undefined | Better HN

0 pointssitkack6y ago0 comments

Even for extensions you trust, if their domain expires, it can be minutes later that it is pushing an update.

Actually ... Chrome extensions should have a trust policy wrt domain age, meaning a newly refreshed domain (via expiration) shouldn't be able to push an update for X days.

edit, forgot to mention that this applies to all plugin systems, many which provide vectors of attack against programmers, many of whom can affect global infrastructure.

So VSCode, IntelliJ, etc can be used to inject code into the client as well.

0 comments

5 comments · 2 top-level

dogma11386y ago· 3 in thread

Chrome extensions should be signed and should prevent updates of extensions if the new version was signed by a different from the one signed the current one until the user manually approves it.

ocdtrekkie6y ago

The problem is malicious actors will only buy the extension conditional on the author handing over the signing key as well.

jamieweb6y ago

Most users will click straight through the approval though, like when they granted it full permissions at install.

And is the signing actually effective anyway? There's very little mention of it online, and as far as I can see it isn't covered in the official guide for publishing extensions.

Is it even possible to have proper signing keys stored locally or air-gapped?

namibj6y ago

No, just straight up refuse unless the new signing key got approved by the old one. Hard-block. Why shouldn't it?

jamieweb6y ago

To be honest that problem exists for essentially any software that auto-updates.

You just have to hope that the built-in integrity checking (if any) works and is effective.

That's why I like software distribution methodologies that rely purely on signing to verify authenticity, rather than simply the location that it was downloaded from. I can technically use any old dodgy Apt mirror that I want, as long as I only accept packages signed by trusted keys.

As a side note, it's shocking how many software providers say that their downloads are 'integrity checked' just because they're served over HTTPS.

j / k navigate · click thread line to collapse