How secure is Google Chrome Sign In?

I’ve been avoiding the Sign In feature for quite some time now, up until today, because security with major service providers, which are legitimate businesses and often not open-source, always seems to be tricky. I realized I couldn’t hold back any longer, though, because the temptation to use synced data — Chrome/Chromium syncs basically everything and lets you recreate your browser environment on just about any computer or mobile device with an Internet connection and a default browser configuration — was becoming very intense.

So I ran an extensive search on Google, but there were very few detailed results that would give you the dirt, mostly generalized statements about how secure or insecure it is. Luckily, though, some people wrote up excellent articles that answered my questions and made me feel confident that I can safely upload my personal data to the cloud.

The bottom line is that the Chrome/Chromium Sign In feature provides a very reasonable security model.

In short, the solution is to encrypt everything and to use a custom encryption passphrase, not your Google Account password, as the key. The Google Account password gets sent to Google periodically, which somewhat defeats the purpose: theoretically, unscrupulous or overly enthusiastic employees would literally have the key to your encrypted stash of private data and could read it if they really wanted to. Not cool.

To learn more, I highly recommend following these URLs and reading these wonderful articles:

  1. Comparing the Security and Privacy of Browser Syncing by Gregory Szorc of Firefox, who happens to work on Firefox Sync (this is exactly what I hoped to read, and a fresh publication too!)
  2. How to Optimize Google Chrome for Maximum Privacy by Chris Hoffman of How-To Geek.
  3. Google Chrome Leaking Credit Card Data? by Adam Caudill, a demonstration of why you need to encrypt everything, not just passwords.

Chromium: updating WebMoney Root Certificate and renewing your X.509 Personal Certificate

Just about a week ago I received an e-mail notification from WebMoney stating that my personal certificate was going to expire very soon and that I had to get it updated since "… the Certificate Authority Server of WebMoney Transfer system has been modified." This week was rather busy for me and I knew that it would take a while to get it done right, so I decided to postpone tackling this task. Until today. Today is a big catch-up day for all the things that were put on hold, on the to-do list, on the read-it-later list, and/or subjected to any other imaginable time management technique.

It took some time and a bit of poking around (as I expected), but the drill eventually comes down to these three commands:

% certutil -d sql:$HOME/.pki/nssdb -A -t "C,," -n new.wm.root.cert -i cert.wmtransfer.com_WebMoney\ Transfer\ Root\ CA.crt
% pk12util -d sql:$HOME/.pki/nssdb -i wmid-2800878xxxxx-expon_20120530.p12
% chromium-browser --auto-ssl-client-auth

To begin with, you have to install the new Root Certificate:

% certutil -d sql:$HOME/.pki/nssdb -A -t "C,," -n new.wm.root.cert -i cert.wmtransfer.com_WebMoney\ Transfer\ Root\ CA.crt

Then WebMoney generates a new X.509 Personal Certificate and asks you (on the web site) to back it up. I simply exported it (backed it up) via Firefox in *.p12 format: as of the day of this post WebMoney still doesn’t fully support Chromium, and it wouldn’t let me create a new X.509 Personal Certificate via its web interface while I was using Chromium, so I had to run Firefox to first set everything up there and then move on to having fun with Chromium. Anyway, at this point you need to get your X.509 Personal Certificate working with Chromium, and you do that by issuing the following command on your console:

% pk12util -d sql:$HOME/.pki/nssdb -i wmid-2800878xxxxx-expon_20120530.p12

Now try logging into the WebMoney Transfer System. Chances are your Chromium will fail. If this is the case, stop (close) Chromium and restart it with the --auto-ssl-client-auth command line option:

% chromium-browser --auto-ssl-client-auth

This should let your Chromium silently authenticate itself with the X.509 Personal Certificate to the WebMoney Transfer System.
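As an added example (not the post's own commands, although it wraps the three shown above), the following POSIX shell script runs the steps in order and, before launching Chromium, checks the NSS database with certutil -L: that the root was imported with a C flag in the SSL trust slot, and that a personal certificate with its private key is present. The file names and the WMID are placeholders, certutil and pk12util are assumed to be installed, and the "u,u,u" convention for imported user certificates is an assumption about pk12util's default behaviour. Without WM_SETUP_RUN=1 it only parses a constructed sample listing, so it can be read and run without touching the real database.

```shell
#!/bin/sh
# Added example, not part of the original post: the three-step WebMoney
# procedure wrapped in one script, with a verification step between
# importing the certificates and launching Chromium.
# Assumptions (hypothetical, adjust to your files): NSS tools (certutil,
# pk12util) are installed; the placeholder file names below are not the
# real ones from the post.
NSSDB="sql:$HOME/.pki/nssdb"
ROOT_NICK="new.wm.root.cert"
ROOT_CRT="${ROOT_CRT:-WebMoney_Transfer_Root_CA.crt}"   # placeholder path
P12_FILE="${P12_FILE:-wmid-PLACEHOLDER.p12}"            # placeholder path

# trust_flags LISTING NICKNAME
# Prints the trust-attribute column (e.g. "C,,") for NICKNAME from the text
# of `certutil -L`, or nothing if the nickname is absent. Nicknames may
# contain spaces, so the flags are taken as the last token and the nickname
# is what remains once that token and the surrounding whitespace are removed.
trust_flags() {
    printf '%s\n' "$1" | awk -v n="$2" '
        NF >= 2 && $NF ~ /^[CTcPpu,]*$/ {
            line = $0
            sub(/[ \t]+$/, "", line)
            line = substr(line, 1, length(line) - length($NF))
            sub(/[ \t]+$/, "", line)
            if (line == n) { print $NF; exit }
        }'
}

# is_trusted_ca FLAGS
# True when the SSL slot (first comma-separated field) carries C, i.e. the
# certificate is trusted to issue server certificates. "C,," deliberately
# leaves the S/MIME and code-signing slots empty.
is_trusted_ca() {
    ssl=${1%%,*}
    case "$ssl" in *C*) return 0 ;; *) return 1 ;; esac
}

# user_cert_present LISTING
# True when some entry carries "u,u,u", the flags pk12util assigns to a
# certificate whose private key is in the database (assumption: default
# pk12util behaviour).
user_cert_present() {
    printf '%s\n' "$1" | grep -Eq '[[:space:]]u,u,u[[:space:]]*$'
}

# Constructed sample of what `certutil -L -d sql:$HOME/.pki/nssdb` prints
# after both imports; the WMID is a placeholder.
SAMPLE_LISTING='Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

new.wm.root.cert                                             C,,
WebMoney Transfer Root CA                                    ,,
wmid-PLACEHOLDER-expon_20120530                              u,u,u'

run_procedure() {
    # 1. Trust the new root for SSL only.
    certutil -d "$NSSDB" -A -t "C,," -n "$ROOT_NICK" -i "$ROOT_CRT" || return 1
    # 2. Import the personal certificate and key from the PKCS#12 backup
    #    (pk12util prompts for the export password).
    pk12util -d "$NSSDB" -i "$P12_FILE" || return 1
    # 3. Check the database before touching the browser.
    listing=$(certutil -L -d "$NSSDB")
    flags=$(trust_flags "$listing" "$ROOT_NICK")
    is_trusted_ca "$flags" || { echo "root '$ROOT_NICK' not trusted (flags: '$flags')" >&2; return 1; }
    user_cert_present "$listing" || { echo "no personal certificate (u,u,u) in $NSSDB" >&2; return 1; }
    # 4. Only now launch Chromium with the option from the post.
    chromium-browser --auto-ssl-client-auth
}

# Dry run against the constructed listing; set WM_SETUP_RUN=1 to execute
# the real procedure.
if [ "${WM_SETUP_RUN:-0}" = "1" ]; then
    run_procedure
else
    echo "root flags: $(trust_flags "$SAMPLE_LISTING" "$ROOT_NICK")"
    user_cert_present "$SAMPLE_LISTING" && echo "personal certificate present"
fi
```

Two things worth knowing when adapting this: the -t "C,," trust string trusts the root only for SSL server certificates, leaving the S/MIME and code-signing slots empty, which is the narrowest setting that makes the WebMoney site validate; and --auto-ssl-client-auth is a process-wide Chromium switch rather than something scoped to one site, so starting the browser with it for the session that needs it, as the post does, is preferable to baking it into a permanent launcher.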

Some helpful bits of information (somehow there’s no man page for pk12util on Arch Linux):