-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Thanks Yan!

For what it's worth, I have just written this script in order to check it quickly:
https://github.com/PabloCastellano/pablog-scripts/blob/master/browsers_check_extension_keys.py

It supports Firefox (several profiles), Chromium and Chrome.

Regards,
Pablo.

On 08/04/14 02:41, Yan Zhu wrote:
> Hi all,
>
> A serious vulnerability in OpenSSL 1.0.1-1.0.1f was announced today, which allows a connected client or server to read up to 64kb of memory at a time. This can be exploited repeatedly to leak arbitrary amounts of key material, including private SSL keys and Tor Hidden Service private keys. (You can read more about the impact on Tor via this blog post: https://blog.torproject.org/blog/openssl-bug-cve-2014-0160.)
>
> Here's how this bug affects HTTPS Everywhere, to the best of my understanding:
>
> * The EFF server that hosted HTTPS Everywhere downloads was running an affected version of OpenSSL. In theory, this means that an attacker could have exploited the vulnerability to get a copy of our private SSL key. Note that this also applies to a large fraction of the servers on the Internet. In our case, the potential damage is mitigated by the fact that our servers supported ciphersuites with forward secrecy (such that future compromise of our SSL private key can't be used to decrypt past communications).
>
> * However, even if EFF's private SSL keys have been compromised, updates to Firefox and Chrome HTTPS Everywhere are still safe (assuming you downloaded a safe copy of HTTPS Everywhere to begin with). This is because we sign all updates with an offline key, and Firefox/Chrome rejects updates unless they have a valid signature.
>
> To check that you have a "good" copy of HTTPS Everywhere (one with the correct update signing keys), you can do the following:
>
> # Firefox:
> 1. Go to your Firefox profile directory: https://support.mozilla.org/en-US/kb/profiles-where-firefox-stores-user-data#w_how-do-i-find-my-profile.
> 2. From there, go into ./extensions/https-everywhere@eff.org/
> 3. Open up install.rdf. You should see the following line:
> <em:updateKey>MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA6MR8W/galdxnpGqBsYbqOzQb2eyW15YFjDDEMI0ZOzt8f504obNs920lDnpPD2/KqgsfjOgw2K7xWDJIj/18xUvWPk3LDkrnokNiRkA3KOx3W6fHycKL+zID7zy+xZYBuh2fLyQtWV1VGQ45iNRp9+Zo7rH86cdfgkdnWTlNSHyTLW9NbXvyv/E12bppPcEvgCTAQXgnDVJ0/sqmeiijn9tTFh03aM+R2V/21h8aTraAS24qiPCz6gkmYGC8yr6mglcnNoYbsLNYZ69zF1XHcXPduCPdPdfLlzVlKK1/U7hkA28eG3BIAMh6uJYBRJTpiGgaGdPd7YekUB8S6cy+CQIDAQAB</em:updateKey>
>
> # Chrome:
> 1. Go to your Chrome/Chromium profile directory: http://www.chromium.org/user-experience/user-data-directory
> 2. From there, go into ./Extensions/gcbommkclmclpchllfjekcdonpmejbdp/ADDON_VERSION, where ADDON_VERSION should be something like 2014.1.3_0.
> 3. Open up manifest.json. You should see the following value for "key":
> "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA6MR8W/galdxnpGqBsYbqOzQb2eyW15YFjDDEMI0ZOzt8f504obNs920lDnpPD2/KqgsfjOgw2K7xWDJIj/18xUvWPk3LDkrnokNiRkA3KOx3W6fHycKL+zID7zy+xZYBuh2fLyQtWV1VGQ45iNRp9+Zo7rH86cdfgkdnWTlNSHyTLW9NbXvyv/E12bppPcEvgCTAQXgnDVJ0/sqmeiijn9tTFh03aM+R2V/21h8aTraAS24qiPCz6gkmYGC8yr6mglcnNoYbsLNYZ69zF1XHcXPduCPdPdfLlzVlKK1/U7hkA28eG3BIAMh6uJYBRJTpiGgaGdPd7YekUB8S6cy+CQIDAQAB"
>
> (Note that the keys are the same. For reference, the sha1sum is c33840b49a97cddc65e2c6bd312b2c6e7e6982e8.)
>
> Hope this helps,
> Yan
>
> PS: Server operators are recommended to update OpenSSL to 1.0.1f immediately and rotate all private keys that could have been exposed.
>
> _______________________________________________
> HTTPS-Everywhere mailing list
> https-everywhere@lists.eff.org
> https://lists.eff.org/mailman/listinfo/https-everywhere
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.14 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iQIcBAEBAgAGBQJTQ/T6AAoJEHj0TzpGP5GcsdoP/3j5AC1KiEl1H9MpSv06RwXv
Pjstx7vEaZgGrmKjx6SCX2tlUsM0W33S5J5WA15v7CdrgO9Ewo74Jl1PTa8Tw1YE
nT0J/WZm6dMQXQ4GPkXRTjOu6BpPAOZVqg3TsAcrxdpA1Kt6TUx7kvbLa8JCsdL/
PmKMAEPASyyHkl2daLT7MrmdJccxrKOfZPoWPZ6Er6xV5kc7+/GAlJHbyr7k3ktu
YKVe+RF+5Z/MnXrbrsdtYOfd6D/t1bOtuGl/IogfuINHNWOMZE8eC29JX106fddW
CaPdbiIcNRGwfgL6c7q7P0FuqN7d45kwwBt3/nLm6wnkJXk97LOF2Dmd90yjpoBf
BRP2KSb9eHMJUrQ+gfzhjOUoSghuais/EgM7kPh/r0rHDgBY2O0c9X1PtrSoUw02
ZJ8zQWIIsWAEKw6XhMNDtmd6yDMEWG2hVORh1xrbubE2Ux+T5oUkHQN4PAZKvvd4
7HegHP7IM3ttH0aY+t7erbkS7qhIBNOmheMd1sZSwIZUZsXA11lCFxnn64gXb1ON
43xX0dCDhLuHda7FedZ4piweT2pNYThu9nhkgUpetl+EpP1htVLqEbSLoLXuwYv7
Wd9Y9XMZ18EMqRiXb0F4zrAw37AKvclGqgv4cENXtj2EiHaneMFN95Ca64xPefeq
aIlunCL5suiuve1bwmkr
=mYxv
-----END PGP SIGNATURE-----
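The check Yan describes above (compare the key in install.rdf or manifest.json against the published update-signing key) as a stand-alone script. This is an added example for this archive page, not Pablo's linked script and not EFF code. It embeds the key exactly as quoted in Yan's mail, runs over two constructed sample files when called without arguments, and over real files when given their paths. Beyond the plain string comparison it also checks that the key decodes as a 2048-bit RSA SubjectPublicKeyInfo, and derives the Chrome extension ID from the key (Chrome takes the first 128 bits of SHA-256 over the DER key and maps each hex digit to a-p), which should equal the directory name in the Chrome path above if the key was transcribed intact. Since the mail does not say what the quoted sha1sum was taken over, the script prints SHA-1 over the bare base64 text and over the text with a trailing newline (what `sha1sum` on a one-line file would give) rather than asserting either.

```python
import base64
import hashlib
import json
import re
import sys

# Update-signing key as quoted in Yan Zhu's mail (base64 DER SubjectPublicKeyInfo).
EXPECTED_KEY = (
    "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA6MR8W/galdxnpGqBsYbqOzQb2eyW15YFjDDEMI0ZOzt8f504ob"
    "Ns920lDnpPD2/KqgsfjOgw2K7xWDJIj/18xUvWPk3LDkrnokNiRkA3KOx3W6fHycKL+zID7zy+xZYBuh2fLyQtWV1VGQ45"
    "iNRp9+Zo7rH86cdfgkdnWTlNSHyTLW9NbXvyv/E12bppPcEvgCTAQXgnDVJ0/sqmeiijn9tTFh03aM+R2V/21h8aTraAS"
    "24qiPCz6gkmYGC8yr6mglcnNoYbsLNYZ69zF1XHcXPduCPdPdfLlzVlKK1/U7hkA28eG3BIAMh6uJYBRJTpiGgaGdPd7Y"
    "ekUB8S6cy+CQIDAQAB"
)


def normalize(key):
    """Strip whitespace and mail quote markers so a key pasted from a file or a '>'-quoted
    message compares byte-for-byte with the reference."""
    return re.sub(r"[\s>]", "", key or "")


def extract_key(text):
    """Return the signing key from either a Firefox install.rdf (<em:updateKey>) or a
    Chrome manifest.json ("key"), or None when neither is present."""
    m = re.search(r"<em:updateKey>(.*?)</em:updateKey>", text, re.S)
    if m:
        return normalize(m.group(1))
    try:
        return normalize(json.loads(text).get("key")) or None
    except ValueError:
        return None


def chrome_id_from_key(key_b64):
    """Chrome's extension ID is the first 32 hex digits of SHA-256 over the DER-encoded
    public key, with 0-9a-f remapped onto a-p.  A pinned "key" therefore pins the ID."""
    digest = hashlib.sha256(base64.b64decode(key_b64, validate=True)).hexdigest()[:32]
    return "".join("abcdefghijklmnop"[int(c, 16)] for c in digest)


def report(found_key, expected_key=EXPECTED_KEY):
    """Compare a key found on disk with the expected one and gather sanity checks."""
    found = normalize(found_key)
    der = base64.b64decode(found, validate=True) if found else b""
    return {
        "matches": bool(found) and found == normalize(expected_key),
        "der_length": len(der),  # 294 bytes for a 2048-bit RSA SubjectPublicKeyInfo
        # SEQUENCE of length 0x122 at the front, INTEGER 65537 (public exponent) at the end
        "rsa_spki_2048": der[:4] == b"\x30\x82\x01\x22" and der[-5:] == b"\x02\x03\x01\x00\x01",
        "sha1_text": hashlib.sha1(found.encode()).hexdigest(),
        "sha1_text_newline": hashlib.sha1((found + "\n").encode()).hexdigest(),
        "chrome_id": chrome_id_from_key(found) if der else None,
    }


# Constructed sample files standing in for a real profile; not copied from any install.
SAMPLE_INSTALL_RDF = f"""<?xml version="1.0"?>
<RDF xmlns="http://www.w3.org/1999/02/22-rdf-syntax-ns#"
     xmlns:em="http://www.mozilla.org/2004/em-rdf#">
  <Description about="urn:mozilla:install-manifest">
    <em:updateKey>{EXPECTED_KEY}</em:updateKey>
  </Description>
</RDF>
"""
SAMPLE_MANIFEST = json.dumps({"name": "HTTPS Everywhere", "version": "2014.1.3", "key": EXPECTED_KEY})


def main(argv):
    # No arguments: run over the constructed samples.  Otherwise each argument is a path to an
    # install.rdf or manifest.json from a real browser profile.
    items = [(p, open(p, encoding="utf-8").read()) for p in argv] or [
        ("sample install.rdf", SAMPLE_INSTALL_RDF),
        ("sample manifest.json", SAMPLE_MANIFEST),
    ]
    for name, text in items:
        r = report(extract_key(text))
        print(f"{name}: key {'OK' if r['matches'] else 'MISMATCH'}, DER {r['der_length']} bytes, "
              f"rsa2048={r['rsa_spki_2048']}, chrome id {r['chrome_id']}")
        print(f"  sha1(text)={r['sha1_text']}  sha1(text+newline)={r['sha1_text_newline']}")


if __name__ == "__main__":
    main(sys.argv[1:])
```

Run it as `python check_keys.py ~/.mozilla/firefox/<profile>/extensions/<id>/install.rdf ~/.config/chromium/Default/Extensions/<id>/<version>/manifest.json`. A MISMATCH, a DER length other than 294, or a derived Chrome ID that differs from the extension's directory name all mean the installed copy does not carry the published signing key and should be reinstalled from a trusted source rather than updated in place.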
