Well, you can execute a periodic script, maybe, that makes an XML HTTP
request to the manifest of known fake extensions and show up an
alert\whatever when it does.
The URL would be chrome-extensions//ID_FROM_LIST_OF_IDs/manifest.json. If it
has data (since I think it always returns 0 as the HTTP response code), it
means the extension exists and you can alert the user about it.

☆PhistucK


On Mon, Dec 21, 2009 at 06:08, sachin <[email protected]> wrote:

> No, the bad guy does not have access to the user's computer.
>
> Users have good chrome (publicly available build of chrome and not the
> bad guys build). Bad guy sends an email or sets up a site that seems
> very genuine and asks users to install the extension from there (e.g.
> a gmail extension). Now, I want the users to be warned that the
> extension is fake.
>
> I think chrome should mandate that any extension should be signed. So
> that users will take notice and start respecting the extension
> signature mismatch message. If users get used to installing
> extensions without signature, then bad guys could just easily get
> users to install.
>
> What I am looking for is, if an extension is asking for access to a
> domain (and unlimited power thereafter), then that extension should
> be signed with certificate hosted in that domain. Otherwise chrome
> extension could be misused for spreading viruses and malware.
>
> Thanks,
> Sachin
>
> On Dec 21, 2:02 am, Adam Barth <[email protected]> wrote:
> > On Sun, Dec 20, 2009 at 11:48 AM, sachin <[email protected]> wrote:
> > > The threat that I want to guard is: A bad guy tricking users into
> > > installing a fake extension.
> >
> > To answer this question, we need to think about what kind of abilities
> > the bad guy has.  You mentioned a public computer lab before.  Does
> > the attacker have the ability to use these computers?  Can he install
> > arbitrary extensions on the computers?
> >
> > > On the same topic, but looking at a different solution.
> >
> > > Is it possible for me to sign my extension with some certificate so
> > > that at install time chrome can validate it and let users know. So
> > > when I install a gmail extension, chrome would validate the signature
> > > and tell me if the extension was indeed from "http://mail.google.com"?
> >
> > That's possible in principle, and the Firefox extension system has
> > this notion of certificates.  In practice, what happens is that very
> > few people sign their extensions.
> >
> > The best way to achieve this kind of behavior with the current
> > extension system is to host the CRX yourself on your web sites using
> > HTTPS.  Then when the user is viewing the download page (over HTTPS),
> > they can be assured that the CRX they're getting actually comes from
> > you.
> >
> > Adam
>
> --
>
> You received this message because you are subscribed to the Google Groups
> "Chromium-extensions" group.
> To post to this group, send email to [email protected].
> To unsubscribe from this group, send email to [email protected].
> For more options, visit this group at
> http://groups.google.com/group/chromium-extensions?hl=en.
>
>
>
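
The periodic check suggested in the reply at the top of this message, as an added example that is not part of the original thread: it decides presence from the response body rather than the status code, as the reply proposes. The names KNOWN_FAKE_IDS, scanForFakes and the injected probe function are hypothetical, the sample IDs and responses are constructed, and the URL is built with Chrome's chrome-extension:// scheme.

```javascript
// Added example: all names here are hypothetical, sample data is constructed.
// Chrome extension IDs are 32 characters drawn from the letters a-p.
const ID_RE = /^[a-p]{32}$/;

// Constructed sample list; real IDs would come from a maintained blocklist.
const KNOWN_FAKE_IDS = ["a".repeat(32), "abcdefghijklmnopabcdefghijklmnop"];

function manifestUrl(id) {
  if (!ID_RE.test(id)) throw new Error("not an extension ID: " + id);
  return "chrome-extension://" + id + "/manifest.json";
}

// Decide presence from the body, not the status code: per the reply, the
// status may be 0 even on success, so only parseable manifest data counts.
function looksInstalled(response) {
  if (!response || typeof response.body !== "string" || response.body === "") return false;
  try {
    const m = JSON.parse(response.body);
    return m !== null && typeof m === "object" && typeof m.name === "string";
  } catch (e) {
    return false; // error page or truncated data, not a manifest
  }
}

// probe(url) -> Promise<{status, body}>; injected so the logic runs offline.
async function scanForFakes(ids, probe) {
  const found = [];
  for (const id of ids) {
    let response = null;
    try {
      response = await probe(manifestUrl(id));
    } catch (e) {
      continue; // request blocked or malformed ID: treat as not detected
    }
    if (looksInstalled(response)) found.push({ id, name: JSON.parse(response.body).name });
  }
  return found;
}

// Constructed stand-in for the browser request: only the first ID "exists".
const fakeProbe = async (url) =>
  url.includes("a".repeat(32))
    ? { status: 0, body: '{"name":"Gmail Helper","version":"1.0"}' }
    : { status: 0, body: "" };

// Re-run the scan on a timer and hand any hits to the caller's alert code.
function startPeriodicScan(ids, probe, onFound, intervalMs) {
  const tick = () => scanForFakes(ids, probe).then((hits) => hits.length && onFound(hits));
  tick();
  return setInterval(tick, intervalMs);
}
```

Current Chrome only serves an extension's files to other origins when the extension lists them under web_accessible_resources, so an empty result from this check does not prove the extension is absent.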
