[cryptography] chromium: unconditionally downloads binary blob

Jeffrey Walton noloader at gmail.com
Wed Jun 17 09:06:21 EDT 2015


> <https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=786909>
>
> After upgrading chromium to 43, I noticed that when it is running and
> immediately after the machine is on-line it silently starts
> downloading "Chrome Hotword Shared Module" extension, which contains a
> binary without source code. There seems to be no opt-out config.
>
> that extension:
> - doesn't appear in the extension list;
> - is apparently used to provide an “ok google” voice activation stuff.
>
> The fact that Audio Capture Allowed is set to yes, and that both the
> extension and the shared module are marked as “enabled” are definitely
> bothering me...

I think that's more browser security model goodness.

All you need is a certificate because authentication = authorization.
It's entrenched in "powerful features" and "privileged contexts", which
are discussed at "Requirements for Powerful Features"
(http://www.w3.org/TR/powerful-features/). It includes things like
Credential Management, Bluetooth, Location Services, and Service
Workers (see section 3 for a more complete listing).

You may not even need an authentic certificate. Try intercepting it
and see if it still ships off your data to whoever answers.

The Java applet sandbox was ruined with "authentication =
authorization" thinking. It's to the point that authentic code should
*not* be signed so the applet cannot escape the sandbox. See
http://threatpost.com/javas-losing-security-legacy.

Jeff

