Linked by Thom Holwerda on Sun 10th Jun 2012 22:36 UTC
Google So, Google has made it very hard to install Chrome extensions outside of the Chrome Web Store - out of security concerns. In addition, they sprung this on users and extension developers without much consultation or consideration for their concerns. As always - understandable to protect users, but the handling has an almost Apple-like bluntness to it. Next up: how to jailbreak your browser?
Order by: Score:
v Comment by undu
by undu on Sun 10th Jun 2012 23:23 UTC
RE: Comment by undu
by Thom_Holwerda on Sun 10th Jun 2012 23:31 UTC in reply to "Comment by undu"
Thom_Holwerda Member since:
2005-06-29

Didn't see a submission from you...?

I'm not a robot, I can't pump out an extensive item on command. I just don't care about browser extensions enough to write 6 paragraphs about it, especially not after a long workday - sorry.

Reply Score: 5

"How to Jailbreak"
by Jondice on Sun 10th Jun 2012 23:26 UTC
Jondice
Member since:
2006-09-20

Install Chromium? Does Chromium also require web store extensions by default?

Reply Score: 3

RE: "How to Jailbreak"
by Beta on Sun 10th Jun 2012 23:51 UTC in reply to ""How to Jailbreak""
Beta Member since:
2005-07-06

Install Chromium? Does Chromium also require web store extensions by default?


Not much point, the only difference between Firefox and Chrome now is a few -webkit- properties and NativeClient. And since Chromium doesn’t support NaCl, most of the ‘chrome web store’ content doesn’t actually work.

Reply Score: 2

RE[2]: "How to Jailbreak"
by jasutton on Mon 11th Jun 2012 00:11 UTC in reply to "RE: "How to Jailbreak""
jasutton Member since:
2006-03-28

Where do you see that Chromium doesn't support NaCl? I'm running Chromium on ArchLinux, and I'm pretty sure it works. Perhaps you're referring to it not working on Debian/Ubuntu builds of Chromium?

http://askubuntu.com/questions/91789/why-is-nacl-disabled-for-chrom...

Reply Score: 8

Side-loading can be re-enabled
by jasutton on Mon 11th Jun 2012 00:06 UTC
jasutton
Member since:
2006-03-28

According to the green-highlighted comment added in this commit...

https://chromiumcodereview.appspot.com/10511015/diff/1/chrome/common...

You can re-enable side-loading by starting Chrome/Chromium with the "--enable-easy-off-store-extension-install" switch, and then drag-n-drop the *.crx file onto "chrome://extensions/".

I'd say this is a nice compromise. It still allows user freedom, while not opening up an easily-exploitable area for users to be duped by. This is pretty comparable to Android, which offers a checkbox to enable side-loading. This is no where near the Apple/iOS defective-by-design model, in which you have to exploit a bug in the OS in order to side-load.

Reply Score: 12

RE: Side-loading can be re-enabled
by Alfman on Mon 11th Jun 2012 03:03 UTC in reply to "Side-loading can be re-enabled"
Alfman Member since:
2011-01-28

jasutton,

Yea, it's better than apple's control. But google is weaving precariously on the line between open and closed. I am extremely disappointed they're using a "security" excuse to justify new restrictions, which users won't know how to bypass. A better approach would have been to give users better tools to view/limit what extensions can do and just set the defaults to restrictive.

Reply Score: 2

darknexus Member since:
2008-07-15

I am extremely disappointed they're using a "security" excuse to justify new restrictions, which users won't know how to bypass.


Speaking from tech support experience, I'd say if a user doesn't know enough to google for that switch, they have no business side-loading. The more checkboxes you give users, the more they will check out of annoyance just to avoid the alert dialogs, and then your security becomes null and void. I'd agree that having this switch is a nice compromise, and it's not as though you have to hack your browser to enable this.

Reply Score: 6

Alfman Member since:
2011-01-28

darknexus,

"Speaking from tech support experience, I'd say if a user doesn't know enough to google for that switch, they have no business side-loading. The more checkboxes you give users, the more they will check out of annoyance just to avoid the alert dialogs, and then your security becomes null and void."

The spread of malware happens because users lack the tools to make informed decisions. Often the choice is between "run" and "do not run" and the only information presented is to identity the software. Even knowledgeable users will be at a complete loss to know if something is harmful, so I fully agree that this type of security model is flawed. But I disagree very strongly with the "remedy" of a walled garden (even if more savvy users can disable it). It'd be both more open and more secure to add metadata about what the extension does and then enforce it in a sandbox. Given the right tools & information, users may be even more secure than simply trusting everything in google's repository.

Reply Score: 2

darknexus Member since:
2008-07-15

The spread of malware happens because users lack the tools to make informed decisions.


I call bs. Malware spreads because users treat their computer as a magic box. They expect their computer to protect them, to do their common sense thinking for them, and to be the always-on tool. They don't wish to make informed decisions. I speak from experience with a large number of users, some of which have actually said this to me. I can't count the number of times I've heard "well, if that's not a safe program, I shouldn't be allowed to install it." I shit you not, I have heard these words.
If you're a carpenter, you don't expect your tools to maintain themselves. You don't expect your vehicle to keep itself going without maintenance, nor do you expect it to survive in tact if you drive it straight into a tree. Yet, people expect their electronics to magically just work no matter what sort of crap they put on them. They want that? Fine, but that comes at a heavy cost. They don't want to think, so fine, we don't make them think. However, we have to allow those who still wish to think and employ their common sense to not be limited by the idiocy of those who do not wish to use their brains. Therefore, a compromise is needed.
I wish these sorts of things weren't necessary. I wish people would use their damn brains for something other than watching crap tv and window shopping. The sad reality is, however, that the greater part of the market decides these issues and we could easily find ourselves buried by them. Allowing us to enable this ability in an easy way that is, at the same time, not obvious to those who don't have the brains to search for it anyway seems to be the best way to keep both groups happy.
And before anyone mentions it: Yes, I know how elitist and arrogant I sound. That's what happens when you see the same mistakes repeated over and over and over again, and every time they ask: "Why didn't my computer protect me?" I don't know what the situation is in other countries, but in the USA that's what I get 95% of the time. I'm almost glad for lockdowns imposed on these types of people, if only so they stop bothering me with the same crap and stop spreading their malware. As long as those of us who do know our stuff can legally and uncomplicatedly bypass said lockdowns, I have no problem with it whatsoever, as that approach keeps both groups happy.

Reply Score: 9

Alfman Member since:
2011-01-28

darknexus,

"I call bs."

There's really no need for sarcasm. Your opinion is that it's ok to submit users to third party control for safety's sake, which is fair enough. I hope you are least aware that such philosophies, especially when taken collectively, tend to erode our freedoms over time.


"If you're a carpenter, you don't expect your tools to maintain themselves. You don't expect your vehicle to keep itself going without maintenance, nor do you expect it to survive in tact if you drive it straight into a tree. Yet, people expect their electronics to magically just work no matter what sort of crap they put on them."

You are speaking metaphorically about how physical tools relate to software. I don't like using metaphors since comparing different things as though they are the same is inherently flawed as details are worked in. But to be more complete the metaphor must account for how end user restrictions affect software. For example, your tools would need to refuse to work with unauthorised components that are never the less compatible. Artificially restricting tools would generally be considered a bad thing, even if the freedom to use the tools the wrong way may damage them.

"And before anyone mentions it: Yes, I know how elitist and arrogant I sound. That's what happens when you see the same mistakes repeated over and over and over again, and every time they ask: 'Why didn't my computer protect me?'"

To which I say, the goal should be addressing the lack of software sandboxing rather than having users acquire all their software from centralised sources.


"As long as those of us who do know our stuff can legally and uncomplicatedly bypass said lockdowns, I have no problem with it whatsoever, as that approach keeps both groups happy."

But you've completely overlooked that the walled garden approach (whether it can be disabled or not) doesn't directly solve any security problems on it's own. For that you need additional vetting, otherwise there's nothing in place to stop covert distribution of malware through official channels. In fact it creates a false sense of security that anything downloaded through official channels is safe. Though one may be happy under a false sense of security, it's still not something to be happy about. At best this lock down offers reactive security, which is better than nothing, but not as good as having the ability to run software in a security sandbox in the first place.

Reply Score: 2

darknexus Member since:
2008-07-15

To which I say, the goal should be addressing the lack of software sandboxing rather than having users acquire all their software from centralised sources.


Sandboxing doesn't help in this situation. Even if a piece of software can't get outside the sandbox, if you voluntarily run it inside of your browser, it has access to whichever features the parent process does. If you install an extension that happens to be malware in a sandboxed browser, it might not be able to get at your files or other data but anything you put in that browser is compromised in either case. That means web history, form entries such as credit card numbers and passwords, and any other information said malware wishes to collect. As it's running inside your browser, which has network access, so does the malware. Network access and data, that's all they're after anyway, and you can't effectively block browser extensions' access to these facilities since they depend on such things to function. Both sandboxing and walled gardens offer you a false sense of security in the same way. I prefer to call Google's approach a gated garden, since you can easily get out if you wish. The one advantage such systems have over sandboxing is that malware, if detected, can be revoked and killed. That power can, of course, be abused (Apple, I'm looking at you) which is why a way out is important.

Reply Score: 2

Alfman Member since:
2011-01-28

darknexus,

"Sandboxing doesn't help in this situation. Even if a piece of software can't get outside the sandbox, if you voluntarily run it inside of your browser, it has access to whichever features the parent process does."

That's probably the heart of the disagreement right there. It's not really the case that a sandboxed extension has to have the same level of access as the parent process.

Reply Score: 3

Laurence Member since:
2007-03-26

darknexus,

"Speaking from tech support experience, I'd say if a user doesn't know enough to google for that switch, they have no business side-loading. The more checkboxes you give users, the more they will check out of annoyance just to avoid the alert dialogs, and then your security becomes null and void."

The spread of malware happens because users lack the tools to make informed decisions. Often the choice is between "run" and "do not run" and the only information presented is to identity the software. Even knowledgeable users will be at a complete loss to know if something is harmful, so I fully agree that this type of security model is flawed. But I disagree very strongly with the "remedy" of a walled garden (even if more savvy users can disable it). It'd be both more open and more secure to add metadata about what the extension does and then enforce it in a sandbox. Given the right tools & information, users may be even more secure than simply trusting everything in google's repository.


Metadata can be faked. This method ensures that only people tech-savy enough to know how not to break their browser has enough control to break their browser.

Reply Score: 2

Alfman Member since:
2011-01-28

Laurence,

"Metadata can be faked. This method ensures that only people tech-savy enough to know how not to break their browser has enough control to break their browser."

Can be faked to do what? Any metadata can be faked. But if the requested permissions are enforced by the sandbox and software attempts to escalate it's access above that specified in metadata, then it should be killed automatically. Furthermore the default max permissions should be restrictive enough such that the user needs to explicitly ok dangerous calls before the software will run.

The sandbox gives us much more security than we normally have when running extensions under blind faith. Although this could improve security for all extensions, I'd be open to removing sandbox restrictions from extensions that have already been vetted by google.

Reply Score: 3

Comment by Luminair
by Luminair on Mon 11th Jun 2012 03:13 UTC
Luminair
Member since:
2007-03-30

they also don't let you install apps on your android device unless you use their store! google says SUCK IT!!!!

Reply Score: 1

RE: Comment by Luminair
by darknexus on Mon 11th Jun 2012 04:41 UTC in reply to "Comment by Luminair"
darknexus Member since:
2008-07-15

they also don't let you install apps on your android device unless you use their store! google says SUCK IT!!!!


Since when? I've known of some carrier ROMs that have this ability taken out either by the phone manufacturer or your carrier, but I've not seen any stock Android rom impose such a limitation.

Reply Score: 4

RE: Comment by Luminair
by marcus0263 on Mon 11th Jun 2012 16:40 UTC in reply to "Comment by Luminair"
marcus0263 Member since:
2007-06-02

they also don't let you install apps on your android device unless you use their store! google says SUCK IT!!!!


MMM, I've got an Android Phone and Tablet, I've installed a few apps "not" from the Andriod Store. You know like Amazon's store? You might wanna look at your settings on your device and check "Unknown Sources" ;)

Reply Score: 3

Its basically
by Nelson on Mon 11th Jun 2012 05:41 UTC
Nelson
Member since:
2005-11-29

the same as "Allow apps from outside the Marketplace" that exists on Android.

You can toggle this off with a switch. Nothing to see here.

And trust me, I chomp at the bit to diss Google

Reply Score: 3

v 1
by Anonymous on Fri 15th Jun 2012 12:00 UTC