On Sun, May 04, 2014 at 10:51:40AM -0400, Nick wrote:
> Quoth Andrew Cady:
> > On Sat, May 03, 2014 at 12:35:39PM -0400, Nick wrote:
> > > if you're worried about an evil google, hey, they control the
> > > browser, so you've already lost.
> >
> > I use Chromium and update it through my distro, so
On 2014-05-04 01:02, Nick wrote:
https://developer.chrome.com/extensions/crx is the documentation
that mentions the signing. There are a couple of scripts there that
will create a signed .crx file. I also wrote one a while ago[0].
I don't know how crx files integrate with Google's developer acco
Quoth Andrew Cady:
> On Sat, May 03, 2014 at 12:35:39PM -0400, Nick wrote:
> > if you're worried about an evil google, hey, they control the
> > browser, so you've already lost.
>
> I use Chromium and update it through my distro, so no, Google
> does not control the browser (/usr/bin/chromium).
M
On Sat, May 03, 2014 at 12:35:39PM -0400, Nick wrote:
> if you're worried about an evil google, hey, they control the
> browser, so you've already lost.
I use Chromium and update it through my distro, so no, Google
does not control the browser (/usr/bin/chromium). But they do,
still, control the
On Sat, May 03, 2014 at 02:51:43PM -0400, Nathan Freitas wrote:
>
> On May 2, 2014 8:46:08 PM EDT, Griffin Boyce
> wrote:
>
> > On 2014-05-02 20:35, Andrew Cady wrote:
> >
> > > On Fri, May 02, 2014 at 05:22:11PM -0400, Griffin Boyce wrote:
> > >
> > > > I can't be vanned/rubber-hosed because I do
Nathan Freitas wrote:
Automated distributed deterministic build comparisons FTW!
Seriously, it seems like we are pretty close with such a thing for
Android APKs, so perhaps Chrome extension bundles could be added to
the list, as well.
That sounds pretty awesome :D Apps and extensions are .c
Quoth Griffin Boyce:
> Nick wrote:
> >Can you definitely not sign extensions with a private key?
>
> This is not an option available to any of my extensions or apps,
> unfortunately. There's reference to it in the documentation, but
> I've never seen this as an option for apps or for my develop
On May 2, 2014 8:46:08 PM EDT, Griffin Boyce wrote:
>On 2014-05-02 20:35, Andrew Cady wrote:
>> On Fri, May 02, 2014 at 05:22:11PM -0400, Griffin Boyce wrote:
>>
>>> No, though I have two-factor authentication using a secure device
>>> (not a cell phone), and I can't be vanned/rubber-hosed be
Nick wrote:
Can you definitely not sign extensions with a private key?
This is not an option available to any of my extensions or apps,
unfortunately. There's reference to it in the documentation, but I've
never seen this as an option for apps or for my developer account.
Could you then
Quoth Tom Ritter:
> This makes it harder for someone to compromise your account, but not
> Google. In the Android App store, it's a *little* stronger, as apps
> are signed by a developer key, and they need that key to update.
> Except if Google really wanted they could push down an update to
> by
On 2 May 2014 17:22, Griffin Boyce wrote:
>> Do chrome extensions have a private offline key you use to sign
>> extensions, to prevent malicious extension upgrades by google/an
>> attacker who can middle SSL?
>
>
> No, though I have two-factor authentication using a secure device (not a
> cell p
On 2014-05-02 20:35, Andrew Cady wrote:
On Fri, May 02, 2014 at 05:22:11PM -0400, Griffin Boyce wrote:
No, though I have two-factor authentication using a secure device
(not a cell phone), and I can't be vanned/rubber-hosed because I don't
actually know the password to my Google developer acc
On Fri, May 02, 2014 at 05:22:11PM -0400, Griffin Boyce wrote:
> No, though I have two-factor authentication using a secure device
> (not a cell phone), and I can't be vanned/rubber-hosed because I don't
> actually know the password to my Google developer account. Some
> of this does require tr
Tom Ritter wrote:
I'm wondering about the update mechanism.
Do chrome extensions update over SSL? Is this update connection to
google pinned, so you have to compromise a specific CA, instead of any
CA?
Chrome packaged apps update over SSL from a domain that has its
certificate pinned. Rath
On 2 May 2014 11:00, Griffin Boyce wrote:
> Also open to ideas about how I'm screwing this all up or am
> failing to account for Threat Model X.
I'm wondering about the update mechanism. As I understand it, some
scenarios are:
1) You bake in SHA256 hashes of software, with links to the bundles.
Hey all,
So lately I've been obsessively working on a project to get software
into people's hands and make it easy for them to see whether it's been
tampered with in-transit.
Code: https://github.com/glamrock/satori (download the zip)
App:
https://chrome.google.com/webstore/detail/satori/o