On 2 May 2014 17:22, Griffin Boyce <[email protected]> wrote:
>> Do chrome extensions have a private offline key you use to sign
>> extensions, to prevent malicious extension upgrades by google/an
>> attacker who can middle SSL?
>
>
> No, though I have two-factor authentication using a secure device (not a
> cell phone), and I can't be vanned/rubber-hosed because I don't actually
> know the password to my Google developer account. Some of this does require
> trust that I have a secure signing/uploading environment.
This makes it harder for someone to compromise your account, but not Google.
In the Android app store, it's a *little* stronger, as apps are signed by a
developer key, and they need that key to update. Except if Google really
wanted, they could push down an update to bypass that. It'd be more work
though.

Anyway, I don't think any of this makes the extension worthless, far from it.
I just wanted to understand the attacks possible for a malicious extension
update and for a malicious Google.

Thanks for your work!

-tom

--
Liberationtech is public & archives are searchable on Google. Violations of list guidelines will get you moderated: https://mailman.stanford.edu/mailman/listinfo/liberationtech. Unsubscribe, change to digest, or change password by emailing moderator at [email protected].
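The two update models the thread contrasts, as an added example that is not part of the list discussion and not code from either store: a client that accepts any update the store signs (the Chrome situation as described above, where the developer holds no signing key), beside a client that pins the developer's key at first install and refuses updates signed by anyone else (the Android situation as described above). The package format, the Ed25519 keys, the trust-on-first-use pinning and the package names are all constructed for illustration; real stores use their own container formats and key types.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Package is a constructed stand-in for an extension or APK: a name, a
// monotonically increasing version, the code itself, and a detached
// signature together with the public key the signer claims to have used.
type Package struct {
	Name      string
	Version   int
	Payload   []byte
	SignerPub ed25519.PublicKey
	Sig       []byte
}

// digest binds everything the installer must check as one unit, with NUL
// separators so that shifting bytes between fields changes the hash.
func digest(p *Package) []byte {
	h := sha256.New()
	fmt.Fprintf(h, "%s\x00%d\x00", p.Name, p.Version)
	h.Write(p.Payload)
	return h.Sum(nil)
}

// Sign attaches priv's signature (and its public key) to the package.
func Sign(p *Package, priv ed25519.PrivateKey) {
	p.SignerPub = priv.Public().(ed25519.PublicKey)
	p.Sig = ed25519.Sign(priv, digest(p))
}

// Installed is the client's record for an installed package. DevKey is
// pinned at first install and never changes afterwards.
type Installed struct {
	Version int
	DevKey  ed25519.PublicKey
}

var (
	ErrBadSig      = errors.New("signature does not verify")
	ErrKeyMismatch = errors.New("update is not signed by the pinned developer key")
	ErrDowngrade   = errors.New("update version is not newer than the installed one")
)

// FirstInstall trusts whatever key the first version carries (trust on
// first use, an assumption of this example) and pins it for later updates.
func FirstInstall(p *Package) (*Installed, error) {
	if !ed25519.Verify(p.SignerPub, digest(p), p.Sig) {
		return nil, ErrBadSig
	}
	return &Installed{Version: p.Version, DevKey: p.SignerPub}, nil
}

// AcceptStoreUpdate is the store-controlled model: the client checks only
// that the store signed the update, so any party holding the store key
// (the store itself, or whoever can sign as the store) can ship arbitrary
// code under the package name.
func AcceptStoreUpdate(storePub ed25519.PublicKey, cur *Installed, upd *Package) error {
	if !ed25519.Verify(storePub, digest(upd), upd.Sig) {
		return ErrBadSig
	}
	if upd.Version <= cur.Version {
		return ErrDowngrade
	}
	cur.Version = upd.Version
	return nil
}

// AcceptPinnedUpdate is the developer-key model: the update must verify
// under the key pinned at first install, so the store cannot substitute
// code without that key. Claiming the developer key without its signature
// fails the Verify step.
func AcceptPinnedUpdate(cur *Installed, upd *Package) error {
	if !bytes.Equal(upd.SignerPub, cur.DevKey) {
		return ErrKeyMismatch
	}
	if !ed25519.Verify(cur.DevKey, digest(upd), upd.Sig) {
		return ErrBadSig
	}
	if upd.Version <= cur.Version {
		return ErrDowngrade
	}
	cur.Version = upd.Version
	return nil
}

func mustKey() ed25519.PrivateKey {
	_, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return priv
}

func main() {
	dev, store := mustKey(), mustKey()
	storePub := store.Public().(ed25519.PublicKey)

	v1 := &Package{Name: "example-ext", Version: 1, Payload: []byte("good code")}
	Sign(v1, dev)
	cur, _ := FirstInstall(v1)

	// An update the developer never signed, pushed by whoever controls the
	// store key. The pinned policy rejects it; the store-only policy does not.
	evil := &Package{Name: "example-ext", Version: 2, Payload: []byte("exfiltrate everything")}
	Sign(evil, store)
	fmt.Println("pinned key:", AcceptPinnedUpdate(cur, evil))
	fmt.Println("store only:", AcceptStoreUpdate(storePub, cur, evil))
}
```

The pinned check only defends against a party that controls the delivery channel but not the developer key; it lives in client code that the platform vendor ships, so, as the message above notes, the vendor can remove it with a platform update. The version comparison is there because a key check alone still lets an attacker replay an older, correctly signed release.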
