Evan Martin (evan) wrote in evan_tech,

helvetireader and extending the web

Helvetireader is the first application I've seen to explicitly call out the Greasemonkey in Chrome work that Boodman and I did. It's a cute hack, too.

Lately Boodman's been thinking about extensions and autoupdate, so his first observation after "Cool!" was "...and it was implemented in the slowest and least secure way possible." The script basically injects a <link rel='stylesheet' ...> in the pages it wants to affect and it sources the CSS from the dude's site. This means you can't verify what code will actually be used when the script runs in the future.

There are two aspects that cause worry. One is that CSS can be a vector for attacks. My Googling attempts have mostly failed to find the current state of the world, but at some times some browsers have been known to execute JavaScript expressions from within CSS. Going back to LiveJournal attacks, the Firefox XBL change got LJ too.

The other, assuming the owner of that site doesn't end up attacking you (here's one attack I've seen: buy his domain name from him, then put a malicious file at exactly the same URL), is that HTTP is insecure. Historically people haven't cared much about this but it's become more of a problem now that laptops grab wifi from anywhere. (On the other hand, not even SSL will help casual users much if they learn to just click through man-in-the-middle dialogs.)

What's the lesson? I guess it's that you have to make being fast and secure easier than the alternatives if you want people to do it. Nobody, myself included, cares much about fast/secure when you're just making a hack.
Tags: chromium, hacking
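
An added example, not code from the original post or from Helvetireader: one way a user script could vet remotely hosted CSS before injecting it, covering the three worries above (content that can change after review, script-capable CSS, plain HTTP). The URLs, sample CSS and function names are constructed for illustration, and the pattern list is a conservative assumption, not a complete catalogue.

```javascript
// Added example: vet remotely hosted CSS before a user script injects it.
// Loads node:crypto whether this file runs as CommonJS or as an ES module.
const { createHash } = typeof require === 'function'
  ? require('node:crypto')
  : process.getBuiltinModule('node:crypto');

function sha256Hex(text) {
  return createHash('sha256').update(text, 'utf8').digest('hex');
}

// CSS features that have let a stylesheet run or pull in code in some browsers.
const ACTIVE_CSS = [
  { name: 'expression()', re: /expression\s*\(/i },         // old IE dynamic properties
  { name: 'behavior', re: /(^|[;{\s])behavior\s*:/i },      // IE HTC behaviors
  { name: '-moz-binding', re: /-moz-binding\s*:/i },        // Firefox XBL bindings
  { name: 'javascript: URL', re: /url\(\s*['"]?\s*javascript:/i },
  { name: '@import', re: /@import\b/i },                    // loads further, unpinned CSS
];

// Drop comments and resolve backslash escapes so neither can hide a keyword.
function normalizeCss(css) {
  return css
    .replace(/\/\*[\s\S]*?\*\//g, '')
    .replace(/\\([0-9a-f]{1,6})\s?/gi, (_, hex) => {
      const cp = parseInt(hex, 16);
      return cp === 0 || cp > 0x10ffff ? '\ufffd' : String.fromCodePoint(cp);
    })
    .replace(/\\(.)/g, '$1');
}

// Returns { ok, problems }; inject the stylesheet only when ok is true.
function vetCss(url, css, pinnedSha256) {
  const problems = [];
  if (new URL(url).protocol !== 'https:') problems.push('fetched over plain HTTP');
  if (sha256Hex(css) !== pinnedSha256) problems.push('differs from the reviewed copy');
  const flat = normalizeCss(css);
  for (const { name, re } of ACTIVE_CSS) {
    if (re.test(flat)) problems.push('active CSS: ' + name);
  }
  return { ok: problems.length === 0, problems };
}

// Constructed sample data: the pin is recorded when the CSS is reviewed.
const REVIEWED_CSS = 'body { font-family: Helvetica, Arial, sans-serif; }\n';
const PIN = sha256Hex(REVIEWED_CSS);
const SWAPPED_CSS = 'body { -moz-binding: url("https://other.example/x.xml#b"); }\n';

console.log(vetCss('https://css.example/reader.css', REVIEWED_CSS, PIN));
console.log(vetCss('http://css.example/reader.css', SWAPPED_CSS, PIN));
```

Bundling the CSS into the script itself removes the fetch entirely; the pin is for cases where the stylesheet has to stay remote.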