70 comments

[ 2.7 ms ] story [ 151 ms ] thread
Just for Windows users.
So far.

I believe that part of Goog's motivation is to stop malware, but part of their motivation is platform control. I just don't know the proportion.

actual source instead of useless techcrunch filler: http://blog.chromium.org/2013/11/protecting-windows-users-fr...

Wasn't this already largely the case? You have to manually download extensions and then drag them into the extensions manager to install them outside the store right now, don't you?

The only change here seems to be that now you need a checked "Developer mode" box in order for that to work. I guess that discourages randomly checking the box, but if they had just labelled it "Allow third party extensions" it would make the change seem less overbearing.

Developer mode only allows installing unpacked extensions, no?
No. If that's the case I think that's new.
this was the case at least a year ago when I was making a chrome app/extension
the most obnoxious part about this is extensions will not update automatically or otherwise. you are forced unpack and drag in the extension for every change.
Another day, another step closer to Apple.
Presumably Chromium has no such restriction.
There's a Chromium Web Store? I'm not sure I follow :)
I'll admit I don't fully understand the Chromium <=> Chrome relationship. (I believe that Chrome is Google's browser built on the open-source Chromium code.) But isn't this an announcement made on the Chromium blog? It would appear to me that this is going to be in the Chromium source... not just Chrome. Am I missing something?
Not sure if the Chromium binaries have this restriction turned on but it doesn't matter as someone will compile it without it (probably the official Linux channels, for instance).
At least Apple's extension system for Safari explicitly has adblock as one of the top downloads.

This just sucks.

Doesn't Apple's Safari take the approach that Zikes proposes[0]? As far as I know, all you need to publish extensions is to sign up for a free developer certificate key, and then you sign the extension yourself.

[0]. https://news.ycombinator.com/item?id=6692656

Let's start betting on when Google starts to squeeze ad blockers through feature changes or right out of the web store.
And Firefox will be there with open arms :)
Funded almost solely by Google.
Microsoft would probably be more than happy to take Google's place there, even if Firefox does compete with IE.
There's a comment on the Chromium blog [1] (via magicalist's comment [2]) that nails this: if security is all they cared about, a signed certificate is all that's necessary.

Knowing that option exists and persisting with their store-only approach means they must have an ulterior motive of some sort, most likely control and money. Ad blockers that target Google Ads will be no more, as well as anything else that the user might want to use to subvert or circumvent. Extensions will also have to adhere to Google's moral code, and developers will once again be beholden to a greater authority in order to operate their business.

Just like with Facebook and the Apple app store, if you build a business on Google Chrome Extensions you now face having the plug pulled at any time for any reason, with absolutely no recourse.

[1] http://blog.chromium.org/2013/11/protecting-windows-users-fr...

[2] https://news.ycombinator.com/user?id=magicalist

(comment deleted)
Would a signed certificate approach allow them to deny extensions, or not? If yes, they could still deny ad blockers that way. If no, it is a weaker form of security than this is.
The alleged reasoning is to stop malware. A signed certificate must come from an authority willing to put their own reputation on the line, but Google does not need to be the only such authority.
So the extension being installed on some malicious site would have a popup talking about security certificates and such, and asking the user whether they want to proceed? You and I might think twice, but most users just click "Yes". Signed certificates would not be adequate to protect the average user.
The idea is that the browser would only accept signed certificates, and only those certificates which the signing authority has not revoked. So long as the signing authority is in a trusted list, the user would see no Yes/No option at all. It would simply install, or be rejected outright with an explanation of why.

It would be like limiting web browsing to HTTPS only, except you would not be given the option to click through for unsigned certificates.

So then Google could still revoke the certificates of any ad blocking software.
Great! I am the "Definitely Not A Malware Author" certificate authority and I have signed this "Definitely Not Malware" extension.
Not quite. The DNAMA would quickly lose hard-won reputation once DNM was shown to be malware. Google not being the only CA doesn't mean everyone gets to be a CA.
> Not quite. The DNAMA would quickly lose hard-won reputation once DNM was shown to be malware.

No problem. I am a completely different "Definitely Not A Malware Author 2" certificate authority and I have signed this "Definitely Not Malware" extension.

> Google not being the only CA doesn't mean everyone gets to be a CA.

Oh. In that case who gets to decide who gets to be a CA?

Who decides who gets to be a CA for SSL certs? Similar process. Somehow my browser doesn't recognize a CA that would allow any random person to pretend to be Facebook.
The web browser authors/distributors decide what root CAs will be included in their browsers. So in this case concerning Chrome, Google decides.

Which means Google is still in charge, ultimately.

Which means that this digital signature scheme hasn't actually accomplished anything.

Google controls the entire browser, meaning they are in absolute control, ultimately. They could inject code into your banking web sites, they could block all the porn, whatever they want.

The idea isn't that the certificates would wrest control away from Google, it's that they wouldn't be able to use "omg the malwares" as a shield for their intentions. If there's a root CA that's handing out certs for malware extensions then sure, pull the plug, but if the root CA is handing out certs for ad blockers and Google pulls the plug then it'll be plain as day what they're doing.

Heck, all the browsers nowadays use extensions of some sort, maybe they could form a consortium for extension certifications so no one company would be in complete control. You could bet Mozilla would keep that sort of behavior in check, at least.

> If there's a root CA that's handing out certs for malware extensions then sure, pull the plug, but if the root CA is handing out certs for ad blockers and Google pulls the plug then it'll be plain as day what they're doing.

Pulling a root CA is no more public than blocking an extension from the Chrome Web Store. In both cases it is clear that Google has taken the action, and whoever has gotten blocked can protest it publicly (just like people do now for Apple App Store rejections). The Chrome Web Store doesn't give Google any kind of "cover" or "shield."

Additionally, revoking an entire root CA that was letting malware through (intentionally or unintentionally) would be far more intrusive than pulling a single extension from the Web Store, because every extension that the CA had approved would be affected, even if they were not malware.

What annoys me about this entire thread is that the OP (which was voted to the top of the story's comments) presumes that you can sprinkle some crypto fairy dust and get just as much security against malware without having to give up any control. And it goes so far as to assume bad intentions on Google's part for not doing it. But it's not that easy; crypto isn't a magic wand that lets you have your cake and eat it too.

> (OP:) if security is all they cared about, a signed certificate is all that's necessary.

Um no. It's not that simple.

Another option would be to allow untrusted extensions like the Android setting for "Allow untrusted sources" for installing apps.

Of course the problem with that route is preventing any unwanted-extension installer from maliciously enabling that option itself.

Someone called "Google OS" posted[1] this about installing extensions not in the web store:

The developer option will still work: replace the crx extension with zip, extract the files to a new folder, go to the Chrome extensions page, enable developer mode, load unpacked extension and select the folder you've created.

Sounds like a huge pain in the ass but at least people doing this are less likely to be in the same group of people that are complaining about malware.

[1] http://blog.chromium.org/2013/11/protecting-windows-users-fr...

Today's serving of feudal security is brought to you by...
I'm guessing it's time for alternatives then. Has anyone tried the new Opera, and what other browsers are out there?

Or maybe I'm just overreacting.

Firefox, Chromium.
I think Mozilla may be headed in the same direction.

Add-on File Registration System: http://www.ghacks.net/2013/11/01/mozillas-add-file-registrat...

Merging of AMO with Firefox Marketplace: http://www.ghacks.net/2013/10/26/thunderbird-seamonkey-kicke...

In Firefox's case, at least, it's clear that the only motive in doing so would be genuine concern for the safety of their users— Mozilla wouldn't have any incentive to stop people installing extensions that hurt their own business model.
Doubtful. Mozilla has repeatedly gone out of their way to ensure that their services aren't strictly reliant on a centralized source. Firefox Sync allows you to set up your own sync server. Persona allows you to set up your own authentication server. Firefox OS allows you to set up your own first-class app store. Locking down Firefox add-ons in the same manner as Chrome would be highly out-of-character.
The new Opera is very, very simple, but it allows you to install just about all extensions in the Chrome store, if you download the Opera extension to do so.

So it depends on which features you'd prefer to keep.

I can definitely recommend using Pinboard for your bookmarks anyway.

Surprise surprise. Closed garden mode.
Finding it very strange that this change is presented under the guise of safety, as there are absolutely very malicious extensions currently circulating on the Chrome Web Store.
They do seem to have very little policing of the Chrome Web Store. It's actually annoying to have an app on there that is legit, as so many of the top places in the store are taken up by unscrupulous rip-offs of Super Mario Bros and Sonic the Hedgehog. I could make some money too by putting classic games into a javascript emulator, plastering the page with ads, and submitting a few hundred apps (one for each game) to the Chrome Web Store. I'd rather play by the rules and have Google properly run their marketplace, though.
I am displeased by this change. Although the Firefox version of my extension is more work to develop, I will be pouring most of my resources into that in the future.

I currently have a product that uses a Chrome extension to work. I am privately beta'ing it out by hosting it on my own website.

Because I don't want to be killed with negative reviews of my unpolished first version in the Chrome store.

Now I am forced to show my work and suffer brickbats in public even before I finish it. WTF.

Second =======

And post-Snowden, the Chrome web store publication process is LESS secure for my users than me hosting the app myself. In the Chrome store, you send Google your raw source (possibly minimized) files. They will sign it and push a blob to the end user. https://developers.google.com/chrome/web-store/docs/publish

AFAIK, there is no way for the end user to have any assurance that the file being pushed by Google was the file that the developer intended to push.

With a privately-served version, the equivalent of a secret key created by the developer needs to be compromised to push updates.

Please correct me if I'm mistaken about this.

IIRC, the CWS allows you to distribute alphas and betas to a specific set of users.
Yeah, I looked into that. There doesn't seem to be a way to have a "hidden" extension whose URL isn't public, but which can be downloaded without signing into a Google account.

That sucks for people in my network who are being kind enough to test my software.

Instead of just messaging them on Facebook/Twitter/Skype/Email/SMS/iMessage/Linkedin with a URL, I need to find out their Google account and add it to a dashboard and they need to be logged in before they download.

Snowden or no Snowden, a security focused developer wouldn't want someone else signing on their behalf or someone else controlling availability and updating. A security focused user wouldn't want to see that either.
So for normal (non-admin) users there is no way to opt-in to this. I can't understand that.

I don't think anyone would have a problem if this was a simple opt-in system like downloading unofficial apk's on android. Only a select few would be opting in, and those are not the core audience that Google is pretending to be security conscious about.

Giving no ability to switch on this ability for a normal user makes Google lose face with the general tech community. I don't understand the reasons behind this.

Agreed. You would think for security you would stop driving technical people to have to use admin for everything...

1 step forwards, 2 steps back.

Don't you usually want to limit non-admin users from installing things you don't know about anyway?
If this was something that a lot of admin users wanted to restrict from their users surely Google could have made the complete disabling of this feature from all users available in the admin panel.

But that should be an opt in feature for the admin.

The security excuse is BS. Show me the numbers for what an enormous problem this is, to justify why such an extreme measure is needed, Google!

And even if it does affect a ton of users, I'm sure there are other ways for Google to fix this, even if not completely. But assuming for a moment this wasn't a malicious move from Google's part, I'm still angry with the lazy decision to "just close off non-store extensions" to fix the problem.

Should I expect side-loading to be gone from Android soon, too, Google? Don't you dare!

The way Android handles this issue is the best possible compromise (there will always be a compromise between security and freedom - and that's a great thing). In Android sideloading is disabled by default, and if a user knows what he's doing, he'll enable it and do whatever he wants.

So why can't Google do the same with Chrome?! Disable sideloading by default, but still keep the option in settings somewhere. What's the big deal? Unless they have a completely different agenda behind this...

Also, I'm not sure, but do Chrome extensions work in Opera or Safari? I think it's about time we call Google on this and ask them to open up the format, so other browsers can use the same extensions. The browser shouldn't be another vector for "lock-in".

Amazing, an actual reason to consider the Blink build of Opera.
This has made me very, very irritated. I was quite upset at the initial change to preventing installation of third party extensions via a download, but then I realised it was for the best.

However, to fully remove the ability to install third party extensions is just ludicrous.

I develop a small Chrome application for internal use at my workplace. The staff love it, it helps them do their jobs a lot quicker. I don't see any easy way other than (as mentioned), building Chromium to remove this limit, as has been done before with crx files.

Might just move to Firefox and take my workforce following with me!

Private extensions are possible via the Chrome Web Store. You can make it available to anyone with the link, or a list of "trusted testers".
The original article says they will continue to support "installs via Enterprise policy", whatever that means exactly.
(comment deleted)
Very disappointing if there is no workaround available to the "ordinary" user. Enough to make me fully question whether I want to use Chrome at all.

Question: what is the situation with ChromeOS? If this applies to ChromeOS then it is essentially in the same locked down, anti-competitive state that the Apple app store is in. It is the main reason I avoid Apple devices and would pretty much put ChromeOS devices on the same blacklist as well for me.

"Question: what is the situation with ChromeOS?"

I don't know, but why would anyone even consider running ChromeOS? The fact that you have to sign in (with a Google account) gives Google unprecedented opportunity to track your activity in the OS. Even something as simple as printing to your desktop printer requires sending your documents via Google's cloud print service.

Imagine having to sign in to Windows or your Mac with your email address and having to remain signed in always to use the OS. Most of us would be horrified. I'm just astonished by how little comment is made of Google's insatiable appetite to track and record online behaviour.

Being constantly signed in also gives you a lot of advantages. Not everybody has a huge distain for being signed in. There are plenty of people who PREFER a simpler OS with a simpler UI that doesn't get viruses or trojans, running on hardware cheaper than an iPad.
I am not concerned about "tracking" very much. I'm not sure what the giant issue is that you and others have with that (ie: exactly where and what is the harm you perceive, in concrete terms?).

Btw, new versions of Windows all but force users to sign in with an email address and then proceed store all documents by default in SkyDrive. Skype is turned on and signing out is not allowed, thus you are every minute constantly advertising your presence and activity to Microsoft. Plus even searching your hard drive sends the query to Bing and shows ads to you as a result. So I am not sure Windows is on track to be much better than ChromeOS in that regard.

But while I don't mind the "tracking", I consider freedom essential. An operating system must allow the freedom to develop applications that are hostile to the interests of the platform owner. That is the only defence against a descent into a monopolistic kind of dark ages. Eg: imagine if FireFox had never been allowed to run on Windows? We'd probably still be using IE6. New disruptive technologies can only develop when they have the freedom to do so, and it is rarely in the interests of the incumbents for it to happen. So this is what I care about far more than the implications for privacy and tracking etc.

Blogpost says this change is only for Windows stable/beta. The workaround for the "ordinary" user is to use dev/canary. Btw, if you're a ordinary user, do you care where you get the extension from?
Does this really solve the problem?

I imagine most of these complaints come from people who pick up the extensions via bundling (not opting out of something when installing software). As those bundles run off of executables with admin privileges in Windows, the last change was circumvented simply by altering some files in the user's chrome directory and the registry. I imagine a similar tactic will defeat this measure. At least before the removal of the third party installation route, Chrome was able to control the messaging and generate warnings. These changes are simply pushing the malevolent even further underground.

Does anyone know if this will include Greasemonkey-style scripts as well? (e.g. like the ones from userscripts.org)
People who commented until now don't know how blessed is this measure. If you're a programmer, you probably don't get lots of malware in your computer, but if you ever had to use the same Windows PC as your uncle, mother or brother-in-law, even for a short time, you would know how bad it is to see huge amounts of malware and changed home pages, new tab pages, default search engines, everything messed up inside Chrome.

I don't know how these people get all these malwares, but is a fact that they get them installed. And if you don't have a better solution, Google at least has a temporary potentially good one.