantly without re-running the scan.
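The comparison and SRI steps of that procedure, as an added example that is not the extension's `content-deps.js` or background code. Page elements are modelled as plain objects holding the attribute values `document.querySelectorAll('script[src], link[href], iframe[src]')` would expose, the per-origin baseline is a plain object standing in for `chrome.storage.local`, and the two visits and vendor hostnames are constructed sample data. The HNDL grade lookup and the once-per-hour throttle are left out.

```javascript
// Added example (not the extension's own code): third-party host extraction,
// baseline comparison and SRI presence check from "Supply chain change detection".

// Constructed sample: a first visit and a later visit to the same page.
const PAGE_URL = 'https://shop.example.com/checkout';

const VISIT_1 = [
  { tag: 'script', src: '/static/app.js' },                                  // first-party, not analyzed
  { tag: 'script', src: 'https://cdn.vendor-a.example/lib.js', integrity: 'sha384-AAAA' }, // placeholder digest
  { tag: 'link',   href: 'https://fonts.vendor-b.example/font.css' },
  { tag: 'iframe', src: 'https://pay.vendor-c.example/frame' },
];

const VISIT_2 = [
  ...VISIT_1,
  { tag: 'script', src: '//cdn.newhost.example/polyfill.min.js' },           // new host, no SRI
];

// Resolve an element's source attribute to a hostname; null for first-party,
// inline, or non-network sources (data:, blob:, javascript:).
function thirdPartyHost(el, pageUrl) {
  const raw = el.tag === 'link' ? el.href : el.src;
  if (!raw) return null;
  let url;
  try { url = new URL(raw, pageUrl); } catch { return null; }
  if (!/^https?:$/.test(url.protocol)) return null;
  return url.hostname === new URL(pageUrl).hostname ? null : url.hostname;
}

// An SRI value is one or more whitespace-separated <alg>-<base64> tokens.
const SRI_TOKEN = /^sha(256|384|512)-[A-Za-z0-9+/]+=*$/;
function hasSri(el) {
  if (typeof el.integrity !== 'string') return false;
  const tokens = el.integrity.trim().split(/\s+/).filter(Boolean);
  return tokens.length > 0 && tokens.every(t => SRI_TOKEN.test(t));
}

// Compare this visit against the stored baseline for the page's origin and
// replace the baseline with what was seen now. The first visit after install
// only establishes the baseline, so nothing is reported as new.
function analyzeVisit(elements, pageUrl, baselines) {
  const origin = new URL(pageUrl).origin;
  const hosts = new Set();
  const scriptsWithoutSri = [];
  for (const el of elements) {
    const host = thirdPartyHost(el, pageUrl);
    if (!host) continue;
    hosts.add(host);
    if (el.tag === 'script' && !hasSri(el)) {
      scriptsWithoutSri.push(new URL(el.src, pageUrl).href);
    }
  }
  const firstVisit = !(origin in baselines);
  const previous = new Set(baselines[origin] || []);
  const seen = [...hosts].sort();
  baselines[origin] = seen;
  return {
    origin,
    firstVisit,
    hosts: seen,
    newHosts: firstVisit ? [] : seen.filter(h => !previous.has(h)),
    scriptsWithoutSri,
  };
}
```

Note what the report can and cannot say: a host appears in `newHosts` because it was absent last time, and a script appears in `scriptsWithoutSri` because its `integrity` attribute is missing or malformed. Neither field depends on script bodies, which is exactly the boundary the next section draws.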
What the content script reads: only attribute values from public DOM elements (src, href, integrity). It never reads page text content, form values, cookies, localStorage, sessionStorage, or any cross-frame data. The full source is in content-deps.js.
What the supply-chain detector does NOT claim
- It does not analyze script CONTENT. We never read script bodies. We see the SRC attribute (where the script comes from) and the INTEGRITY attribute (whether SRI is enforced). A malicious script with a good vendor grade and SRI present will not be flagged by this feature alone.
- It is not a complete supply-chain audit. First-party scripts (loaded from the page's own origin) are not analyzed — they're assumed to be under the page owner's control. SRI is recommended even for first-party scripts but we don't flag absence there.
- It does not block scripts. Cipherwake is detection-only. It does not modify the page, block requests, or interfere with site functionality. For active blocking, use a CSP enforcement extension or browser CSP headers.
- It does not retroactively detect attacks pre-install. The baseline is "what third-party scripts were here on your first visit AFTER installing Cipherwake." If a site was already compromised when you first visited it, that compromise is in the baseline — we'd only detect a subsequent change.
Source + permissions audit
The extension source is in the public repo at extension/. The manifest.json declares exactly:
- `permissions`: `activeTab`, `tabs`, `storage`, `scripting`, `contextMenus`.
- `host_permissions`: `https://*/*` (required for the content script that powers supply-chain detection — without it we can't enumerate third-party scripts on the pages you visit).
- `content_scripts`: `content-deps.js` auto-injected on every HTTPS page, runs at `document_idle`, throttled 1 report per origin per hour.
You can verify this in the manifest before installation. The Chrome Web Store listing replicates the same disclosure. The content script source (content-deps.js) is 130 lines and exclusively reads public DOM attributes — see the full code for verification.
Try it
- Sideload (Chrome / Edge / Brave / Arc): see install instructions.
- Firefox: `about:debugging` → "Load Temporary Add-on" → select `manifest.json`.