Search Mailing List Archives


Limit search to: Subject & Body Subject Author
Sort by: Reverse Sort
Limit to: All This Week Last Week This Month Last Month
Select Date Range     through    

[liberationtech] Satori - distributed tamper-resistant circumvention tools

Griffin Boyce griffin at cryptolab.net
Fri May 2 14:22:11 PDT 2014


Tom Ritter wrote:
> I'm wondering about the update mechanism.
> 
> Do chrome extensions update over SSL? Is this update connection to
> google pinned, so you have to compromise a specific CA, instead of any
> CA?

   Chrome packaged apps update over SSL from a domain that has its 
certificate pinned.  Rather than compromising the CA (which is Google 
Internet Authority), it seems more likely that someone gets a bad copy 
of Chrome and is at a strong negative from the beginning.

   When testing from within Iran and within China, everything's been 
accessible and no tampering has occurred.  There are some serious 
economic incentives that work in our favor (and that's why this is for 
Chrome and not Firefox).

   But let's say that the person is being MITM'd for Chrome Web Store.  
There are a couple of solutions to this:

- Comparing software sha256 checksums from multiple sources to ensure 
they match.
- Install from a gpg-signed zip file instead of from the Chrome store. 
This is not ideal, since they need to know how to check signatures
- Downloading gpg keys, verifying web of trust, and then checking 
software signatures*

> Do chrome extensions have a private offline key you use to sign
> extensions, to prevent malicious extension upgrades by google/an
> attacker who can middle SSL?

   No, though I have two-factor authentication using a secure device (not 
a cell phone), and I can't be vanned/rubber-hosed because I don't 
actually know the password to my Google developer account.  Some of this 
does require trust that I have a secure signing/uploading environment.

best,
Griffin
gpg: 0x879bda5bf6b27b6127450a2503cf4a0ab3c79a63

* which aren't included, but will be this weekend




More information about the liberationtech mailing list