
SSH client in Google Chrome - Garbage
https://chrome.google.com/webstore/detail/secure-shell/pnhechapfaindjhompbnflcldabbghjo?
======
jwr
This is exactly what I've been waiting for!

The ability to take my critical secret information into a huge, buggy,
extensible, unaudited, complex and constantly changing browser environment!
Who could resist?

This will also inspire innovators world-wide. Look at it this way: we can now
find novel ways to steal passwords, secret keys, log sessions, access servers,
sneak in trojans.

Count me in.

~~~
eliben
I'm saddened by the recent shift of HN discussions to Reddit-isms. For Reddit,
we have Reddit. Please, stop wasting others' time.

~~~
hosay123
It is unfair to label this poor quality, the author clearly describes a
problem with moving a security tool like SSH into the browser.

Despite Chrome being speedily updated when _known_ security problems are
discovered, the attack surface compared to a dedicated client is huge: the
2-decade-old /usr/bin/ssh + /usr/bin/xterm combo has no concept of a DOM, does
not share computing interfaces available to untrusted users (e.g. shared web
workers), cannot receive messages from untrusted frames (postMessage()),
cannot even be addressed by untrusted content
(chrome://path/to/trusted/script), does not almost transparently expose ring0
drivers (OpenGL), does not have thousands of LOC on subsystems with little
battle testing (WebRTC) and so on.

Of course these features are thought to be secure, until they are discovered
in the midst of a Stuxnet type scenario and suddenly everyone is patching like
crazy. Wasn't Java considered invulnerable only 2 weeks ago? Look at what
changed - somebody noticed it wasn't long after tens of thousands of
infections already occurred, and today it is on every browser's plug-in
blacklist. I can't recall the last I read about xterm in the Pwn2Own contest,
or any 0-day in the past decade, nor can Google accidentally DoS my xterm
because their sync service is down (happened last month).

Following from the truism that the fastest, most bug-free code is code that
doesn't exist, the easiest way to reduce exposure to unknown attacks is to
_minimize the amount of code running_. Security design 101. Using something
with the complexity of a web browser to render an 80x25 vector used to
administer potentially hundreds of thousands of machines is almost the
antithesis of good protocol.

~~~
VikingCoder
Do most people run ssh and xterm on a bare-bones OS, or are they running on a
full OS stack?

An OS that they may or may not update frequently.

An OS that they may or may not be logged into as an admin.

An OS that may have a keylogger running on it.

I think running SSH (or Chrome Remote Desktop) from a Chromebox is a pretty
good way to have that minimal OS that is updated frequently, without admin
privileges, with a lower risk of a keylogger. That I have to use two-factor to
log into, even if my device is stolen.

~~~
ramayac
What do you think about using a js-keylogger via a malicious Chrome extension,
could that be a plausible scenario?

~~~
VikingCoder
Sure, absolutely.

If you don't want the risk, don't install extensions you don't fully trust.
Just like any applications or services on your desktop.

------
fatbird
What a fantastic way to get people to give you the private key and tell you
what host it's for.

~~~
Firehed
I'm not about to install that extension and find out myself as that could
cause some... serious problems... but that was my first thought as well.
What's to stop this from doing something nefarious? Its sandboxing privileges
are not remotely clear from what's in the app store, and I don't see of any
reasonable way to contain what it can and cannot do.

Granted this is equally a problem with any terminal emulator that you didn't
compile yourself after examining the source code, but I have quite a bit more
faith in Apple and the various Linux repo maintainers than some random guy
publishing to the chrome app store. I don't know if Google even _claims_ to
vet its contents, but if they do I know they do a terrible job because I've
ripped open some extensions to confirm they're doing some sketchy stuff
(nothing insecure or worrying, more like adding affiliate links to your entire
browsing experience)

~~~
kwn11
This is not some random guy publishing on chrome app store. This app is
officially developed by Google.

~~~
GauntletWizard
Not only that, it's an official part of our Oncall toolkit. I've got coworkers
for whom a chromebook is now the primary (and only) laptop, even when oncall.

~~~
riffraff
what else is there? I don't remember hearing about this "oncall toolkit"
before and I'm fairly curious.

~~~
GauntletWizard
Nothing that matters; Everyone needs to carry around their corporate laptop,
one-time-password token, and have configured VPN and ssh clients. The rest
varies by team and job role.

------
christiangenco
THIS IS AWESOME

I can now officially be productive on any computer running Chrome. Preferably
one with caps lock remapped to escape.

~~~
meaty
Yes: just like before with PuTTY or OpenSSH...

~~~
esteth
Except now you don't need to go install programs on someone else's computer if
they have chrome installed.

~~~
meaty
No you don't for PuTTY at least. You can download the exe and stick it on the
desktop or in the user profile directory.

------
martinp
Previous discussion: <http://news.ycombinator.com/item?id=3910649>

------
millstone
Gave it a try. I find the interface to be very confusing. For example, the
opening screen has a button with text "[Del] Delete", but hitting the Delete
key instead takes me back to the previous page instead of deleting anything,
and clicking it doesn't do anything.

It took me a while to figure out how to get it to try to make a connection -
even though it says "Enter" you actually have to press Enter twice.

It then took me to a page with a link to the FAQ, which I tried to click on,
but the link was not clickable. Also, the clipboard behavior is incredibly
irritating: selecting any text automatically copies it to the clipboard with a
giant SELECTION COPIED popup. It's also inconsistent: double clicking anywhere
flashes the same SELECTION COPIED, which turns out to be a lie. It doesn't
actually modify my clipboard in this latter case. And when I actually hit
Cmd-C, it unselects my selection (WHY?)

(The FAQ claims I can "disable this by setting the copy-on-select preference
to false, but I wasn't easily able to find a place for preferences. After some
hunting, I found that I have to control click on the app from Chrome's "Apps"
page to disable this.)

Anyways it's been hung at "Loading NaCl plugin..." for the last ten minutes.
Either it takes a long time to load, or I don't have the NaCl plugin
installed, and so it just decided to hang instead of tell me. I tried to
install it by googling "NaCl", and found the link
<https://developers.google.com/native-client/>. Clicking "Get Started" tells
me to download an SDK and work through the "Getting Started Tutorials." All
this for an SSH connection?

Anyways, it was overall a frustrating and confusing experience. I've now got
four identical connection entries, none of which I can figure out how to
delete, and none of which ever successfully connected to anything. Argh.

~~~
oakwhiz
That's odd, it loaded up almost immediately for me, with little effort on my
part.

------
RRRA
So uhm, how does it handle sockets?

I'm thinking of writing some kind of p2p as a webapp that would be universal
but right now it seems my best option is webRTC that, if I understand what
I've read correctly, will require a complete handling of the streams on a
server...

EDIT: Or how does NaCl differ from FirefoxOS goals and why?

~~~
est
By using this

<http://developer.chrome.com/apps/socket.html>

I played with this API for a few days and here are my conclusions:

1\. the socket.listen can not handle much concurrency. It's very easily DoS'd

2\. javascript String and ArrayBuffer is PITA to mess with. I tried to write a
partially working HTTP/1.1 server, all the encodings and string parsing made
me give up.

3\. calback style programming is the new GOTO

~~~
jrockway
You can use Dart instead of Javascript.

------
elktea
Can't even _look_ at the extension using Firefox. Nice work Google.

~~~
jrockway
The description page loads fine for me in Iceweasel 10.0.0.2 on Debian
unstable. (Iceweasel is Debian's fork of Firefox.)

Perhaps you have Javascript blocked or something like that?

~~~
LukeShu
Confirming that it also works in Iceweasel-libre 18.0.1-3 on Parabola.
(Iceweasel-libre is Parabola's fork of Debian's fork of Firefox)

------
arb99
Ideal for use on chromebooks. Looks like it has been around for quite a long
time too (91k users)

~~~
piinbinary
I'm curious: Is there any use case for this beyond Chromebooks?

~~~
andrewguenther
It is a nice alternative to Putty on Windows

~~~
christiangenco
Yeah, I've yet to find a good terminal on Windows.

------
Garbage
Secure Shell FAQ -
[http://git.chromium.org/gitweb/?p=chromiumos/platform/assets...](http://git.chromium.org/gitweb/?p=chromiumos/platform/assets.git;a=blob;f=chromeapps/hterm/doc/faq.txt)

------
brasic
I wish this app could register itself as a handler for the ssh:// uri scheme
[1].

[1] <https://www.iana.org/assignments/uri-schemes/prov/ssh>

------
zyc
Is this news? I have been using this for 6 months.

~~~
schappim
Ditto. It's a great alternative to iTerm when not at my Mac.

------
etherealG
how different is the actual security here from running chrome on a machine
with the same private keys? is the sandboxing any less secure protecting
extensions from each other as from the native os underneath chrome?

------
jjcm
Seems like it doesn't override the browser's basic keyboard shortcuts, some of
which are heavily used in a terminal (ctrl+w for instance). I'd probably give
it a run in place of putty if it werent for this.

~~~
meaty
That's because it's simply the wrong tool for the job. Stuff like this is a
deal breaker either for the terminal or the browser model.

Keep using PuTTY

~~~
BitMastro
It's just another tool.. If you're comfortable with PuTTY keep using it,
nobody is stopping you.

I believe having another option could be handy.

------
pjmlp
Browser plugins?

No thanks, the browser is for documents. No need to install security holes.

~~~
recursive
1997 called.

~~~
pjmlp
And it feels like sunshine.

------
of
I usually have multiple PuTTY windows open to a couple different servers. I
wish it was easier to have multiple SSH sessions going with this extension.

------
guilloche
If it is native-client, then it doesnot need to install. Why not just give us
an url? I do not want this extension to pollute my chromium.

------
niels_olson
How does this compare to anyterm? I understand one's client-side and one's
server-side, but aren't they both rather exposed?

------
jlgreco
From the reviews: _"Aside from the odd quirks with using Ctrl+W on bash,
emacs, or vim..."_

Sounds like fun. ;)

~~~
tonfa
Right-click, "Open as window". And voilà all your shortcuts.

~~~
JesseObrien
Thank you, this was bothering me as well but I guess I never thought to right
click. :)

------
shazam
I've been using this for some time already

------
pla3rhat3r
Hell to the yes!

------
martinced
I realize this is convenient for people running Chrome on OS X but...

The way I surf is simple: Chrome is installed from the _.tgz_ and certainly
_not_ from the _rpm_ or _deb_ files (simply put: I don't need to be root to
install Chrome and Chrome is confined to a single user account).

The account I use for surfing is _separated_ from the account from which I use
SSH to access SSH servers.

Should someone "root" Chrome while I surf the Web, he'd still need to find
what is called a "local root exploit" to access what's in the other user
accounts (for example, but not limited to, SSH keys).

I think there's no way that, for me, moving SSH _inside_ the browser would
provide me more security than having Chrome _not_ doing SSH and being in a
separate (throwaway) user account. It seems to be, once again, trading
conveniency in the name of security. I don't doubt it fits Google's plan to
make Chrome the OS that said and so they'll of course tell you: "Nothing to
see here, move along".

Another concerning thing, depending on how it's done, it's that the potential
to mount a "mocking bird" attack may be strong on this one. Mocking birds
attack tend to not work well when you use MagicSysRQ to emit a keypress
bypassing X, sending you to a text console, and doing your SSH magic.

I realize security is a pain, but it would be great if people could still
criticize quite critical security issues on HN without having everyone
downplaying the ones criticizing as "redditers" (is that an insult?),
contrarians, etc.

I love HN. I love entrepreneurship. But I do love Bruce Schneier too and I
consider security to be something very important.

Yet here everytime an app that does "one master online password to store all
your passwords" gets upvoted like mad just because it's a "startup" and just
because it "runs on a smartphone".

I understand that some of you may not like the "tone" of people using sarcasm
to make a point but... They're still making a point and, very often, it's a
valid point.

So it would be great if people could come up with better arguments than simply
name-calling the ones pointing out the security implications of apps / plugins
/ etc.

~~~
arcatek
I don't see how installing from an archive is safer than using a package, can
you develop ?

From my understanding, Chrome is obviously not chrooted, so a local root
exploit will be required in either case to access to the other accounts (since
it will run with your current privileges).

And actually it seems easier to corrupt a chrome extracted in the home
directory, since an intruder would not require root credentials to inject some
code into your chrome (and replacing every bank front page with fishing pages,
for example).

~~~
throwaway54-762
RPMs / dpkgs require root to install to the machine-global database. Both
package formats have mechanisms called "triggers" which allow the package to
run arbitrary shell script at install or uninstall time. Since
install/uninstall are run as root, this means arbitrary root code execution on
install.

Vs: a non-root user extracting a tgz and then running some file, root is never
involved.

I'm not in agreement with OP about this being a concern worth his or her
mitigation strategy, but the logic is sound.

