Hey Jeffrey,

I think the chief concern is that the traffic is unencrypted and can be sniffed extremely easily.

Personally I think binding the components using a shared key + key derivation scheme similar to DUKPT / NIST 800–108 would be a good idea. And having identity keys would also be a good idea.. but I work for SafeNet (Now Gemalto) so I’m a bit biased and open to using crypto.

If you don’t want users to go through the extremely painful process of typing something in or hitting yes on two checkboxes to validate a shared code… then why not ignore the authentication bit and use completely ephemeral keys for the encryption?

When the browser extension requests the data it can pass an ephemeral public key to the agent. The agent can encrypt a payload using that public key (or encrypt an ephemeral AES key, or do a key exchange and return a second ephemeral public key that that browser extension can also use. ) and then the data would at least pass over the loopback in an encrypted form making it more secure. Your other post makes it seem like you have some reasonable checks to validate you are talking to a proper agent so this scheme does enhance security without adding a burden on your users (other than an update to get the new feature)