[unbehagen]

If it is a chrome extension and is installed via the Chrome Web Store, it can be updated silently in the background if I'm not mistaken. So in theory, wouldn't it be possible to serve Google with a NSL and force them to silently push a modified update to a targeted user that reveals the private key?

[davelesser]

This scenario has been reported to Google as a "bug". Google's response, as of the time of this writing, is:

  I don't have further comment for now, but we hear you :)

[opendais]

Ya, I'd build it myself if I wanted to rely on the security of it. We'd have no way to know if the source is the same in the Chrome Web Store as it is in the open source project sign we can't check the signature.