by simoncion 3830 days ago
> Also, taviso popped up ... to repeat what he said on the report, and that the policy was followed.

...does that satisfy you, or are you still dissatisfied?

> ...they either need to upload the private key, or it will have a different id...

The documentation isn't 100% clear on what that means. What I would expect to happen is that the signed code package gets re-signed once by Google's systems, the ID changes, and then -just as long as you keep uploading with the same private key- that ID will remain the same. [0]

Notice how [1] mentions that you have to point to your locally-stored private key that was created back when you locally signed your Chrome Extension to package and publish updates? That wouldn't be required if Google's systems didn't check to make sure that the key that signed the current version of the package is the same as the one that signed the previous version. [2]

If they are re-signing already-signed Chrome extensions and _ignoring_ the dev-supplied signature, then that's really nuts, super squicky, and a rather dramatic departure from the entirely reasonable model that they use in Android.

I really doubt that they're doing that. That would make dev-held keys completely useless.

> ...update the extension, but don't publicize the issue.

Ah, I missed that. I should go caffeinate. :/

So, should Google have a possibly indefinite disclosure embargo period? Or maybe just have a policy of never putting any details at all into security bug reports?

> ...it's also okay for them to remotely remove extensions that pose a security risk.

You see that that removal from the store (or -assuming that they have the power to do so- remote removal from Chrome) is entirely and dramatically different from modifying uploaded code on behalf of the dev, right?

[0] The key phrase for me here is "This different ID might be a problem if you've distributed your extension package..." (Emphasis mine.)

[1] https://developer.chrome.com/extensions/packaging#update

[2] Or -obviously- if Google was making a show of checking, but that sort of subterfuge would be trivial to demonstrate and a huge breach of trust.
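Added worked example (not from the comment author or from Google's own code): the ID question above comes down to how Chrome derives an extension ID from the packager's public key. The ID is the first 128 bits of the SHA-256 of the DER-encoded SubjectPublicKeyInfo, written with each hex digit mapped to a letter in 'a'..'p'. The function below implements that derivation and checks the property the comment relies on: re-uploading with the same key yields the same ID, while a different key yields a different one. The two "keys" fed in are constructed byte strings standing in for real DER keys; the derivation itself does not care what the bytes are.

```python
import hashlib

# Chrome writes each hex digit of the truncated hash as a letter: 0 -> 'a' ... f -> 'p'.
_HEX_TO_ALPHA = str.maketrans("0123456789abcdef", "abcdefghijklmnop")


def chrome_extension_id(spki_der: bytes) -> str:
    """Derive a Chrome extension ID from a DER-encoded SubjectPublicKeyInfo.

    SHA-256 the public key, keep the first 128 bits (32 hex digits),
    and map every hex digit to 'a'..'p'. The result is the 32-letter ID
    that the store, the updater and the browser all use for the extension.
    """
    digest_hex = hashlib.sha256(spki_der).hexdigest()[:32]
    return digest_hex.translate(_HEX_TO_ALPHA)


def is_valid_extension_id(ext_id: str) -> bool:
    """An ID is 32 characters, each in 'a'..'p'."""
    return len(ext_id) == 32 and all("a" <= c <= "p" for c in ext_id)


def same_publisher(previous_key: bytes, new_key: bytes) -> bool:
    """True when an update is packaged with the same public key as the
    previous release, i.e. the derived ID does not change."""
    return chrome_extension_id(previous_key) == chrome_extension_id(new_key)


if __name__ == "__main__":
    # Constructed stand-ins for two different DER public keys (not real keys).
    dev_key = b"constructed-der-spki-for-developer-key"
    other_key = b"constructed-der-spki-for-a-different-key"

    first_release = chrome_extension_id(dev_key)
    update = chrome_extension_id(dev_key)       # same key re-used for the update
    rekeyed = chrome_extension_id(other_key)    # packaged with a different key

    print("first release ID:", first_release)
    print("update keeps ID: ", same_publisher(dev_key, dev_key))   # True
    print("new key keeps ID:", same_publisher(dev_key, other_key)) # False
    print("rekeyed ID:      ", rekeyed)
```

Because the ID is a pure function of the public key, a store that wanted to verify that an update comes from the same publisher only needs to compare the derived IDs (or, equivalently, the keys) of the old and new packages; an ID that changes between uploads means the package was signed with a different key.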

1 comment

> ...does that satisfy you, or are you still dissatisfied?

Like I said, I'm satisfied that it followed the policy. I don't fully understand why, though, and want clarification. I assume that if he'd found a usable exploit then he wouldn't have published it: note that until he posted, I was assuming he did find a usable exploit, and was arguing that that shouldn't have been disclosed, a position people disagreed with me on.

> So, should Google have a possibly indefinite disclosure embargo period? Or maybe just have a policy of never putting any details at all into security bug reports?

Their 90-day policy seems reasonable.

> You see that that removal from the store (or -assuming that they have the power to do so- remote removal from Chrome) is entirely and dramatically different from modifying uploaded code on behalf of the dev, right?

I only mentioned that as a way to remove the extension. I had assumed they could update an extension, and therefore thought they could replace an extension with one that does nothing.

I'm no longer sure. They could do with better documentation.