Very cool idea. I noticed it reports that ridiculousfish.com "is run by" namecheap, but namecheap is only the registrar and does not run or even host the site.
I can't make that decision for you but generally things that transmit address bar input from a browser to other locations are enough for me to ban something from a network, whether it's encrypted in flight or not. Your personal DigitalOcean server being on the other end of the entire install base's queries (a) gives me pause, given the logging opportunities and (b) will fall over if you get some installation footprint. Your decision not to encrypt means that the threat vector expands from solely you to you as well as any adversaries in between the browser and you, so it's sort of an extra bummer on top of some bummers.
A screen shot extension for Chrome did this without telling people and it became headlines. There's a reason one popular tool for finding stuff that does this is called Little Snitch.
I think it is better if you mask your server ip using some service like CloudFlare and assign it a domain name when making public apps with links to your server.
Sorry, man, I'd recommend you re-package with a new key, and re-publish. There are numerous sites that log all Github commits, that private key is public now. Anyone could sign any other extension as you now.
45 comments
[ 2.8 ms ] story [ 110 ms ] threadBut expecting it to see through Scientology front groups is perhaps asking too much. ^^
When an owner is often reported as surprising for a domain, the extension should either blink or directly display the owner without being clicked.
Is this for publishing to the chrome app store? If it is, I recommend taking down the extension and republishing with a new secure key ASAP.
You will need to generate a new key and resign with the new one.
A screen shot extension for Chrome did this without telling people and it became headlines. There's a reason one popular tool for finding stuff that does this is called Little Snitch.