No, The bad guy does not have access to users computer. Users have good chrome (publicly available build of chrome and not the bad guys build). Bad guy sends an email or sets up a site that seems very genuine and asks users to install the extension from there (e.g. a gmail extension). Now, I want the users to be warned that the extension is fake.
I think chrome should mandate that any extension should be signed. So that users will take notice and start respecting the extension signature mismatch message. If users get used into installing extensions without signature, then a bad guys could just easily get users to install. What I am looking for is, if an extension is asking for access to a domain (and unlimited power there after), then that extension should be signed with certificate hosted in that domain. Otherwise chrome extension could be misused for spreading viruses and malware. Thanks, Sachin On Dec 21, 2:02 am, Adam Barth <[email protected]> wrote: > On Sun, Dec 20, 2009 at 11:48 AM, sachin <[email protected]> wrote: > > The threat that I want to guard is: A bad guy tricking users into > > installing a fake extension. > > To answer this question, we need to think about what kind of abilities > the bad guy has. You mentioned a public computer lab before. Does > the attacker have the ability to use these computers? Can he install > arbitrary extensions on the computers? > > > On the same topic, but looking at a different solution. > > > Is it possible for me to sign my extension with some certificate so > > that at install time chrome can validate it and let users know. So > > when I install a gmail extension, chrome would validate the signature > > and tell me if the extension was indeed from "http://mail.google.com";? > > That's possible in principle, and the Firefox extension system has > this notion of certificates. In practice, what happens is that very > few people sign their extensions. > > The best way to achieve this kind of behavior with the current > extension system is to host the CRX yourself on your web sites using > HTTPS. Then when the user is viewing the download page (over HTTPS), > they can be assured that the CRX they're getting actually comes from > you. > > Adam -- You received this message because you are subscribed to the Google Groups "Chromium-extensions" group. To post to this group, send email to [email protected]. To unsubscribe from this group, send email to [email protected]. For more options, visit this group at http://groups.google.com/group/chromium-extensions?hl=en.
