Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Audit using CRX3 instead of CRX3_WITH_PUBLISHER_PROOF #20701

Closed
atuchin-m opened this issue Jan 26, 2022 · 2 comments
Closed

Audit using CRX3 instead of CRX3_WITH_PUBLISHER_PROOF #20701

atuchin-m opened this issue Jan 26, 2022 · 2 comments
Assignees
@atuchin-m
Labels
OS/Android Fixes related to Android browser functionality OS/Desktop QA/No security
Milestone
Closed / Dupe / I...

Comments

@atuchin-m
Copy link
Contributor

It was done 4 years ago in brave/brave-core#369

  1. What kind of crx is affected by this change? (component, extensions)
  2. If we revert it what will be broken?
  3. Do we use crx2 or crx3 for our components right now?
  4. Why does Google uses CRX3_WITH_PUBLISHER_PROOF for components? Just in case? At first sight for components the publisher is equal to the extension owner (Google) therefore checking the main signature should be enough.
  5. Is it complicated to add our publisher signature to the code in addition to google one?
  6. How to generate publisher signature? Looks like https://github.com/ahwayakchih/crx3 can't add a publisher proof.

Slack discussion: https://bravesoftware.slack.com/archives/C8MP8ME4C/p1643116065059900

Related issue: #873
@atuchin-m atuchin-m added security OS/Android Fixes related to Android browser functionality OS/Desktop labels Jan 26, 2022
@atuchin-m atuchin-m self-assigned this Jan 26, 2022
@atuchin-m
Copy link
Contributor Author

atuchin-m commented Jan 26, 2022
edited
Loading

  1. Only components are affected. For extensions, publisher proof checking is enabled. To make sure I repacked an extension from Chrome Store - it can't be installed in Brave with the error crx_required_proof_missing(see the screenshot)

  2. All of our components will stop installing/updating. If we use some Google components as it - they will work.

  3. CRX3. CRX2 support was removed in 2019.

  4. They did it in a bunch for all systems using CRX. Reason: a possible SHA-1 collision (which get the possibility for an attacker to make a valid extension with the given id, but different public_key/content)

  5. We should add 2 simple patches:
    a) add a public key hash here;
    b) add found_publisher_key = found_publisher_key || key_hash == brave_publisher_key here.

  6. I can't find any tool to do in out-of-the-box, but it should be simple: to add one more item with signature to the protobuf message.

Also, components can be installed only from browser code by downloading it from the backend over HTTPS (extensions can be installed using a filesystem or other untrusted sources).
Therefore to replace the content not only SHA-1 collision is required but also the ability to modify HTTPS traffic.

crx_required_proof_missing

Test file: https://github.com/brave/brave-browser/files/7941406/crx3_from_chrome_store_without_publisher_proof.crx.zip

@atuchin-m
Copy link
Contributor Author

The code to generate a publisher proof will be added in #873

@atuchin-m atuchin-m added this to the Closed / Dupe / Invalid milestone Feb 3, 2022
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@atuchin-m atuchin-m

Labels
OS/Android Fixes related to Android browser functionality OS/Desktop QA/No security
Projects
None yet
Milestone
Closed / Dupe / Invalid
Development

No branches or pull requests
1 participant
@atuchin-m