Slashdot Mirror

← Back to Stories (view on slashdot.org)

Yahoo Includes Private Key In Source File For Axis Chrome Extension

Posted by timothy on from the open-source-rocks dept.

Trailrunner7 writes "Yahoo on Wednesday launched a new browser called Axis and researchers immediately discovered that the company had mistakenly included its private signing key in the source file, a serious error that would allow an attacker to create a malicious, signed extension for a browser that the browser will then treat as authentic. The mistake was discovered on Wednesday, soon after Yahoo had launched Axis, which is both a standalone browser for mobile devices as well as an extension for Firefox, Chrome, Safari and Internet Explorer. ... Within hours of the Axis launch, a writer and hacker named Nik Cubrilovic had noticed that the source file for the Axis Chrome extension included the private PGP key that Yahoo used to sign the file. That key is what the Chrome browser would look for in order to ensure that the extension is legitimate and authentic, and so it should never be disclosed publicly."

85 comments

  1. Yeah... by Anonymous Coward · · Score: 3, Insightful

    ...this is the group of clowns I want developing my browser extensions for me. Amiright?

    1. Re:Yeah... by Jeremiah+Cornelius · · Score: 3, Interesting

      Getting this back? HAH! Put that toothpaste back in the tube, Yahoo!

      They also included the letter "A" from Adobe in the source. This is a bitch.

      Exhibit A: http://37prime.com/news/wp-content/uploads/2012/05/Yahoo-Axis.jpg

      Exhibit B: http://www.mobilemarketingwatch.com/wordpress/wp-content/uploads/2012/02/Adobe-Shakes-Up-Digital-Publishing-With-Embellished-Platform.png

      --
      "Flyin' in just a sweet place,
      Never been known to fail..."
    2. Re:Yeah... by localman57 · · Score: 5, Funny

      ...this is the group of clowns I want developing my browser extensions for me. Amiright?

      It'll be fine. They all have computer science degrees. They said so on their resumes.

    3. Re:Yeah... by cpu6502 · · Score: 1

      Not the same A. Close... but the bottom leg is different.

      --
      My AC stalker: " I personally agree with your posts most of the time, but that won't keep me from modding you troll"
    4. Re:Yeah... by Beardo+the+Bearded · · Score: 5, Funny

      ...this is the group of clowns I want developing my browser extensions for me. Amiright?

      Really?

      You didn't go with "bunch of yahoos"?

      --

      ---
      ECHELON is a government program to find words like bomb, jihad, plutonium, assassinate, and anarchy.
    5. Re:Yeah... by Anonymous Coward · · Score: 0

      ...this is the group of yahoos I want developing my browser extensions for me. Amiright?

      FTFY!

    6. Re:Yeah... by bobcat7677 · · Score: 1

      I hesitate to speculate on what's happening over at Yahoo. But whatever it is, it can't be good, and hasn't been good for a long time. The "new" yahoo mail is shiite. I used to use yahoo bookmarks to keep track of links wherever I might be...they "upgraded" that and now it's dog slow and won't even allow you to view bookmarks if you have more then a certain amount per folder. Completely useless. The Yahoo "toolbar" has caused problems with more computers then I can count. First thing I do when my friends/family bring me their "slow" computer is uninstall that crap. So far not one had said they actually used it. I could go on, but you get the idea. Lots of code, with no quality in sight.

    7. Re:Yeah... by Anonymous Coward · · Score: 1

      Nothing interesting has happened at Yahoo since before 2000. Of all the Old Internet firms to survive on inertia, Yahoo is the most significant. I had an old and fairly clueless friend who managed to get a senior admin position there on personal contacts, and they basically did fuck all but ride the wave.

  2. Can it be changed by Billly+Gates · · Score: 0

    Without breaking all the ad-ons? This will hurt Chromium browsers too if Google quickly changes the keys as ad-ons will break.

    Also what is the change of an ad on installing itself on a drive bye from this? Should I worry about this using Chrome?

    --
    http://saveie6.com/
    1. Re:Can it be changed by oakgrove · · Score: 3, Informative

      The cert is revoked and Chrome now says "This extension is blacklisted." when you try to install it.

      --
      The soylentnews experiment has been a dismal failure.
    2. Re:Can it be changed by errandum · · Score: 0

      The key is user-based and not browser based. It is used to identify you as the source of the material.

      It won't hurt anyone else other than yahoo.

    3. Re:Can it be changed by GerbilSoft · · Score: 4, Informative

      It's Yahoo's private key that was leaked, not Google's. Assuming Chrome's certificate system is reasonably decent, Yahoo should be able to publish a CRL to revoke that certificate and/or key, and then generate a new one.

    4. Re:Can it be changed by Anonymous Coward · · Score: 1

      The only thing that got leaked was Yahoo's private key, i.e. what is used to prove that the extension is made by Yahoo. So as long as you don't install any extensions that claim that they are made by Yahoo, you should be fine.

      Drive-by downloads/installation would be a separate issue with browser security. I have no clue if there are any exploits in the wild that allow this. (I would think that most of these would be malware installed on your computer that modified your Chrome installation as opposed to "visit a website, extension installed automatically").

    5. Re:Can it be changed by The+MAZZTer · · Score: 1

      Key signing is only a concern if you install addons from sources other than the Chrome Web Store. If you upload an app to the Chrome Web Store Google takes care of the key signing for you (you upload in a simple ZIP file and Google generates the signed CRX file for you).

      I THINK the purpose key signing is to ensure that updates to an extension are signed with the same key, but I'm not sure. Users are normally never notified about anything concerning the key used to sign any extension. At any rate whenever you install a new extension OR an update to an extension asks for new security permissions there's always a prompt you must agree to.

      So it's probably safe enough to NEVER install Axis until Yahoo releases a version that's signed with a new key. I think other extensions should be unaffected.

    6. Re:Can it be changed by Jawnn · · Score: 0, Troll

      Riiight. Think just a little bit longer/harder on that one.

    7. Re:Can it be changed by mcgrew · · Score: 5, Insightful

      Should I worry about this using Chrome?

      No, but you should worrry about using the Axix extension. If they're going to make a mistake that incredibly stupid, you'd be a fool to use it. What other gaping holes did they leave open?

      --
      Free Martian Whores!
    8. Re:Can it be changed by mwvdlee · · Score: 0

      Please explain instead of assuming you are right and we'll all see how right you are if only we were as smart as you.

      --
      Slashdot social media options: AIM, ICQ, Yahoo, Jabber and Mobile Text. Why no MySpace?
    9. Re:Can it be changed by localman57 · · Score: 5, Funny

      Please explain instead of assuming you are right and we'll all see how right you are if only we were as smart as you.

      My cousin was on crank for a while. One time he was tweaking for about 3 days straight. And about halfway through, his sentences sounded just like that.

    10. Re:Can it be changed by Anonymous Coward · · Score: 0

      He means user as in extension developer. I'm not sure why you got modded insightful.

    11. Re:Can it be changed by Anonymous Coward · · Score: 0

      Google public/private encryption. Last I checked Wikipedia was good.

      Ive tried to explain it to people in person before, some people get it within a minute or two, some ppl never do. I have no intention of beating my head against the wall trying to explain it to a user on slashdot. Go google it.

    12. Re:Can it be changed by mwvdlee · · Score: 1

      Yes, we all know how keys public/private keys work.
      But that doesn't explain how it can hurt anybody except Yahoo now that Google has revoked it.

      --
      Slashdot social media options: AIM, ICQ, Yahoo, Jabber and Mobile Text. Why no MySpace?
    13. Re:Can it be changed by localman57 · · Score: 4, Funny

      What other gaping holes did they leave open?

      Everyone is advised to be very, very careful what links they click on from this parent post. You guys know what I'm talking about....

    14. Re:Can it be changed by idontgno · · Score: 2

      How about, "It hurts users who have loaded extensions signed with Yahoo's private key, who now have to unload those extensions and find updated versions signed with Yahoo's new private key."

      Fer instance.

      BTW, "hurt" is the drama-queen way to express the impact. "Inconvenience" is more accurate. Both for Yahoo, and users who have trusted Yahoo's old signatures, as long as the revocation is effective and quick enough to prevent Yahoo-signed malware from getting a foothold.

      If that happens, the impact to users escalates beyond "inconvenience" to "big inconvenience" or "real hurt", depending on what gets compromised. "Big inconvenience" == your machine becomes part of a botnet. "Real hurt" becomes a keylogger that transmit your banking or other personal information to an online crim who strips your bank accounts and begins to use your identity fraudulently.

      --
      Welcome to the Panopticon. Used to be a prison, now it's your home.
    15. Re:Can it be changed by Sulphur · · Score: 1

      Please explain instead of assuming you are right and we'll all see how right you are if only we were as smart as you.

      My cousin was on crank for a while. One time he was tweaking for about 3 days straight. And about halfway through, his sentences sounded just like that.

      Is that why they call it crank; because words keep turning up like pedals on a bike?

    16. Re:Can it be changed by rrohbeck · · Score: 1

      So that's why there was a Chrome update last night? That was quick.

      --
      thegodmovie.com - watch it
    17. Re:Can it be changed by Anonymous Coward · · Score: 0

      What other gaping holes did they leave open?

      That's nothing, you should install the Goatse extension.

    18. Re:Can it be changed by X0563511 · · Score: 1

      Supposedly this is already done. ... at least on Google's end. I don't chrome, so I have no idea if this is a manual blacklisting or a CRL.

      --
      For large sets, this will be our guide even unto death, for the LORD will work for each type of data it is applied to...
    19. Re:Can it be changed by Billly+Gates · · Score: 1

      What other gaping holes did they leave open?

      Everyone is advised to be very, very careful what links they click on from this parent post. You guys know what I'm talking about....

      What like this one?

      --
      http://saveie6.com/
    20. Re:Can it be changed by Anonymous Coward · · Score: 0

      The only thing that got leaked was Yahoo's private key, i.e. what is used to prove that the extension is made by Yahoo. So as long as you don't install any extensions that claim that they are made by Yahoo, you should be fine.

      Drive-by downloads/installation would be a separate issue with browser security. I have no clue if there are any exploits in the wild that allow this. (I would think that most of these would be malware installed on your computer that modified your Chrome installation as opposed to "visit a website, extension installed automatically").

      Actually, the way the certificates work with Chrome is that each extension has its own pub/priv key pair, not each publisher. The exposure of this key would allow faked updates to the Axis extension, but not spoofing Yahoo has the publisher of a different extension.

    21. Re:Can it be changed by Anonymous Coward · · Score: 2, Informative

      No, Chrome polls for a list of blacklisted plugins every few hours. It's entirely independent of the browser updates.

  3. Not a mistake by Anonymous Coward · · Score: 0

    Think about all the free PR from all those signed extensions!

  4. "...but not so open that your brains fall out." by jeffb+(2.718) · · Score: 5, Funny

    That's how open your source should be.

  5. Poor Yahoo by alphax45 · · Score: 4, Funny

    I almost feel bad for them at this point. They are trying but can't seem to do anything to help themselves.

    --
    K Man
    1. Re:Poor Yahoo by Anonymous Coward · · Score: 1, Insightful

      I think this might go down as the moment where Yahoo? lost their last shred of credibility as a technology company. And it's not this one mistake that signals the end...it's the fact that I'm not that surprised by it. If it were Google or even Facebook I would be shocked. But Yahoo? Yeah, sounds about right.

      For a long time I've said that Yahoo? needs to forget the fact that they started as a search company. They're still a serious player in online display advertising and they own a lot of properties that are disproportionately valuable in terms of CPM. They should stop trying to come up with new doohickies and focus on what they do best - selling targeted advertising to major advertisers.

      It's a shame that they didn't hit the goldmine like google or fb did, but there's no point in letting the past get in the way of the opportunities of the moment. Yahoo could still be one hell of an ad network.

    2. Re:Poor Yahoo by Anonymous Coward · · Score: 1

      I tend to agree. What'll be key here is how well and how fast they fix & reduce this faux pas. That'll reflect true dev resources, and I'm not sure they have any.

      About a decade ago they tried to hire me. Big push to assemble a dream team of web developers, big offers with full perks already long vanished in the post-boom. The top-ordained plan was to hire all of the Names their devs respected, with serious funding and empowerment of their web staff thereafter.

      They'd figured out being second-place to Google wasn't a long-term survival plan, and that they'd have to scrap hard with Google for the first place in web development just to survive.

      Sounded like a good plan. Nothing ever came of it. They didn't get me, or any of the people I knew, and from the outside it didn't look like they did anything to empower their existing teams.

      There's just something culturally wrong with the place. Which, yeah is a shame because they're sitting on quite a pile of resources. That's quite a base for a company that really wants to use web development as their cutting edge. It'd be interesting to watch.

    3. Re:Poor Yahoo by virgnarus · · Score: 3, Insightful

      Nothing like what appears to be a genuine display of pity and compassion on a dying entity being modded up as "Funny". Certainly tells you how much of a laughingstock they are.

    4. Re:Poor Yahoo by Anonymous Coward · · Score: 0

      They should never have dropped their search engine...

    5. Re:Poor Yahoo by Sulphur · · Score: 1

      I almost feel bad for them at this point. They are trying but can't seem to do anything to help themselves.

      Maybe they should mob up with Time-Warner; its the only way to be sure.

    6. Re:Poor Yahoo by alphax45 · · Score: 1

      Thank you for seeing that I was trying to be genuine.

      --
      K Man
    7. Re:Poor Yahoo by alphax45 · · Score: 1

      Agree with you both and nice insight into why they might be in this mess.

      --
      K Man
    8. Re:Poor Yahoo by virgnarus · · Score: 1

      Yah, no prob. To be honest, no matter how big or small a business is, I always feel dismayed seeing it go down. It means jobs lost, investments sunk, and lives altered. Even worse if the company is just trying to honestly make ends meat and ends up losing out. Obviously it always a risk for those involved, and they are well aware of it, but it doesn't make the process any easier.

  6. Dumb question... by Reasonable+Facsimile · · Score: 1

    Will the exploit still work/exist after Yahoo releases a fix?

    1. Re:Dumb question... by MickyTheIdiot · · Score: 3, Informative

      Cert has been revoked according to above notes.

      So, no, it already doesn't work. It just shows someone truly had a bad day at Yahoo yesterday (and probably before that as well)/

    2. Re:Dumb question... by Reasonable+Facsimile · · Score: 1

      Cert has been revoked according to above notes.

      So, no, it already doesn't work. It just shows someone truly had a bad day at Yahoo yesterday (and probably before that as well)/

      Thanks (don't know how I missed that originally).

    3. Re:Dumb question... by Hotawa+Hawk-eye · · Score: 1

      Thanks (don't know how I missed that originally).

      That's what he said.

    4. Re:Dumb question... by rastos1 · · Score: 1

      Cert has been revoked ...

      At first I was wondering what does PGP (mentioned in TFS/TFA) have to do with certificates? Nothing. The file included was a .pem (PKCS private key). Another question is - wasn't the private key file protected with a passphrase?

  7. Oops by Anonymous Coward · · Score: 0

    Oops

  8. LMAO!!! by MickyTheIdiot · · Score: 0

    This is great.

    It's the final notice that every person with any competency has at Yahoo has left the building (with the fake CS degrees in tow).

  9. Exuberance by virgnarus · · Score: 5, Funny

    Did the hacker exclaim "Yahoo!" after he discovered it?

    1. Re:Exuberance by Anonymous Coward · · Score: 0

      http://www.youtube.com/watch?v=KJHN3XnnlBk&t=31s

    2. Re:Exuberance by ch-chuck · · Score: 1

      Maybe, but I'm sure the package maintainer at yahoo! definitely had an 'oh shit!' moment.

      --
      try { do() || do_not(); } catch (JediException err) { yoda(err); }
  10. Original by A+Friendly+Troll · · Score: 1, Informative

    Would it have been SO FUCKING HARD to link to the original, instead to a site that won't even load as I'm writing this?

    http://nikcub.appspot.com/posts/yahoo-axis-chrome-extension-leaks-private-certificate-file

  11. Re: by Anonymous Coward · · Score: 0

    This proves yahoo zombies eat braaaaaaiiiiiiiiinnnnssss

  12. Hi by Anonymous Coward · · Score: 3, Insightful

    Once again, THIS IS A BROWSER EXTENSION ON THE DESKTOP, and a FRONT END FOR MOBILE SAFARI.

    This is not a browser. This is NOT a BROWSER. FOR FUCK SAKES THIS IS NOT A BROWSER

    Hey, check out this brand new compiler I wrote! It's called yahoo_compiler.sh

        gcc $@

    pretty cool huh?

    1. Re:Hi by Anonymous Coward · · Score: 1

      pretty cool huh?

      No... It doesn't even work!

      $ cat yahoo_compiler.sh
      gcc $@

      $ cat hello\ world.c
      #include
      int main()
      {
      puts("Hello world\n");
      return(0);
      }

      $ ./yahoo_compiler.sh hello\ world.c
      gcc: hello: No such file or directory
      gcc: world.c: No such file or directory
      gcc: no input files

      You might want to use gcc "$@"

    2. Re:Hi by Anonymous Coward · · Score: 0

      So your saying that the yahoo_compiler was actually written by Yahoo?

    3. Re:Hi by Anonymous Coward · · Score: 0

      That should really be: gcc "$@"

  13. This was entirely preventable. No pity for cheapos by Anonymous Coward · · Score: 1

    This is exactly what happens when you hire too few senior level technicians.

    Yes, they are more expensive than their entry-level counterparts. But as stories like this one show, they are worth it.

  14. Absolutely gibberish article summary by Anonymous Coward · · Score: 5, Insightful

    Wake up editors:

    "Yahoo on Wednesday launched a new browser called Axis and researchers immediately discovered that the company had mistakenly included its private signing key in the source file, a serious error that would allow an attacker to create a malicious, signed extension for a browser that the browser will then treat as authentic"

    Okay, perfect so far.

    "The mistake was discovered on Wednesday, soon after Yahoo had launched Axis, which is both a standalone browser for mobile devices as well as an extension for Firefox, Chrome, Safari and Internet Explorer."

    I already knew the mistake was discovered on Wednesday, soon after Yahoo had launched Axis. This sentence does have some new information though.

    "Within hours of the Axis launch, a writer and hacker named Nik Cubrilovic had noticed that the source file for the Axis Chrome extension included the private PGP key that Yahoo used to sign the file. That key is what the Chrome browser would look for in order to ensure that the extension is legitimate and authentic, and so it should never be disclosed publicly."

    Yes, I know something happened within hours of the Axis launch. You already told me twice. You also already told me why it's bad that the key was available publicly.

    Here's a new summary:
    On Wednesday, Yahoo! launched a web browser called Axis, which is both a standalone browser for mobile devices and an extension for popular desktop browsers. Shortly after launch, a writer and hacker named Nik Cubrilovic noticed that the Chrome version of the extension mistakenly included the private PGP key that Yahoo used to sign the file. This file could be used to generate a malicious spoof version of the extension.

    Never mind the secondary-source quoting, which is also obnoxious.

    1. Re:Absolutely gibberish article summary by BattleApple · · Score: 5, Insightful

      I, for one, welcome our new anonymous summary-critiquing overlord

    2. Re:Absolutely gibberish article summary by Anonymous Coward · · Score: 0

      Yours is better. But any newsroom editor will tell you they'll take a good reporter/mediocre writer over a mediocre reporter/good writer.

      Substitute "article poster" for "reporter" and "Slashdot" for "newsroom", and there you go. Sometimes the rush to get the scoop takes its toll on the quality of the copy.

  15. "That little bitty ting. It's not the same." by Anonymous Coward · · Score: 1

    Vanilla Ice? Is that you?

    http://www.youtube.com/watch?v=1s0hEi8zhmg

  16. Removing Yahoo Axis by Anonymous Coward · · Score: 0

    Axis is horrible. I installed on Mac/Safari last night, and CANNOT remove it. There's no help/support/FAQ from Yahoo at all. I followed the steps from Apple to remove "Unsupported third-party add-ons" (here: http://support.apple.com/kb/TS3230?viewlocale=en_US&locale=en_US ) ... but since there's no HOT GARBAGE folder, I cannot locate where Axis is stored. (honestly though, I really cannot locate it, and I'm working on conditional CSS tweaks and that Yahoo turd is in my way.

    Searching for "Delete Yahoo Axis" doesn't have any results yet because we're early adopters. Here— I'll bring folks here with a dash of link-sauce, assuming someone will come-up with a solution... "Deleting Yahoo Axis" "Removing Yahoo Axis" "Uninstalling Yahoo Axis"

  17. Re:This was entirely preventable. No pity for chea by Anonymous Coward · · Score: 3, Funny

    Maybe they have a habit of hiring expensive people who claimed they were senior level in their resume?

  18. Cringe-worthy summary. by leftover · · Score: 1

    Although I did not RTFA I must comment that the summary was notably terrible in identifying what was compromised:
    "That key is what the Chrome browser would look for in order to ensure that the extension is legitimate and authentic, and so it should never be disclosed publicly."

    How about this:
    "The value of this key depends solely on everyone else trusting that only Yahoo knows it."

    --
    Bent, folded, spindled, and mutilated.
  19. Get your Senior Dev résumés to Yahoo by Anonymous Coward · · Score: 0

    Hi:

    I hear they're hiring.

    1. Re:Get your Senior Dev résumés to Yahoo by Genda · · Score: 1

      Uh, uh. uh... mustn't forget the firing!!!

  20. from hacker to researcher... by kj_kabaje · · Score: 1

    ah... how times change. Or is it now white-hat is a researcher and black-hat is a hacker?

  21. Quote mistake: Private vs. public key by Anonymous Coward · · Score: 1

    "Axis Chrome extension included the private PGP key that Yahoo used to sign the file. That key is what the Chrome browser would look for in order to ensure that the extension is legitimate and authentic, and so it should never be disclosed publicly."

    The Yahoo developer will never get it right by reading /. The public key is used by the browser to verify the extension. The private key is used to sign the extension, not to verify it. The private key is to never be shipped with the browser!

    1. Re:Quote mistake: Private vs. public key by Anonymous Coward · · Score: 0

      Interestingly, if you intend to develop an open source Chrome extension that exposes a public API, you'll find that you have to distribute the private key, because if people downstream use their own keys, the extension will get a different ID and it won't receive the messages intended for its API.

  22. Lesson from Crypto 101 class by hAckz0r · · Score: 0
    Never embed a private key in your application, ever. Did I mention never?

    No mater how you impliment it, someone is going to reverse engineer your app (for fun, or profit) and will discover your darkest of dark secrets. Once they find your key the game is over. There is no going back. Whatever that key is protecting is now open to a hackers delight field day worthy of its own Defcon capture the flag compitition. If you are lucky some nice grey-hat hacker will tell you before you get in too much trouble, if not, you are going to have one very bad day (or days) at the office. There are better ways to handle keys, don't act like a yahoo and take the time to learn how to do it right.

  23. Guess Yahoo fired (err let-go) 'expert' for... by Anonymous Coward · · Score: 0

    Guess Yahoo fired (err let-go) their in house experts for how public keys and private keys work. (bunch of dumb-asses). //gh

  24. Game Changer!!! by tunapez · · Score: 1

    My initial reservations to allowing these yahoos handle my browsing experience have been quashed. Only a luser wouldn't trust these 'professionals' with his\her datas.

    --
    Imagination drew in bold strokes, instantly serving hopes and fears, while knowledge advanced by slow increments...
  25. Amateurs by gweihir · · Score: 1

    As long as amateurs are responsible for making "professional" software, security is an illusion. Utterly pathetic, really.

    --
    Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
  26. How Chrome extension signing works by pspmikek · · Score: 4, Informative

    I'm not sure everyone understands exactly what this file is.

    When you create a Chrome extension, if you are not going to submit the Chrome extension to the store, you ask Chrome to package the extension. In this process, Chrome generates a private key. This key has nothing to do with identifying you as the author. It is only used so that you when you update the extension, you can package and sign it using the same key. Everyone has to keep a local copy of this key, because if you lose it, you can never update your extension. It appears Yahoo kept it in their build directory and accidentally packaged it.

    Having this private key allows you to build a Chrome extension that when installed overlays the existing Yahoo extension. This is because the private key is how Chrome uniquely identifies an extension.

    So yes, this was a dumb mistake. It would allow someone to create an add-on that when installed would overwrite the Yahoo Axis extension. To do this, you would need to create the extension and then convince someone to install it. But if you can convince someone to install it, you can convince them to install any Chrome extension.

    This was not giving away "Yahoo's private key," it was giving away "the private key that Chrome generated to allow Yahoo to sign their extension."

    There is the remote possibility that Yahoo used a real private key to sign their Chrome extension and not one generated by Chrome. If that's the case, everyone involved in the project should be fired.

    1. Re:How Chrome extension signing works by PuZZleDucK · · Score: 1

      You sound like you know what your talking about, but from the TP article: "Yahoo officials said that they are in the process of publishing a new, repaired extension".

      I don't think Yahoo would be admitting blame or Google revoking keys in Chrome if the key was not significant.

      --
      Can a person program a new solution to a problem? Why should anyone be able to stop such a thing? -Richard Stallman
    2. Re:How Chrome extension signing works by Anonymous Coward · · Score: 0

      Should you even have it in your build?

      You dont have some sort of security officer that signs the release candidate on a machine used for the signing that no-one else has access to?

      I am not in the security field but I have watched a few intrigue movies.

    3. Re:How Chrome extension signing works by Anonymous Coward · · Score: 0

      They would and they should. Leaking the private key for an extension means that anyone can update that extension with some random malware, for anyone who happens to have the old version of the extension installed. It doesn't compromise anything else, but that's bad enough.

      Yahoo will need to publish a new version of the extension using a new private key, but the old compromised one still needs to be disabled by revoking its key. Since the updated version is, by definition, a new extension and not an update to an old one, Yahoo pretty much have to admit what happened to explain why they can't use the regular update method.

    4. Re:How Chrome extension signing works by pspmikek · · Score: 1

      To add to what Anonymous posted below, what Google has essentially done is blacklisted the ID associated with that key.

      They want to be proactive and make sure noone else uses that key because any time a Chrome extension signed with that key is installed, it would always overwrite Yahoo Axis.

      Chrome keys are used to generate unique IDs for their extensions one key == one ID.

      They also blacklist IDs for things like malware.

      Blacklisting extensions is done by Mozilla as well based on IDs, only the Firefox IDs are generated by the developer of the add-on.

    5. Re:How Chrome extension signing works by pspmikek · · Score: 1

      This isn't really a code signing certificate, this is just a Chrome thing.

      What you're referring to is a certificate that a company pays hundreds or thousands of dollars for and gets from a company like Verisign (are they still in business?). This certificate needs to be treated with utmost care because anyone that gets it can sign an executable or other application saying that it came from a specific company.

      These certificates should NOT be used to sign Chrome extensions, because in the Chrome world you can only sign one extension for each certificate because the unique ID is based on a hash of the certificate.

      Firefox supports using these certificates to sign add-ons. That's why sometimes when you install Firefox add-ons, you see a company name in the install dialog.

  27. Dropping Axis faster than a Neo Zeon Terrorist... by Anonymous Coward · · Score: 0

    Too bad it doesn't default to a red color scheme, so I can drop it 3x faster. Especially since it's dog slow of Firefox...

  28. It's called and OpenPGP key. by MagicFab · · Score: 2

    OpenPGP, PGP and GnuPG / GPG are often used interchangeably - a common mistake.

    OpenPGP is technically a proposed standard although it is widely used.

    PGP is an acronym for Pretty Good Privacy, a computer program which provides cryptographic privacy and authentication.

    GnuPG is an abbreviation for Gnu Privacy Guard, another computer program which provides cryptographic privacy and authentication.

    gpg is the name of the binary executable file for GnuPG in Gnu/Linux- and Unix-nased operating systems.

    --
    Notepad specialist & FAT administrator, group training available
    1. Re:It's called and OpenPGP key. by Anonymous Coward · · Score: 0

      Funny that you were so pedantic about it, but didn't notice it's not a PGP key at all, but a PEM ASN.1 encoded RSA key.

  29. Allied browser? by Anonymous Coward · · Score: 0

    > Yahoo on Wednesday launched a new browser called Axis

    Where is the Allies browser when you need it?

  30. Yahoo sucks by akubot · · Score: 1

    One more piece of evidence that explains Yahoo's long, slow decline as a software enterprise.