[liberationtech] Satori - distributed tamper-resistant circumvention tools

[Griffin Boyce]

Nick wrote:
> Can you definitely not sign extensions with a private key?

   This is not an option available to any of my extensions or apps, 
unfortunately.  There's reference to it in the documentation, but I've 
never seen this as an option for apps or for my developer account.

> Could you then force the extension to check the key before updating
> itself? Probably not, it's probably well outside of the extension's
> control, and besides, if you're worried about an evil google, hey,
> they control the browser, so you've already lost.
> 
> Nick

   Walled gardens have issues, this is definitely true.

   I had a discussion with Google's Ryan Sleevi about adding the option 
to check SSL certificates against a hardcoded set [webrequest api hook], 
but they were clear that API access to the cert isn't going to happen.  
(This had been an ongoing discussion some time ago with others involved 
in circumvention).  They instead want people to rely on certificate 
pinning.  In Firefox, certificates can be accessed by extensions and 
checked against a list to detect MITM (CertPatrol being the most popular 
way to do this).  But it doesn't seem like this will ever really be an 
option for Google developers, which is a bummer.

> Tom Ritter wrote:
> Except if Google really wanted they could push down an update to
> bypass that.  It'd be more work though.

   It's true. But that at least limits the attack surface to just one or 
two parties, and as I said the change wouldn't go unnoticed.  I'm fairly 
paranoid about such things, particularly given that the project is 
intended as a pointed "fuck you" to the surveillance state. ^_^;;

> Anyway, I don't think any of this makes the extension worthless, far
> from it, I just wanted to understand the attacks possible for
> malicious extension update and for malicious google.  Thanks for your
> work!

Thanks for checking it out! ^_^

best,
Griffin