On 04/08/2014 06:09 AM, Pablo Castellano wrote:
> Thanks Yan!
>
> For what it's worth I have just written this script in order to check
> it quickly.
>
> https://github.com/PabloCastellano/pablog-scripts/blob/master/browsers_check_extension_keys.py
>
> It supports firefox (several profiles), chromium and chrome.

Thanks!

> Regards,
> Pablo.
>
>
> On 08/04/14 02:41, Yan Zhu wrote:
>> Hi all,
>>
>> A serious vulnerability in OpenSSL 1.0.1-1.0.1f was announced
>> today, which allows a connected client or server to read up to 64kb
>> of memory at a time. This can be exploited repeatedly to leak
>> arbitrary amounts of key material, including private SSL keys and
>> Tor Hidden Service private keys. (You can read more about the
>> impact on Tor via this blog post:
>> https://blog.torproject.org/blog/openssl-bug-cve-2014-0160.)
>>
>> Here's how this bug affects HTTPS Everywhere, to the best of my
>> understanding:
>>
>> * The EFF server that hosted HTTPS Everywhere downloads was running
>> an affected version of OpenSSL. In theory, this means that an
>> attacker could have exploited the vulnerability to get a copy of
>> our private SSL key. Note that this also applies to a large
>> fraction of the servers on the Internet. In our case, the potential
>> damage is mitigated by the fact that our servers supported
>> ciphersuites with forward secrecy (such that future compromise of
>> our SSL private key can't be used to decrypt past communications).
>>
>> * However, even if EFF's private SSL keys have been compromised,
>> updates to Firefox and Chrome HTTPS Everywhere are still safe
>> (assuming you downloaded a safe copy of HTTPS Everywhere to begin
>> with). This is because we sign all updates with an offline key, and
>> Firefox/Chrome rejects updates unless they have a valid signature.
>>
>> To check that you have a "good" copy of HTTPS Everywhere (one with
>> the correct update signing keys), you can do the following:
>>
>> # Firefox:
>> 1. Go to your Firefox profile directory:
>> https://support.mozilla.org/en-US/kb/profiles-where-firefox-stores-user-data#w_how-do-i-find-my-profile.
>> 2. From there, go into ./extensions/[email protected]/
>> 3. Open up install.rdf. You should see the following line:
>>
>> <em:updateKey>MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA6MR8W/galdxnpGqBsYbqOzQb2eyW15YFjDDEMI0ZOzt8f504obNs920lDnpPD2/KqgsfjOgw2K7xWDJIj/18xUvWPk3LDkrnokNiRkA3KOx3W6fHycKL+zID7zy+xZYBuh2fLyQtWV1VGQ45iNRp9+Zo7rH86cdfgkdnWTlNSHyTLW9NbXvyv/E12bppPcEvgCTAQXgnDVJ0/sqmeiijn9tTFh03aM+R2V/21h8aTraAS24qiPCz6gkmYGC8yr6mglcnNoYbsLNYZ69zF1XHcXPduCPdPdfLlzVlKK1/U7hkA28eG3BIAMh6uJYBRJTpiGgaGdPd7YekUB8S6cy+CQIDAQAB</em:updateKey>
>>
>> # Chrome:
>> 1. Go to your Chrome/Chromium profile directory:
>> http://www.chromium.org/user-experience/user-data-directory
>> 2. From there, go into
>> ./Extensions/gcbommkclmclpchllfjekcdonpmejbdp/ADDON_VERSION, where
>> ADDON_VERSION should be something like 2014.1.3_0.
>> 3. Open up manifest.json. You should see the following value for "key":
>>
>> "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA6MR8W/galdxnpGqBsYbqOzQb2eyW15YFjDDEMI0ZOzt8f504obNs920lDnpPD2/KqgsfjOgw2K7xWDJIj/18xUvWPk3LDkrnokNiRkA3KOx3W6fHycKL+zID7zy+xZYBuh2fLyQtWV1VGQ45iNRp9+Zo7rH86cdfgkdnWTlNSHyTLW9NbXvyv/E12bppPcEvgCTAQXgnDVJ0/sqmeiijn9tTFh03aM+R2V/21h8aTraAS24qiPCz6gkmYGC8yr6mglcnNoYbsLNYZ69zF1XHcXPduCPdPdfLlzVlKK1/U7hkA28eG3BIAMh6uJYBRJTpiGgaGdPd7YekUB8S6cy+CQIDAQAB"
>>
>> (Note that the keys are the same. For reference, the sha1sum is
>> c33840b49a97cddc65e2c6bd312b2c6e7e6982e8.)
>>
>> Hope this helps,
>> Yan
>>
>> PS: Server operators are recommended to update OpenSSL to 1.0.1f
>> immediately and rotate all private keys that could have been
>> exposed.
>>
>> _______________________________________________
>> HTTPS-Everywhere mailing list
>> [email protected]
>> https://lists.eff.org/mailman/listinfo/https-everywhere

--
Yan Zhu <[email protected]>, <[email protected]>
Staff Technologist
Electronic Frontier Foundation
https://www.eff.org
815 Eddy Street, San Francisco, CA 94109
+1 415 436 9333 x134
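One way to automate the check Yan describes (compare the key found in a Firefox install.rdf or a Chrome manifest.json against the expected update-signing key), as an added example that is neither Pablo's script nor EFF code; the expected key is the one quoted in the message, and the two sample files below are constructed, not real profile contents:

```python
import json
import re
from typing import Optional

# Expected HTTPS Everywhere update-signing public key (base64), as quoted in the
# message above. A good copy of the add-on carries exactly this value.
EXPECTED_UPDATE_KEY = (
    "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA6MR8W/galdxnpGqBsYbqOzQb2eyW15YFjDDEMI0ZOzt8f504obNs920lDnpPD2/KqgsfjOgw2K7xWDJIj/18xUvWPk3LDkrnokNiRkA3KOx3W6fHycKL+zID7zy+xZYBuh2fLyQtWV1VGQ45iNRp9+Zo7rH86cdfgkdnWTlNSHyTLW9NbXvyv/E12bppPcEvgCTAQXgnDVJ0/sqmeiijn9tTFh03aM+R2V/21h8aTraAS24qiPCz6gkmYGC8yr6mglcnNoYbsLNYZ69zF1XHcXPduCPdPdfLlzVlKK1/U7hkA28eG3BIAMh6uJYBRJTpiGgaGdPd7YekUB8S6cy+CQIDAQAB"
)


def firefox_update_key(install_rdf: str) -> Optional[str]:
    """Return the <em:updateKey> text from an install.rdf with all whitespace
    removed (the key may be wrapped across lines), or None if absent."""
    m = re.search(r"<em:updateKey>(.*?)</em:updateKey>", install_rdf, re.S)
    return re.sub(r"\s+", "", m.group(1)) if m else None


def chrome_key(manifest_json: str) -> Optional[str]:
    """Return the top-level "key" string from a Chrome/Chromium manifest.json,
    or None if the file is not valid JSON or carries no string key."""
    try:
        data = json.loads(manifest_json)
    except ValueError:
        return None
    key = data.get("key") if isinstance(data, dict) else None
    return key if isinstance(key, str) else None


def key_matches(found: Optional[str]) -> bool:
    """True only when the extracted key equals the expected signing key."""
    return found is not None and found == EXPECTED_UPDATE_KEY


# Constructed sample inputs (hypothetical file contents, not real profiles).
GOOD_INSTALL_RDF = f"""<?xml version="1.0"?>
<RDF xmlns="http://www.w3.org/1999/02/22-rdf-syntax-ns#"
     xmlns:em="http://www.mozilla.org/2004/em-rdf#">
  <Description about="urn:mozilla:install-manifest">
    <em:updateKey>
      {EXPECTED_UPDATE_KEY[:100]}
      {EXPECTED_UPDATE_KEY[100:]}
    </em:updateKey>
  </Description>
</RDF>"""
GOOD_MANIFEST = json.dumps({"name": "HTTPS Everywhere", "key": EXPECTED_UPDATE_KEY})
# A copy whose key has been altered by one character must be rejected.
BAD_MANIFEST = json.dumps({"name": "HTTPS Everywhere", "key": "X" + EXPECTED_UPDATE_KEY[1:]})

if __name__ == "__main__":
    print("firefox sample ok:", key_matches(firefox_update_key(GOOD_INSTALL_RDF)))
    print("chrome sample ok:", key_matches(chrome_key(GOOD_MANIFEST)))
    print("tampered sample ok:", key_matches(chrome_key(BAD_MANIFEST)))
```

To check a real installation, read the install.rdf or manifest.json from the paths given in the message and pass its contents to the matching function.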
_______________________________________________ HTTPS-Everywhere mailing list [email protected] https://lists.eff.org/mailman/listinfo/https-everywhere
