This repository has been archived by the owner on Jun 12, 2024. It is now read-only.

e2e incompatible with Chrome Update functionality #46

Closed
koto opened this issue Dec 16, 2014 · 8 comments
Comments

koto commented Dec 16, 2014

From tjdzi...@gmail.com on June 04, 2014 03:47:13

Is this report about the crypto library or the extension?

The extension, conceptually.

What is the security bug?

If Chrome is configured to allow automatic updates, or if the user explicitly updates Chrome, Google can ship hostile binary code that will reveal the user's private key.

How would someone exploit it?

The government sends Google a National Security Letter or other such demand to send a hostile update to a user's computer, which will then send key material back to Google, who will then relay it back to the government.

Original issue: http://code.google.com/p/end-to-end/issues/detail?id=9

koto commented Dec 16, 2014

From evn@google.com on June 03, 2014 19:10:44

Hi!

I'm making this bug non-private, I hope you don't mind.

At the moment we are an open source project so this doesn't apply right now.

I don't have further comment for now, but we hear you :)

Labels: -Restrict-View-Commit

koto commented Dec 16, 2014

From evn@google.com on June 03, 2014 19:27:59

Status: Done

koto commented Dec 16, 2014

From tjdzi...@gmail.com on June 04, 2014 09:16:00

I don't understand why you closed this issue.

Being compelled by the government to issue hostile updates is the easiest and most likely attack vector against e2e. It's well documented that Google both complies with government demands at the expense of user privacy, and that the government interferes with Google services without Google's knowledge.

National-Security-Letter cryptanalysis is just as valid as mathematical cryptanalysis. End-to-End, operating within Chrome, is supremely vulnerable to this "attack". Simply ignoring it and pretending it is rather disingenuous, considering the public media statements supporting user privacy.

koto commented Dec 16, 2014

From tha...@google.com on June 04, 2014 16:06:51

We didn't say that this won't apply to the Chrome extension, which, however, isn't what we released yesterday.

Rest assured that we're aware of this problem, but please focus on the source code now.

koto commented Dec 16, 2014

From evn@google.com on June 05, 2014 12:36:52

Yes, we treat this concern very seriously.

I closed it because we aren't auto-updating any extensions (there's no CRX we are shipping that could be auto-updated).

koto commented Dec 16, 2014

From maciej.g...@gmail.com on June 05, 2014 23:47:15

If you treat this concern very seriously then IMO you should shut down this project as there is no way you can defend against the attack described while developing this code under US jurisdiction.

Basically you are just building a honeypot.

koto commented Dec 16, 2014

From evn@google.com on June 16, 2014 03:50:49

To avoid us losing track of responses to closed bugs, restrict adding comments to closed issues.

Please file a new bug if needed.

Labels: Restrict-AddIssueComment-CoreTeam

koto commented Dec 16, 2014

From evn@google.com on July 21, 2014 16:42:58

Labels: Type-Defect Priority-Low Component-Scripts Security

@koto koto closed this as completed Dec 16, 2014