[liberationtech] Satori - distributed tamper-resistant circumvention tools

Tom Ritter tom at ritter.vg
Sat May 3 05:14:35 PDT 2014


On 2 May 2014 17:22, Griffin Boyce <griffin at cryptolab.net> wrote:
>> Do chrome extensions have a private offline key you use to sign
>> extensions, to prevent malicious extension upgrades by Google/an
>> attacker who can middle SSL?
>
>
>   No, though I have two-factor authentication using a secure device (not a
> cell phone), and I can't be vanned/rubber-hosed because I don't actually
> know the password to my Google developer account.  Some of this does require
> trust that I have a secure signing/uploading environment.

This makes it harder for someone to compromise your account, but not
Google.  In the Android App store, it's a *little* stronger, as apps
are signed by a developer key, and they need that key to update.
Except if Google really wanted they could push down an update to
bypass that.  It'd be more work though.

Anyway, I don't think any of this makes the extension worthless, far
from it, I just wanted to understand the attacks possible for
malicious extension update and for malicious Google.  Thanks for your
work!

-tom


