Google Chrome 25 Will Disable Silent Extension Installation

An anonymous reader writes "Google on Friday announced that it is changing its stance for silently installing extensions in its browser. As of Chrome 25, external extension deployment options on Windows will be disabled by default and all extensions previously installed using them will be automatically disabled."

Re:Impossible

[Anonymous Coward]

One way is to keep record of installed plugins by user interaction on google server and recall the list and compare extension lists on startup.

Another way is to sign the extensions with a special per user key that is kept on google server. If key may also be kept on the user pc but needs a public private key signing system. The signing and reading key needs to be created on user plugin installation with all plugins re-signed with new signing key and then that key is destroyed leaving only the reading key. Trying to write over the reading key would make old plugin unreadable (or a special check file for cases with no plugins) and you can't create a signed plugin without the signing key. This still leave attacks left for listening but it's should be pretty rare for plugin installation, anyways kinda moot if a malware has great access to your pc.

Re:Yeah!

[Albanach]

SOME users experience fatigue and click themselves into deep shit, others pay attention and click themselves out of it.

How many extensions do you think the average user wants/needs? I really don't see fatigue being much of an issue with browser extensions. A user should only be seeing a couple of warnings a year.

If the click through presents a warning and defaults to No, then users are much more likely to opt-out, clicking themselves to safety. Even better if there's a 'don't let this site bother me again' option.

Re:Yeah!

[Johann Lau]

How many extensions do you think the average user wants/needs? I really don't see fatigue being much of an issue with browser extensions.

Same here, so don't ask me :P

I think saying "user fatigue!" is really just the last FUD straw of someone who doesn't like that Google made an innocent good move for a change. There is nothing wrong with this change, which is why the "arguments" against it are so desperate and funny. I can sympathize with that, I'm all for being unfair to Google haha, but this is too much of a stretch.

Fuck "user fatigue" - unless you mean being tired of users, then more power to you, of course. Look out for the disabled, for those who need help, and of course streamline stuff where it makes sense. But fuck catering to lazyness and mindlessness. If most people are lazy then most people are obsolete. I don't think they are, but that's what I respond to that argument. Ignore them now before they feel even more entitled. Personally, I'd be all for hunting them down (not being lazy and all that), but I am willing to compromise.

Re:Adware?

[Todd Knarr]

It should. The add-ons can be dumped into the folders, but the browser will leave them disabled and non-functioning until you manually enable them. At least until the adware makers start figuring out how to dig into the internals of the browser config files and modify things directly to convince the browser the add-ons have already been enabled. That's doable but not simple, so I expect it'll take a while for that to become common. And there's simple methods the browser can use to make that modification even more difficult, eg. tagging each enabled extension with an encrypted hash of the extension's file so that the adware would have to find the browser's encryption key before it could successfully modify the configuration.

Note that none of these will do anything about add-ons that convince the user to manually install them.