My SSL is being intercepted in Guest Mode- quick question


Mike Guest Mode

Sep 29, 2015, 12:06:53 AM
to Chromium OS discuss
Hi,

I'm currently talking to Google about this, but saw this might be a better place to ask. I have been targeted by a persistent advanced threat for some time which is far beyond me. That's why I started using Guest Mode on Chromebook. I was surprised to find my SSL was being intercepted here too. I could tell by visiting green Extended Validation websites. When the green bar is missing, it means my SSL is being intercepted (a nice lesson about it at https://www.grc.com/ssl/ev.htm ). Well, this bar is regularly missing from a number of EV websites like Symantec and others. I went to a broadband internet USB modem to isolate the environment further and the interception has continued.

Here is my question: my Chromebook is not in Developer Mode, it has just had the OS re-installed, and on the Settings / About Chrome OS page it has the following under Command Line:

/opt/google/chrome/chrome --enable-logging --gpu-sandbox-failures-fatal=yes --ppapi-flash-args=enable_hw_video_decode=1 --ppapi-flash-path=/opt/google/chrome/pepper/libpepflashplayer.so --ppapi-flash-version=19.0.0.185-r1 --ui-prioritize-in-gpu-process --use-cras --use-gl=egl --user-data-dir=/home/chronos --

To me this sounds like "allow logging and video while disabling the sandbox", so I can be spied on while in Guest Mode. Can anyone tell me what the references to enabling logging, the fatal failure of the sandbox and the video comments mean?




Mike Frysinger

Sep 29, 2015, 1:04:15 AM
to mikej...@gmail.com, Chromium OS discuss
erm, no, that's not what those mean.  guest mode in CrOS starts by creating a new empty profile entirely in RAM, and when you log out, that RAM is freed.  nothing is written to disk.

the logging flag controls internal log messages only.  you can read about it here:

i don't know why you think the sandbox is disabled.  the flash flag is merely to allow flash access to hardware acceleration rather than doing it in software.

if the device is in verified mode (i.e. dev mode is disabled), and you don't see warnings at power-on, then i highly doubt your guest mode sessions are being attacked by any persistent software.  and if you aren't getting cert errors, then your connection most likely is not being intercepted/modified either.

if you have any further concerns, please use the product forums instead:
-mike

--
Chromium OS discuss mailing list: chromium-...@chromium.org
View archives, change email options, or unsubscribe:
http://groups.google.com/a/chromium.org/group/chromium-os-discuss?hl=en


Mike Guest Mode

Sep 29, 2015, 2:13:54 AM
to Chromium OS discuss
Thanks for your quick reply. Regarding the interception, I can tell through the use of green Extended Validation SSL websites. If you go to a known green EV site and the green bar is missing, you know your SSL is being intercepted. Here is a good explanation of it: https://www.grc.com/ssl/ev.htm

I switched from my wired network behind a firewall to a mobile broadband USB internet stick, thinking that would help. It hasn't. My browsing while in Guest Mode continues to be intercepted. This is a picture I just took of https://protonmail.ch, which is a green EV SSL website which you can check out yourself. Here is what it looks like on my Chromebook in Guest Mode right now: IT IS MISSING THE GREEN EV BAR... so that means I'm being intercepted. This happens regularly, but not with forged certificates.



I am connected to the Internet via a broadband internet stick with no wifi. It is cellular. I believe that means it is either from the ISP or from inside my Chromebook (on which I just reformatted the OS and updated things in the last hour).


I can see the effects from the data leak and am just trying to isolate where it is coming from. It feels like my sandbox has been disabled and there is a backdoor allowing third party access to my data. On chrome://sandbox it tells me SUID Sandbox status is No. I think that is normal but wanted to let you know just in case.


Finally, when I check my chrome://device-log I see a USB device called SunplusIT which is an HD webcam listed there.

USBUser[21:31:34] USB device added: vendor=7119 "SunplusIT Inc", product=11367 "HD WebCam", serial="", guid=01FB7571-993C-4958-845D-3ED5BAA65E18



My questions are: How can I verify 100% my sandbox is working? I have only got my USB internet stick added to my Chromebook with a cellular connection, nothing else, yet the interception continues. 

So, for this interception to be happening, from what I know I can see three options (maybe you see more):

1) from inside my Chromebook (maybe I downloaded a malicious version of the OS to reformat my system from, or maybe someone in Google is providing a backdoor),
2) from my ISP intercepting my communication, or
3) DNS poisoning.

I think it is one of the first two, but would like advice on how to eliminate all from suspicion. As for the Google employee thing, as strange as it sounds, this is exactly how this opponent attacks targets: they find out your vendors and recruit employees to help access your data. I'm not saying it is the case, but is it even possible for someone inside of Google to control someone's Chromebook?

Additional question: 
Is it normal to see this HD webcam connected to my system via USB automatically during system start up? Is this the Chromebook's webcam just loading up? 

I would appreciate any and all guidance. Trying to defend yourself from people while they are intercepting your communication has been very challenging. 

Thank you. 
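As an added illustration (not code from this thread or from Chromium OS), a small Python parser for chrome://device-log lines in the format quoted above. It normalizes the decimal vendor/product numbers to the hex VID:PID form used by USB ID databases, replays add/remove events, and flags devices that are not on an allowlist of the hardware you expect to see at boot. Only the first sample line is from the post; the remaining lines and the "removed" event wording are constructed assumptions.

```python
import re
from typing import Optional

# Constructed sample log. Line 1 is the line quoted in the thread; the rest are
# made-up entries (including the "removed" wording, which is an assumption).
SAMPLE_LOG = """\
USBUser[21:31:34] USB device added: vendor=7119 "SunplusIT Inc", product=11367 "HD WebCam", serial="", guid=01FB7571-993C-4958-845D-3ED5BAA65E18
USBUser[21:40:02] USB device added: vendor=4660 "Example Vendor", product=22136 "Example Modem", serial="ABC123", guid=00000000-0000-0000-0000-000000000001
USBUser[21:45:10] USB device removed: vendor=4660 "Example Vendor", product=22136 "Example Modem", serial="ABC123", guid=00000000-0000-0000-0000-000000000001
some unrelated line that the parser should skip
"""

LINE_RE = re.compile(
    r'^USBUser\[(?P<time>\d\d:\d\d:\d\d)\] USB device (?P<event>added|removed): '
    r'vendor=(?P<vid>\d+) "(?P<vendor>[^"]*)", product=(?P<pid>\d+) "(?P<product>[^"]*)", '
    r'serial="(?P<serial>[^"]*)", guid=(?P<guid>[0-9A-Fa-f-]+)$'
)


def parse_line(line: str) -> Optional[dict]:
    """Parse one device-log line; return None for lines in any other format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    d["vid"], d["pid"] = int(d["vid"]), int(d["pid"])
    # Chrome logs decimal ids; USB ID lists (lsusb, usb-ids) use 4-digit hex.
    d["usb_id"] = f"{d['vid']:04x}:{d['pid']:04x}"
    return d


def parse_log(text: str) -> list:
    """Parse every recognised line, keeping log order."""
    return [e for e in (parse_line(l) for l in text.splitlines()) if e]


def currently_attached(events: list) -> dict:
    """Replay add/remove events; return devices still attached, keyed by guid."""
    attached = {}
    for e in events:
        if e["event"] == "added":
            attached[e["guid"]] = e
        else:
            attached.pop(e["guid"], None)
    return attached


def unexpected_devices(events: list, expected_ids: set) -> list:
    """usb_ids of added devices that are not on the allowlist of known hardware."""
    return sorted({e["usb_id"] for e in events
                   if e["event"] == "added" and e["usb_id"] not in expected_ids})
```

The built-in webcam from the post normalizes to 1bcf:2c67, which is what you would look up in a USB ID list; putting your machine's known devices in the allowlist turns the log into a simple inventory check.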

Mike Frysinger

Sep 29, 2015, 7:57:55 AM
to Michael Jarmana, Chromium OS discuss
the sandbox is not turned off.  Chromium has more than one type, and the page you describe just indicates which one.  there's a newer *more* secure implementation that doesn't require set*id to work.

practically speaking, it is not possible to inject a bad/custom upgrade of the OS.  we check everything for signatures.  if someone tried, the system would detect it and reject it.

obviously CrOS includes no backdoors.  but if you think that's a possibility, you're probably already far enough down the conspiracy trail where logic/assurances aren't sufficient.  if you don't trust Google, get your own copy of the source code, audit it yourself, and then build it yourself.

the USB web cam is always detected during boot and initialized.  that doesn't mean it's in use.  you'll get a little LED right next to the camera that turns on whenever that happens.

again, if you have further concerns, please post them to the product forum.
-mike