Thanks for raising this. I'll investigate that extension specifically, but also more generally... you have a good point.
I don't think that UI changes would be feasible here (where would we put the attribution?), but we should be doing a better job detecting issues and pulling these extensions from the store.
On Fri, Jun 9, 2017 at 4:35 AM Jonathan Garbee <jonatha...@gmail.com> wrote:
Currently there is a strong urge of using HTTPS for web sites which reveal to users that their data is being sent insecurely. For example, the insecure prompt when a password input is detected on HTTP. However, Chrome Extensions themselves are in an uncanny valley that doesn't seem to be getting looked at with the same eyes.
For example, Infinity New Tab is a Chrome Extension that is sending all user data over regular HTTP. Even worse, via GET requests. One example from looking at the Network Panel when logging in: `http://api.infinitynewtab.com/login.php?name=test@example.com&password=5f4dcc3b5aa765d61d8327deb882cf99&version=2`. The password here is hashed with a simple MD5. No salt. So unraveling it is trivial. Salt also would not help here since it is client-side and all clients would need to share the same salt. So attacking it would still be trivial.
Thanks for raising this. I'll investigate that extension specifically, but also more generally... you have a good point.
I don't think that UI changes would be feasible here (where would we put the attribution?), but we should be doing a better job detecting issues and pulling these extensions from the store.
On Fri, Jun 9, 2017 at 4:35 AM Jonathan Garbee <jonatha...@gmail.com> wrote:
Currently there is a strong urge of using HTTPS for web sites which reveal to users that their data is being sent insecurely. For example, the insecure prompt when a password input is detected on HTTP. However, Chrome Extensions themselves are in an uncanny valley that doesn't seem to be getting looked at with the same eyes.
For example, Infinity New Tab is a Chrome Extension that is sending all user data over regular HTTP. Even worse, via GET requests. One example from looking at the Network Panel when logging in: `http://api.infinitynewtab.com/login.php?name=test@example.com&password=5f4dcc3b5aa765d61d8327deb882cf99&version=2`. The password here is hashed with a simple MD5. No salt. So unraveling it is trivial. Salt also would not help here since it is client-side and all clients would need to share the same salt. So attacking it would still be trivial.
I'd like to consider something like Apple's App Transport Security policy: disallowing the use of non-secure transport from extensions, or treating the use of non-secure transport as a permission that the extension must request. (Perhaps we could use the latter as a way of phasing in the former.)
--
You received this message because you are subscribed to the Google Groups "Security-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email to security-dev+unsubscribe@chromium.org.
--You received this message because you are subscribed to the Google Groups "Security-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email to security-dev...@chromium.org.