On Sun, May 04, 2014 at 10:51:40AM -0400, Nick wrote:
Quoth Andrew Cady:
On Sat, May 03, 2014 at 12:35:39PM -0400, Nick wrote:
if you're worried about an evil google, hey, they control the
browser, so you've already lost.
I use Chromium and update it through my distro, so no, Google
Nathan Freitas wrote:
Automated distributed deterministic build comparisons FTW!
Seriously, it seems like we are pretty close with such a thing for
Android APKs, so perhaps Chrome extension bundles could be added to
the list, as well.
That sounds pretty awesome :D Apps and extensions are
On Sat, May 03, 2014 at 02:51:43PM -0400, Nathan Freitas wrote:
On May 2, 2014 8:46:08 PM EDT, Griffin Boyce grif...@cryptolab.net
wrote:
On 2014-05-02 20:35, Andrew Cady wrote:
On Fri, May 02, 2014 at 05:22:11PM -0400, Griffin Boyce wrote:
I can't be vanned/rubber-hosed because
On Sat, May 03, 2014 at 12:35:39PM -0400, Nick wrote:
if you're worried about an evil google, hey, they control the
browser, so you've already lost.
I use Chromium and update it through my distro, so no, Google
does not control the browser (/usr/bin/chromium). But they do,
still, control the
Quoth Andrew Cady:
On Sat, May 03, 2014 at 12:35:39PM -0400, Nick wrote:
if you're worried about an evil google, hey, they control the
browser, so you've already lost.
I use Chromium and update it through my distro, so no, Google
does not control the browser (/usr/bin/chromium).
Me too,
On 2014-05-04 01:02, Nick wrote:
https://developer.chrome.com/extensions/crx is the documentation
that mentions the signing. There are a couple of scripts there that
will create a signed .crx file. I also wrote one a while ago[0].
I don't know how crx files integrate with Google's developer
On 2 May 2014 17:22, Griffin Boyce grif...@cryptolab.net wrote:
Do chrome extensions have a private offline key you use to sign
extensions, to prevent malicious extension upgrades by google/an
attacker who can middle SSL?
No, though I have two-factor authentication using a secure device
Quoth Tom Ritter:
This makes it harder for someone to compromise your account, but not
Google. In the Android App store, it's a *little* stronger, as apps
are signed by a developer key, and they need that key to update.
Except if Google really wanted they could push down an update to
bypass
Nick wrote:
Can you definitely not sign extensions with a private key?
This is not an option available to any of my extensions or apps,
unfortunately. There's reference to it in the documentation, but I've
never seen this as an option for apps or for my developer account.
Could you
On May 2, 2014 8:46:08 PM EDT, Griffin Boyce grif...@cryptolab.net wrote:
On 2014-05-02 20:35, Andrew Cady wrote:
On Fri, May 02, 2014 at 05:22:11PM -0400, Griffin Boyce wrote:
No, though I have two-factor authentication using a secure device
(not a cell phone), and I can't be
Quoth Griffin Boyce:
Nick wrote:
Can you definitely not sign extensions with a private key?
This is not an option available to any of my extensions or apps,
unfortunately. There's reference to it in the documentation, but
I've never seen this as an option for apps or for my developer
Hey all,
So lately I've been obsessively working on a project to get software
into people's hands and make it easy for them to see whether it's been
tampered with in-transit.
Code: https://github.com/glamrock/satori (download the zip)
App:
On 2 May 2014 11:00, Griffin Boyce grif...@cryptolab.net wrote:
Also open to ideas about how I'm screwing this all up or am
failing to account for Threat Model X.
I'm wondering about the update mechanism. As I understand it, some
scenarios are:
1) You bake in SHA256 hashes of software, with
Tom Ritter wrote:
I'm wondering about the update mechanism.
Do chrome extensions update over SSL? Is this update connection to
google pinned, so you have to compromise a specific CA, instead of any
CA?
Chrome packaged apps update over SSL from a domain that has its
certificate pinned.
On Fri, May 02, 2014 at 05:22:11PM -0400, Griffin Boyce wrote:
No, though I have two-factor authentication using a secure device
(not a cell phone), and I can't be vanned/rubber-hosed because I don't
actually know the password to my Google developer account. Some
of this does require trust
On 2014-05-02 20:35, Andrew Cady wrote:
On Fri, May 02, 2014 at 05:22:11PM -0400, Griffin Boyce wrote:
No, though I have two-factor authentication using a secure device
(not a cell phone), and I can't be vanned/rubber-hosed because I don't
actually know the password to my Google developer