Tom Ritter wrote:
I'm wondering about the update mechanism.

Do chrome extensions update over SSL? Is this update connection to
google pinned, so you have to compromise a specific CA, instead of any
CA?

Chrome packaged apps update over SSL from a domain that has its certificate pinned. Rather than compromising the CA (which is Google Internet Authority), it seems more likely that someone gets a bad copy of Chrome and is at a strong negative from the beginning.

When testing from within Iran and within China, everything's been accessible and no tampering has occurred. There are some serious economic incentives that work in our favor (and that's why this is for Chrome and not Firefox).

But let's say that the person is being MITM'd for Chrome Web Store. There are a couple of solutions to this:

- Comparing software sha256 checksums from multiple sources to ensure they match.
- Install from a gpg-signed zip file instead of from the Chrome store. This is not ideal, since they need to know how to check signatures.
- Downloading gpg keys, verifying web of trust, and then checking software signatures*

Do chrome extensions have a private offline key you use to sign
extensions, to prevent malicious extension upgrades by google/an
attacker who can middle SSL?

No, though I have two-factor authentication using a secure device (not a cell phone), and I can't be vanned/rubber-hosed because I don't actually know the password to my Google developer account. Some of this does require trust that I have a secure signing/uploading environment.

best,
Griffin
gpg: 0x879bda5bf6b27b6127450a2503cf4a0ab3c79a63

* which aren't included, but will be this weekend
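The first fallback Griffin lists, cross-checking a download's sha256 against checksum files from several independent sources, as an added example that is not part of this thread or of the project discussed. The package bytes, mirror names and manifest contents below are constructed for the example; the manifest lines follow the sha256sum(1) "hash  filename" format.

```python
import hashlib
import re

# Constructed sample: these bytes stand in for the downloaded zip file.
PACKAGE = b"PK\x03\x04 fake-extension-payload v1.0"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


GOOD_SUM = sha256_hex(PACKAGE)

# Constructed checksum manifests, as if fetched from two independent mirrors.
SOURCES = {
    "mirror-a": f"{GOOD_SUM}  extension.zip\n",
    "mirror-b": f"# sums for release 1.0\n{GOOD_SUM}  extension.zip\n",
}
# Same, but one mirror (or the path to it) has been tampered with.
TAMPERED_SOURCES = {
    "mirror-a": f"{GOOD_SUM}  extension.zip\n",
    "mirror-b": f"{'0' * 64}  extension.zip\n",
}

# sha256sum line: 64 hex chars, whitespace, optional '*' binary marker, filename
LINE_RE = re.compile(r"^([0-9a-fA-F]{64})\s+\*?(\S+)$")


def parse_manifest(text: str) -> dict:
    """Map filename -> lowercase sha256 hex; skips blank and '#' comment lines."""
    sums = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unparseable manifest line: {line!r}")
        sums[m.group(2)] = m.group(1).lower()
    return sums


def verify_from_sources(data: bytes, filename: str, sources: dict) -> bool:
    """Accept only if at least two sources list the file and all agree with its real hash."""
    actual = sha256_hex(data)
    for manifest in sources.values():
        expected = parse_manifest(manifest).get(filename)
        if expected is None:
            return False  # a source that is silent about the file is a failure, not a pass
        if expected != actual:
            return False  # any disagreement means the download or a source is bad
    return len(sources) >= 2  # a single source gives no cross-check at all
```

A disagreement is treated as a hard failure rather than resolved by majority vote, because the point of the check is to detect that at least one path to the user is being tampered with.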

--
Liberationtech is public & archives are searchable on Google. Violations of 
list guidelines will get you moderated: 
https://mailman.stanford.edu/mailman/listinfo/liberationtech. Unsubscribe, change 
to digest, or change password by emailing moderator at compa...@stanford.edu.