[liberationtech] Satori - distributed tamper-resistant circumvention tools
Tom Ritter
tom at ritter.vg
Sat May 3 05:14:35 PDT 2014
On 2 May 2014 17:22, Griffin Boyce <griffin at cryptolab.net> wrote:
>> Do chrome extensions have a private offline key you use to sign
>> extensions, to prevent malicious extension upgrades by google/an
>> attacker who can middle SSL?
>
>
> No, though I have two-factor authentication using a secure device (not a
> cell phone), and I can't be vanned/rubber-hosed because I don't actually
> know the password to my Google developer account. Some of this does require
> trust that I have a secure signing/uploading environment.

This makes it harder for someone to compromise your account, but not
Google. In the Android App store, it's a *little* stronger, as apps
are signed by a developer key, and they need that key to update.
Except if Google really wanted they could push down an update to
bypass that. It'd be more work though.

Anyway, I don't think any of this makes the extension worthless, far
from it, I just wanted to understand the attacks possible for
malicious extension update and for malicious Google. Thanks for your
work!

-tom