[liberationtech] Satori - distributed tamper-resistant circumvention tools
Griffin Boyce
griffin at cryptolab.net
Fri May 2 14:22:11 PDT 2014
Tom Ritter wrote:
> I'm wondering about the update mechanism.
>
> Do chrome extensions update over SSL? Is this update connection to
> google pinned, so you have to compromise a specific CA, instead of any
> CA?
Chrome packaged apps update over SSL from a domain that has its
certificate pinned. Rather than compromising the CA (which is Google
Internet Authority), it seems more likely that someone gets a bad copy
of Chrome and is at a strong negative from the beginning.
When testing from within Iran and within China, everything's been
accessible and no tampering has occurred. There are some serious
economic incentives that work in our favor (and that's why this is for
Chrome and not Firefox).
But let's say that the person is being MITM'd for Chrome Web Store.
There are a couple of solutions to this:
- Comparing software sha256 checksums from multiple sources to ensure
they match.
- Install from a gpg-signed zip file instead of from the Chrome store.
This is not ideal, since they need to know how to check signatures
- Downloading gpg keys, verifying web of trust, and then checking
software signatures*
> Do chrome extensions have a private offline key you use to sign
> extensions, to prevent malicious extension upgrades by google/an
> attacker who can middle SSL?
No, though I have two-factor authentication using a secure device (not
a cell phone), and I can't be vanned/rubber-hosed because I don't
actually know the password to my Google developer account. Some of this
does require trust that I have a secure signing/uploading environment.
best,
Griffin
gpg: 0x879bda5bf6b27b6127450a2503cf4a0ab3c79a63
* which aren't included, but will be this weekend
More information about the liberationtech
mailing list