Linked by Thom Holwerda on Sun 10th Jun 2012 22:36 UTC
So, Google has made it very hard to install Chrome extensions outside of the Chrome Web Store - out of security concerns. In addition, they sprung this on users and extension developers without much consultation or consideration for their concerns. As always - understandable to protect users, but the handling has an almost Apple-like bluntness to it. Next up: how to jailbreak your browser?
Thread beginning with comment 521644
Alfman Member since:
2011-01-28

darknexus,

"I call bs."

There's really no need for sarcasm. Your opinion is that it's ok to submit users to third party control for safety's sake, which is fair enough. I hope you are at least aware that such philosophies, especially when taken collectively, tend to erode our freedoms over time.


"If you're a carpenter, you don't expect your tools to maintain themselves. You don't expect your vehicle to keep itself going without maintenance, nor do you expect it to survive intact if you drive it straight into a tree. Yet, people expect their electronics to magically just work no matter what sort of crap they put on them."

You are speaking metaphorically about how physical tools relate to software. I don't like using metaphors since comparing different things as though they are the same is inherently flawed as details are worked in. But to be more complete the metaphor must account for how end user restrictions affect software. For example, your tools would need to refuse to work with unauthorised components that are nevertheless compatible. Artificially restricting tools would generally be considered a bad thing, even if the freedom to use the tools the wrong way may damage them.

"And before anyone mentions it: Yes, I know how elitist and arrogant I sound. That's what happens when you see the same mistakes repeated over and over and over again, and every time they ask: 'Why didn't my computer protect me?'"

To which I say, the goal should be addressing the lack of software sandboxing rather than having users acquire all their software from centralised sources.


"As long as those of us who do know our stuff can legally and uncomplicatedly bypass said lockdowns, I have no problem with it whatsoever, as that approach keeps both groups happy."

But you've completely overlooked that the walled garden approach (whether it can be disabled or not) doesn't directly solve any security problems on its own. For that you need additional vetting, otherwise there's nothing in place to stop covert distribution of malware through official channels. In fact it creates a false sense of security that anything downloaded through official channels is safe. Though one may be happy under a false sense of security, it's still not something to be happy about. At best this lockdown offers reactive security, which is better than nothing, but not as good as having the ability to run software in a security sandbox in the first place.

Reply Parent Score: 2

darknexus Member since:
2008-07-15

"To which I say, the goal should be addressing the lack of software sandboxing rather than having users acquire all their software from centralised sources."


Sandboxing doesn't help in this situation. Even if a piece of software can't get outside the sandbox, if you voluntarily run it inside of your browser, it has access to whichever features the parent process does. If you install an extension that happens to be malware in a sandboxed browser, it might not be able to get at your files or other data but anything you put in that browser is compromised in either case. That means web history, form entries such as credit card numbers and passwords, and any other information said malware wishes to collect. As it's running inside your browser, which has network access, so does the malware. Network access and data, that's all they're after anyway, and you can't effectively block browser extensions' access to these facilities since they depend on such things to function. Both sandboxing and walled gardens offer you a false sense of security in the same way. I prefer to call Google's approach a gated garden, since you can easily get out if you wish. The one advantage such systems have over sandboxing is that malware, if detected, can be revoked and killed. That power can, of course, be abused (Apple, I'm looking at you) which is why a way out is important.

Reply Parent Score: 2

Alfman Member since:
2011-01-28

darknexus,

"Sandboxing doesn't help in this situation. Even if a piece of software can't get outside the sandbox, if you voluntarily run it inside of your browser, it has access to whichever features the parent process does."

That's probably the heart of the disagreement right there. It's not really the case that a sandboxed extension has to have the same level of access as the parent process.

Reply Parent Score: 3