1. I'm really surprised legit vendors like LastPass don't become verified authors on the Chrome webstore; it's trivial to set up. We were able to do this for Meldium easily.
2. Joe's comments that it's hard to write an extension that steals data does not seem very true. Someone who is dedicated can do a lot with JavaScript.
3. The author doesn't mention the model Mozilla follows with its addons: actual humans code review extensions to determine trustworthiness. They reject extensions containing obfuscated code for example.
Agreed. It would be a rather short script to, e.g., send every js-accessible cookie on every site you visit up to a third party. It doesn't take a lot of code to capture a lot of high value data. The supposition that it does is quite strange.
Chrome is addressing this with a feature that grants access on a temporary basis to the active tab. This is a great improvement for many types of extensions.
> The activeTab permission gives an extension temporary access to the currently active tab when the user invokes the extension - for example by clicking its browser action. Access to the tab lasts until the tab is navigated or closed.
> The main benefit of the activeTab permission is that it displays no warning message during installation.
Because a reader asked a question specifically about Chrome. The article begins, "I'm a big fan of Google Chrome and I love using extensions. However, I've noticed that a lot of them request permissions to access all of my data on every site. Why is this?".
They ask for permissions that are very hard to figure out as a user.
When the user is faced with two options:
1. Click Ok and get started with this app that looks cool.
2. Click No, and go back to the previous screen without the app.
The choice becomes pretty obvious.
My wife simply ignores it and clicks ok. I'm sure most users do the same after the first or second app they install and from then on it becomes a reflex response. Install. Ok. Ok.
Woe is the poor user, who is forced to make do with a free app that violates his privacy. Woe is the poor programmer, who is forced to offer his app for free.
I mean, there is obviously no other solution. We should just quit complaining about it.
Why pick on Chrome? How does this differ from extensions offered by Firefox or Internet Explorer? They all allow essentially similar behavior. Eventually it comes down to whether you trust the extension.
If I'm running AdBlock it needs to be able to modify the HTML of any page and occasionally update its lists using the Internet. But AdBlock Extra Evil Edition might also be paid by someone to not block their ads or to leave beacons in place.
A form filling application could potentially push evil information into a form and submit it before I could do anything. Or it may work the way I expect and only fill in data that I want to be filled. How do you allow the good stuff without also allowing the bad stuff?
It does seem like an odd oversight that Chrome allows you to block plugins per site but not extensions. If you click the green lock in your address bar now, you can see the option to block all plugins. It stops Java and Flash, but allows extensions like AdBlock, etc. to keep running on the page.
The amazing thing here is: A few of my non-programmer friends told me that they would NEVER install a Chrome extension that can access all their data.
At the same time, all of them have no issue at all to install a regular Windows application from, say, Download.com. They are surprised when I tell them that any Windows application can not only access all their data but could also format their hard drive...
To cut a long story short: Google does a good job of educating users. Microsoft should follow (and innovate with a more fine grained security system).
No one would likely be able to cram enough code into a single plugin to manage to get "all" your information and still have a functioning plugin in only JavaScript.
Does not compute. I don't see the logic in this statement.
For any Extension developers, there are some workarounds to avoid asking for the "tabs" permission.
If you just need to know when a tab is visible for your content scripts to do things, use the Page Visibility API[1].
If you want your Extension's background scripts to notify all content scripts of something, you can rely on the `chrome.storage.onChanged` event. The storage API does not warn users about permissions[2].
If anyone's interested in code samples, I could throw some snippets in a gist.
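The two workarounds from the comment above, sketched as an added example that is not part of the original post or the commenter's gist. The function names and the fake `document` and `chrome.storage` objects are assumptions made so the sketch runs under Node; in an extension you would pass the real `document` and `chrome.storage`.

```javascript
// Added example: inject the real `document` / `chrome.storage` in an extension.

// Content script: call onVisible whenever the page is (or becomes) visible.
function watchVisibility(doc, onVisible) {
  const check = () => { if (doc.visibilityState === 'visible') onVisible(); };
  doc.addEventListener('visibilitychange', check);
  check(); // the page may already be visible when the script is injected
}

// Content script: receive broadcasts the background script writes to storage.
function listenForBroadcast(storage, key, handler) {
  storage.onChanged.addListener((changes, areaName) => {
    if (areaName === 'local' && (key in changes)) handler(changes[key].newValue.payload);
  });
}

// Background script: "broadcast" by writing a value; needs only "storage".
// Every content script of the extension can read it, so keep secrets out.
let seq = 0;
function broadcast(storage, key, payload) {
  storage.local.set({ [key]: { payload, seq: ++seq } }); // seq makes each write distinct
}

// Constructed stand-ins for `document` and `chrome.storage` (assumptions).
function makeFakeDocument(state) {
  const handlers = [];
  const doc = { visibilityState: state };
  doc.addEventListener = (type, fn) => { if (type === 'visibilitychange') handlers.push(fn); };
  doc.setVisibility = (s) => { doc.visibilityState = s; handlers.forEach((fn) => fn()); };
  return doc;
}
function makeFakeStorage() {
  const listeners = [];
  const set = (items) => {
    const changes = {};
    for (const [k, v] of Object.entries(items)) changes[k] = { newValue: v };
    listeners.forEach((fn) => fn(changes, 'local'));
  };
  return { local: { set }, onChanged: { addListener: (fn) => listeners.push(fn) } };
}

// Demo: a hidden tab receives one broadcast, then becomes visible.
function runDemo() {
  const storage = makeFakeStorage(), tab = makeFakeDocument('hidden'), log = [];
  watchVisibility(tab, () => log.push('visible'));
  listenForBroadcast(storage, 'notice', (p) => log.push('got:' + p));
  broadcast(storage, 'notice', 'rules-updated');
  tab.setVisibility('visible');
  return log;
}
```

Neither half calls `chrome.tabs`, so the manifest needs only the `storage` permission rather than `tabs`.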
I think it would be beneficial for Chrome (Android as well) to allow for an app to have a dynamic set of permissions.
Instead of requiring all web access just so an app can perform an action on any page (when you decide for it to) - what if a specific user action could grant temporary/permanent access to a domain? E.g. Clicking an icon if the app is in the toolbar, or selecting a certain action from a menu.
Chrome has a way to prompt for temporary permissions - but this brings up an alert box, and that is never ideal, it would be nice if the user interaction could be taken for permission.
Other features I wish Android's security model has are 'soft permissions', and 'pseudo permissions'.
Soft permissions would be where an app can function without permission, but has feature(s) that require it. For example, if I install a game, I should be able to play it without giving it internet access. However, if they want to have an online high-score system they must require that I give them internet access in order to install the app.
Pseudo permissions would be where the app thinks it has permission to use something, but it is really receiving bogus data. For example, say an app 'requires' access to my phone's GPS system (when such access is not critical to the function of the app), it would appear to the app that it has access, but the data it receives would not correlate to the actual data.
I think I recall seeing a project to implement both of these features in Android, but I do not recall what it is called.
Am I paranoid for not wanting to install any extensions in Chrome? There are some I'd like to use, Feedly is an example, but I can't get past the part of allowing them access to anything on any website. I would prefer something that lets you allow access on a case by case basis.
Perhaps all data access by extensions should be logged. It wouldn't be of much interest to most programming laymen, but it would be more accessible/understandable than pointing them to Extension Gallery and Web Store Inspector so they can look at the code. I wouldn't recognize well obfuscated code that can grab my CC#, but I can recognize the number itself just fine.
At the least, it would let everyone know that their extension's activities are being watched. And laymen knowing that extension authors know that this activity is watched would be reassuring to the laymen.
Could such logging be done by a separate extension?
On Windows, Chrome also deliberately circumvents the normal system security model, installing in the unprotected user directory rather than as a real application in order to allow its background updates.
It also installs (silently, without permission, and for reasons unspecified) a Firefox plug-in, and it reinstalls/reactivates that plug-in even if the user has explicitly chosen to disable it.
It amazes me that Google seem to get such a free ride with Chrome. A lot of the things it does are either indistinguishable from a lot of the things that malware does or leaving itself wide open to compromise if malware gets onto a system by some other mechanism.
> [Chrome] also installs (silently, without permission,
> and for reasons unspecified) a Firefox plug-in, and it
> reinstalls/reactivates that plug-in even if the user has
> explicitly chosen to disable it.
Could you elaborate more on this? Most of my machines have both Chrome and Firefox installed, but I don't see any unexpected or Chrome-related plugins in Firefox. A web search for [chrome installs firefox plugin] also turns up no relevant hits.
Installing to a user folder doesn't make the system any more vulnerable to attack. Malware could easily put itself in the same place with or without chrome. Malware can also load programs from a secure location and immediately inject themselves.
I'm in the same position (IT security at a large corp), with the difference that we're a Google customer. Our email and collaboration suite is Gmail/Drive/Talk/Hangouts. This means we are now recommending Chrome as the default browser on all corporate machines. Keeping Chrome locked down has been a challenge for us and not a week goes by where we don't find that someone has or is planning to attempt to bypass our restrictions by installing Chrome extensions or using web apps that integrate with Google Apps by means of giving them your Google username and password.
Google makes it extremely hard for an enterprise security team to set reasonable restrictions. Our support response from Google is usually "we don't support locking that down" or "we don't have a way to let people access feature X without also allowing feature Y". Make no mistake, Google Apps for Enterprise exists in name only.
The policy in these large IT seems to often be: "don't do anything, it could go wrong". The long term damage is worse but the policy stays because, that way, there is no one to blame (or might be MS for security leaks in IE6 in 2013).
I'm not saying that the issue only came from IT. A well prepared plan that went wrong should be considered a necessary evil.
Extensions found at https://addons.mozilla.org/ get reviewed by a human. If there are issues with the code (obfuscated, security risks, etc) the add-on is not approved.
[+] [-] borisjabes|13 years ago|reply
[+] [-] rictic|13 years ago|reply
[+] [-] jonknee|13 years ago|reply
http://developer.chrome.com/beta/extensions/activeTab.html
[+] [-] VeejayRampay|13 years ago|reply
Doesn't the very same problem exist with Firefox extensions / add-ons? After a quick online search, it seems that this problem is far from being a Chrome thing...
[1] http://www.computerworld.com/s/article/9152578/Mozilla_confi...
[2] http://www.networkworld.com/columnists/2009/020309antonopoul...
[+] [-] bpatrianakos|13 years ago|reply
[+] [-] gingerlime|13 years ago|reply
[+] [-] IheartApplesDix|13 years ago|reply
[+] [-] dmethvin|13 years ago|reply
[+] [-] celticjames|13 years ago|reply
[+] [-] r3m6|13 years ago|reply
[+] [-] Mahn|13 years ago|reply
[+] [-] borisjabes|13 years ago|reply
[+] [-] OGinparadise|13 years ago|reply
[+] [-] cickpass_broken|13 years ago|reply
[1] http://www.w3.org/TR/2011/WD-page-visibility-20110602/#sec-p...
[2] http://developer.chrome.com/extensions/permission_warnings.h...
[+] [-] crandles|13 years ago|reply
edit: apparently it's in beta (https://news.ycombinator.com/item?id=5383011)
[+] [-] gizmo686|13 years ago|reply
[+] [-] hrwl|13 years ago|reply
[+] [-] nooneelse|13 years ago|reply
[+] [-] Silhouette|13 years ago|reply
[+] [-] jmillikin|13 years ago|reply
[+] [-] Dylan16807|13 years ago|reply
[+] [-] andyl|13 years ago|reply
It's not that Firefox is so much better. But Mozilla doesn't have Google's motive or ability to cross-correlate data-streams.
[+] [-] zspade|13 years ago|reply
[+] [-] freehunter|13 years ago|reply
[+] [-] ecaradec|13 years ago|reply
[+] [-] joelthelion|13 years ago|reply
Plus they will make users hate you.
[+] [-] criley|13 years ago|reply
http://www.chromium.org/administrators/policy-list-3
You can whitelist and blacklist extensions, whitelist sources, force install extensions and block them by type only.
It shouldn't be hard to prevent all extensions from running.
[+] [-] joelthelion|13 years ago|reply
[+] [-] msujaws|13 years ago|reply