New issue
Advanced search Search tips
Note: Color blocks (like or ) mean that a user may not be available. Tooltip shows the reason.

Issue 596308 link

Starred by 1 user

Issue metadata

Status: WontFix
Owner:
Last visit > 30 days ago
Closed: Mar 2016
Components:
EstimatedDays: ----
NextAction: ----
OS: ----
Pri: 2
Type: ----



Sign in to add a comment

Cast Streaming extension being enabled and updated automatically over insecure channel

Reported by marek.se...@gmail.com, Mar 20 2016

Issue description

PRIVACY ISSUE
Chrome Canary automatically enabled (and I don't know when) Cast Streaming.
Extension, which is not listed in chrome://extensions or chrome://plugins.
Only mention I've found is in chrome://flags under title "Cast Streaming hardware video encoding"

When Chrome Canary is started, it automatically fetches latest version of CRX for Chrome Cast plugin over insecure HTTP protocol (see full wireshark dump lower).

Privacy issues from my POV:
1) Chrome Cast extension exists built-in and cannot be disabled by standard means
2) Update process is done over insecure HTTP protocol (information leak) 

VERSION:
Chrome Version:  51.0.2673.0 canary (64-bit) - and previous 
Operating System: OSX 10.10.5 latest patch level, 64-bit

REPRODUCTION STEPS
Start up chrome and watch firewall/network monitor to mention "http://redirector.gvt1.com/crx/blobs/..." URL

FULL Wireshark dump

GET /crx/blobs/QgAAAC6zw0qH2DJtnXe8Z7rUJP0swKAzb3KcuJ8GizR3XY3LLuJfiJzLNDj_ji1aWUDeGHBdIN_TAVFhwePtVA4WtATHAD1XXQqOLoQB6frm4jxTAMZSmuVI4WrvDCdq1yGoU2CXbR-tiHFe-Q/extension_5116_315_0_0.crx HTTP/1.1
Host: redirector.gvt1.com
Connection: keep-alive
DNT: 1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2673.0 Safari/537.36
Accept-Encoding: gzip, deflate, sdch
Accept-Language: en,cs;q=0.8

HTTP/1.1 302 Found
Date: Sun, 20 Mar 2016 10:12:22 GMT
Pragma: no-cache
Expires: Fri, 01 Jan 1990 00:00:00 GMT
Cache-Control: no-cache, must-revalidate
Location: http://r8---sn-2gb7ln7l.gvt1.com/crx/blobs/QgAAAC6zw0qH2DJtnXe8Z7rUJP0swKAzb3KcuJ8GizR3XY3LLuJfiJzLNDj_ji1aWUDeGHBdIN_TAVFhwePtVA4WtATHAD1XXQqOLoQB6frm4jxTAMZSmuVI4WrvDCdq1yGoU2CXbR-tiHFe-Q/extension_5116_315_0_0.crx?cms_redirect=yes&expire=1458483142&ip=80.250.30.162&ipbits=0&mm=31&mn=sn-2gb7ln7l&ms=au&mt=1458468620&mv=m&nh=IgphcjAxLnByZzAyKgkxMjcuMC4wLjE&pl=19&sparams=expire,ip,ipbits,mm,mn,ms,mv,nh,pl&signature=387559FD073A7BB457A3F85F481644E43CB89847.39AA73BA9FAE0C968F342C5372963A4432965005&key=cms1
Content-Type: text/html; charset=UTF-8
Server: ClientMapServer
Content-Length: 757
X-XSS-Protection: 1; mode=block
X-Frame-Options: SAMEORIGIN

<HTML><HEAD><meta http-equiv="content-type" content="text/html;charset=utf-8">
<TITLE>302 Moved</TITLE></HEAD><BODY>
<H1>302 Moved</H1>
The document has moved
<A HREF="http://r8---sn-2gb7ln7l.gvt1.com/crx/blobs/QgAAAC6zw0qH2DJtnXe8Z7rUJP0swKAzb3KcuJ8GizR3XY3LLuJfiJzLNDj_ji1aWUDeGHBdIN_TAVFhwePtVA4WtATHAD1XXQqOLoQB6frm4jxTAMZSmuVI4WrvDCdq1yGoU2CXbR-tiHFe-Q/extension_5116_315_0_0.crx?cms_redirect=yes&amp;expire=1458483142&amp;ip=80.250.30.162&amp;ipbits=0&amp;mm=31&amp;mn=sn-2gb7ln7l&amp;ms=au&amp;mt=1458468620&amp;mv=m&amp;nh=IgphcjAxLnByZzAyKgkxMjcuMC4wLjE&amp;pl=19&amp;sparams=expire,ip,ipbits,mm,mn,ms,mv,nh,pl&amp;signature=387559FD073A7BB457A3F85F481644E43CB89847.39AA73BA9FAE0C968F342C5372963A4432965005&amp;key=cms1">here</A>.
</BODY></HTML>

 

Comment 1 by battre@chromium.org, Mar 21 2016

Components: Platform>Extensions
Owner: lottie@chromium.org
Status: Assigned (was: Untriaged)
AFAIK, all extensions are fetched via HTTP but validated against a checksum that is provided via HTTPS. Assigning to lottie@ for triaging or routing.
To clarify, Cast streaming (used to stream captured tab content to ChromeCast devices) only happens when users explicitly start mirroring tab. Media router extension is whitelisted to use tab capturing and cast streaming. 


Comment 3 by lottie@chromium.org, Mar 22 2016

Status: WontFix (was: Assigned)
Cast streaming is hosted as a component on CWS that's why it's distributed via HTTP. Normal extensions in the Chrome Web Store (CWS) are distributed via HTTPS. CWS signs all CRX with the private key and Chrome will validate the downloaded CRX on client side with the public key to ensure integrity. So what you have observed is the expected behavior.

Hello, thanks, there are two issues in this report, Cast extension (or Media Router extension) being downloaded/updated and it being enabled automatically.

Is there any way to solve second part of the issue?
I'm not aware of any way I could disable / uninstall the Media Router / Cast extensions.

Thank you

Sign in to add a comment