Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Private key in repository #101

Open
da2x opened this issue Feb 15, 2017 · 15 comments
Open

Private key in repository #101

da2x opened this issue Feb 15, 2017 · 15 comments

Comments

@da2x
Copy link
Contributor

da2x commented Feb 15, 2017

https://github.com/haystack/tipsy/blob/5d68566/chrome-extension/key.pem

This must be removed. A new key must be generated. Anything relying on this key must be resigned with an actual private key.

Chrome Web Store will not allow you to update the extension in the store with a different key. The current extension cannot be updated, so please distribute a notice to existing users on how they can manually remove the current extension and install a new replacement extension.

@rht
Copy link
Contributor

rht commented Feb 15, 2017

ACK

@karger
Copy link
Member

karger commented Feb 15, 2017

If I understand correctly, there's no way to replace the signing key in an extension---we have to make a new extension with a new signing key---and get all current users to switch, which will be a mess.

Might it make sense to publish a new extension with secret signing key, but continue to update both the old and the new as code evolves? Although really we only want the new to be visible in the app store---can we hide the old while still giving current users the benefit of updates?

@da2x
Copy link
Contributor Author

da2x commented Feb 15, 2017

I’d recommend you publish a new extension with a new signature.

When that is done, you publish one last update to the old extension with messaging and links to the new extension. Maybe add a data export and import option? In the update, change the name and icon of the extension. X icon and "Tipsy (delete this extension)" for the name. That way people would easily tell the difference between the new and old (that should be deleted) in their extension manager.

You MAY get another answer if you contact Google. If I remember correctly, then Google actually replaces your key with their own as part of the publishing process. If that is the case, you may be able to get them to accept a new key. However, as your extension has less than 100 000 users, I would not expect Google to be at all interesting in making special accommodations.

@da2x
Copy link
Contributor Author

da2x commented Feb 15, 2017

See also purging a file from your git repository's history. The damage is already done, but removing the key would still be a good idea.

@rht
Copy link
Contributor

rht commented Feb 15, 2017

If the course of action is to migrate the extension ID (refreshing the priv key), btw this sounds like a chance to bundle in some non-backward-incompatible changes (the storage db, for instance, while keeping the serialized data format intact).

If I remember correctly, then Google actually replaces your key with their own as part of the publishing process.

As much as this might the case, the generated priv key should still be derived from the uploaded .pem file. If I were google, I wouldn't put an extra rule (in a server that can be taken down) that allows patches such as to deny the old .pem and use the new .pem, yet in the end leaving the key field in the manifest file intact. It should be crypto from one end to another, as far as package signing is concerned. // Occam's razor

@tbranyen
Copy link
Member

tbranyen commented Feb 16, 2017

I've seen other extensions that are open source committing this key. Why exactly do we need to remove this? I understand privacy concerns, but what is the specific attack vector we are preventing by removing this key?

As far as I know Google has very strict publishing rights, so sure someone could sign and distribute a *.crx file as an imposter Tipsy, but they could do that already. Users should go through the Chrome webstore.

@karger
Copy link
Member

karger commented Feb 16, 2017 via email

@rht
Copy link
Contributor

rht commented Feb 16, 2017

(hmmm...one case: with DNS-spoofing, an attacker could redirect the user to a chrome webstore server with a correctly-signed-but-tampered package)

@da2x
Copy link
Contributor Author

da2x commented Feb 16, 2017

“The private key is used to sign each version of the extension and must be secured from public access. Be careful not to include your private key within your extensions!”
https://developer.chrome.com/extensions/packaging

@tbranyen
Copy link
Member

Okay this part is worrying:

Google Chrome automatically checks for extension updates by querying update URLs specified by
developers. If attackers can forge the DNS (domain name system) responses received by the browser,
they can force it to install a rogue digitally signed extension update from a server under their control.

Since we're dealing with payments, it makes sense to lock this down. 👍 Thanks for the explanation!

@da2x
Copy link
Contributor Author

da2x commented Feb 16, 2017

Signed extensions can’t be sideloaded, but they can be side-upgraded. Signed extensions can also access data from other extensions signed with the same key. (Not sure if this was only in dev or if this feature ever made it to public builds.)

@da2x
Copy link
Contributor Author

da2x commented Feb 16, 2017

I’m not being a dick on purpose. 😝
Private keys are private for a reason.

@tbranyen
Copy link
Member

Oh I understand completely, I just want to make sure we have an accurate understanding of why this key needs to be removed. It's easy to say something isn't secure because it's private, but that really doesn't mean anything unless there is a valid attack vector that can be exploited.

That said, we'll need a way to share this new key among contributors or make one person a BDFL to sign+publish.

@da2x
Copy link
Contributor Author

da2x commented Feb 16, 2017

Stick the key along with the Google-password in a LastPass account. Trusted developers can have access to it. Mind the bus factor.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

4 participants