On Sun, Dec 20, 2009 at 8:08 PM, sachin <[email protected]> wrote:
> No, the bad guy does not have access to the user's computer.
>
> Users have good Chrome (the publicly available build of Chrome and not the
> bad guy's build). The bad guy sends an email or sets up a site that seems
> very genuine and asks users to install the extension from there (e.g.
> a Gmail extension). Now, I want the users to be warned that the
> extension is fake.
What makes the extension fake? If the attacker can convince the user to
install a malicious extension from his or her own web page, the attacker
can probably convince the user to run an EXE, because the user experiences
are very similar. Once the user is running the attacker's EXE, there's
nothing we can do to protect the user.

> I think Chrome should mandate that any extension should be signed.

All extensions are signed.

> So that users will take notice and start respecting the extension
> signature mismatch message. If users get used to installing
> extensions without a signature, then bad guys could just as easily get
> users to install one.

Chrome refuses to install extensions that have a signature mismatch.

> What I am looking for is, if an extension is asking for access to a
> domain (and unlimited power thereafter), then that extension should
> be signed with a certificate hosted in that domain. Otherwise Chrome
> extensions could be misused for spreading viruses and malware.

This breaks a primary extension use case. For example, that would
preclude Fittr Flickr from improving Flickr, because it's created by a
third party and not sanctioned by Flickr.

https://chrome.google.com/extensions/detail/fhaledancjhefginmkkondfjpnkhdglh

Extensions are powerful. When you install an extension, you're making a
trust decision. I don't recommend installing extensions from random web
sites, just like I don't recommend running EXEs from random web sites.
That's a social problem that cryptography can't solve.

Adam
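The exchange above turns on what an extension signature actually proves. The following is an added example, not code from Adam or from the Chromium project: it packs and verifies a CRX2-style package (the "Cr24" magic, version 2, key and signature lengths, key, RSA-SHA1 PKCS#1 v1.5 signature over the zip, then the zip) and derives the extension ID from SHA-256 of the key the way Chrome does. Two things are simplified and are assumptions of this example only: the RSA key is a textbook key generated in-block rather than Chrome's DER-encoded SubjectPublicKeyInfo, and the key field uses a raw length-prefixed layout instead of DER. The manifest and its permission are constructed sample data. The demo shows the point of the thread: a tampered package fails, but the same files repackaged under any other key verify just as well with a different ID, because the signature is checked against the key carried inside the package and nothing in it names a domain.

```python
import hashlib
import io
import random
import struct
import zipfile

CRX_MAGIC, CRX_VERSION = b"Cr24", 2  # CRX2 header: magic, version, key length, sig length
_SHA1_DIGESTINFO = bytes.fromhex("3021300906052b0e03021a05000414")  # PKCS#1 v1.5 SHA-1 prefix

def _is_probable_prime(n, rounds=16):
    # Miller-Rabin, adequate only for a throwaway example key
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def generate_rsa_key(bits=1024):
    """Textbook RSA keygen (hypothetical stand-in for Chrome's real keys); returns (n, e, d)."""
    def prime():
        while True:
            c = random.getrandbits(bits // 2) | (1 << (bits // 2 - 1)) | 1
            if _is_probable_prime(c):
                return c
    e = 65537
    while True:
        p, q = prime(), prime()
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:
            return p * q, e, pow(e, -1, phi)

def _emsa_pkcs1_v15(data, k):
    t = _SHA1_DIGESTINFO + hashlib.sha1(data).digest()
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t

def rsa_sign(data, key):
    n, _, d = key
    k = (n.bit_length() + 7) // 8
    return pow(int.from_bytes(_emsa_pkcs1_v15(data, k), "big"), d, n).to_bytes(k, "big")

def rsa_verify(data, sig, n, e):
    k = (n.bit_length() + 7) // 8
    if len(sig) != k:
        return False
    m = pow(int.from_bytes(sig, "big"), e, n).to_bytes(k, "big")
    return m == _emsa_pkcs1_v15(data, k)

def _encode_public_key(n, e):
    """Simplified key field (4-byte n length, n, 4-byte e); Chrome embeds DER SubjectPublicKeyInfo."""
    nb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return struct.pack("<I", len(nb)) + nb + struct.pack("<I", e)

def _decode_public_key(pub):
    (nlen,) = struct.unpack_from("<I", pub, 0)
    return int.from_bytes(pub[4:4 + nlen], "big"), struct.unpack_from("<I", pub, 4 + nlen)[0]

def extension_id(public_key_bytes):
    """Chrome's ID rule: first 16 bytes of SHA-256(key), each hex digit mapped onto a-p."""
    return "".join(chr(ord("a") + int(c, 16)) for c in hashlib.sha256(public_key_bytes).hexdigest()[:32])

def make_zip(manifest_json):
    """Constructed payload: a zip holding only manifest.json."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("manifest.json", manifest_json)
    return buf.getvalue()

def pack_crx(zip_bytes, key):
    pub, sig = _encode_public_key(key[0], key[1]), rsa_sign(zip_bytes, key)
    return CRX_MAGIC + struct.pack("<III", CRX_VERSION, len(pub), len(sig)) + pub + sig + zip_bytes

def verify_crx(blob):
    """Install-time check: (signature_ok, extension_id). Success proves integrity under the embedded key, not authorship."""
    if len(blob) < 16 or blob[:4] != CRX_MAGIC or struct.unpack_from("<I", blob, 4)[0] != CRX_VERSION:
        return False, None
    pub_len, sig_len = struct.unpack_from("<II", blob, 8)
    pub, sig = blob[16:16 + pub_len], blob[16 + pub_len:16 + pub_len + sig_len]
    payload = blob[16 + pub_len + sig_len:]
    n, e = _decode_public_key(pub)
    return rsa_verify(payload, sig, n, e), extension_id(pub)

def demo():
    """One payload, two keys: both verify, the IDs differ, and neither key names a domain."""
    payload = make_zip('{"name": "Mail helper", "version": "1.0", "permissions": ["https://mail.example.com/*"]}')
    original = pack_crx(payload, generate_rsa_key())
    third_party = pack_crx(payload, generate_rsa_key())  # same files, repackaged under another key
    tampered = bytearray(original)
    tampered[-1] ^= 0x01                                  # one flipped bit in the zip payload
    return {"original": verify_crx(original), "third_party": verify_crx(third_party),
            "tampered": verify_crx(bytes(tampered))}
```

Running `demo()` gives `signature_ok=True` for both the original and the third-party package with two different 32-letter IDs, and `signature_ok=False` for the tampered one. The ID is the only identity Chrome derives, and it is a function of whatever key the packager chose; binding it to a domain certificate, as proposed in the thread, would have to be an extra check outside the signature itself and would reject legitimate third-party extensions like the Flickr example.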
