Forgot your password?
typodupeerror
This discussion has been archived. No new comments can be posted.

Google Chrome 25 Will Disable Silent Extension Installation

Comments Filter:
  • Yeah! (Score:1, Offtopic)

    by bfmorgan (839462)
    Thank you
    • Re:Yeah! (Score:5, Informative)

      by BitZtream (692029) on Sunday December 23, 2012 @10:04PM (#42378779)

      Whats to get excited about, this just causes problems for legitimate extensions.

      Fact: Dirty/Malware extensions can work around it by just sitting whatever flags need to be set where ever they need to be set to make Chrome think they are approved.

      Fact: Legit extensions installed with other software will now at the minimum need an annoying popup to allow them, or worse, digging through menus to figure out how to term them on instead of 'just working'.

      Fact: Google will exempt itself from this practice.

      As someone who wrote extensions for Firefox until we got tired of supporting its broken every release API, it was trivial to work around this sort of crap with firefox, the same will be true of Chrome.

      • Re:Yeah! (Score:5, Insightful)

        by dreamchaser (49529) on Sunday December 23, 2012 @10:19PM (#42378845) Homepage Journal

        You're so right. We should also leave all of our doors and windows unlocked because face it, a determined intruder will just find a way in, and we could be blocking legitimate friends and family. We might actually have to get up and answer the door!

        • Re:Yeah! (Score:4, Insightful)

          by jhoegl (638955) on Sunday December 23, 2012 @10:31PM (#42378903)
          There is such a thing as user fatigue.
          If you keep harping at the user about every little thing they will just accept without reading and move on.
          So in what way have you empowered the broad user base by adding this?
          Treating the symptoms instead of finding the cause is the problem. Although there is no easy way to solve this particular riddle, the solutions provided do nothing to educate and help the user.
          • Re:Yeah! (Score:5, Insightful)

            by Johann Lau (1040920) on Sunday December 23, 2012 @11:11PM (#42379071) Homepage Journal

            SOME users experience fatigue and click themselves into deep shit, others pay attention and click themselves out of it.

            If you keep harping at the user about every little thing they will just accept without reading and move on.

            And what is lost compared to not even having the choice? That's like initializing user_fatigue with the maximum value.

            So in what way have you empowered the broad user base by adding this?

            As I just said, you give each user the choice how much of an idiot they want to be, instead of forcing ALL users to be idiots.

            • Re:Yeah! (Score:5, Interesting)

              by Albanach (527650) on Monday December 24, 2012 @12:08AM (#42379269) Homepage

              SOME users experience fatigue and click themselves into deep shit, others pay attention and click themselves out of it.

              How many extensions do you think the average user wants/needs? I really don't see fatigue being much of an issue with browser extensions. A user should only be seeing a couple of warnings a year.

              If the click through presents a warning and defaults to No, then users are much more likely to opt-out, clicking themselves to safety. Even better if there's a 'don't let this site bother me again' option.

              • Re:Yeah! (Score:5, Interesting)

                by Johann Lau (1040920) on Monday December 24, 2012 @12:27AM (#42379337) Homepage Journal

                How many extensions do you think the average user wants/needs? I really don't see fatigue being much of an issue with browser extensions.

                Same here, so don't ask me :P

                I think saying "user fatigue!" is really just the last FUD straw of someone who doesn't like that Google made an innocent good move for a change. There is nothing wrong with this change, which is why the "arguments" against it are so desperate and funny. I can sympathize with that, I'm all for being unfair to Google haha, but this is too much of a stretch.

                Fuck "user fatigue" - unless you mean being tired of users, then more power to you, of course. Look out for the disabled, for those who need help, and of course streamline stuff where it makes sense. But fuck catering to lazyness and mindlessness. If most people are lazy then most people are obsolete. I don't think they are, but that's what I respond to that argument. Ignore them now before they feel even more entitled. Personally, I'd be all for hunting them down (not being lazy and all that), but I am willing to compromise.

              • by jittles (1613415)

                I really don't see fatigue being much of an issue with browser extensions. A user should only be seeing a couple of warnings a year.

                This is chrome we are talking about here. They've probably made 3 major releases just since they announced this feature in release 25. I mean how long has Chrome been around? The only software version that has a higher number than Chrome is Windows 98.

            • by hairyfeet (841228)
              How about simply having a checkbox that says "trust installs by this publisher" and call it a day? why not that? on the one hand i don't want to be clicking my ass off and on the other hand i don't want shit installing silently, so why not a compromise?
              • Yeah, why not. I'm all for making it easier to make responsible, conscious decisions, and to automate tasks based on those conscious decisions... it's the "let's make it so easy nobody even has to think" bits I have issues with, or the "let's measure people and give them more about they already have (or: let's put people into bins and then normalize those bins)". It's degrading, it has no good motivations and no good results.

                • by hairyfeet (841228)

                  Nice to see somebody else is sensible. I mean I trust the ForecastFox guys, so why shouldn't I get a little checkbox that says "trust extensions by this publisher" and let that be that?

                  There are plenty of times, especially with older customers, that having any thing pop up at them is gonna freak them right the fuck out, they are gonna think they are getting hacked or they broke something so why not give the option to guys like me that are actually building the system to say "I trust these extensions, alway

        • Re:Yeah! (Score:5, Insightful)

          by cbiltcliffe (186293) on Monday December 24, 2012 @12:30AM (#42379351) Homepage Journal

          When your "lock" consists of a lever with a little sign saying "push this lever if you're supposed to be here" you might as well leave it unlocked....

        • Windows users still install programs by downloading executables from the internet and running them as root. It doesn't matter what we do to our windows and doors when one wall of our house is missing.
          • by wvmarle (1070040)

            That's sensible, for the lack of anything resembling a Linux distribution's repository for Windows. I've before been told here on /. that "Google is your repository/app centre" - i.e. search for the software on Google and download it. That's just the way it goes in the Windows world. And to get Firefox, I happen to know to go to getfirefox.com but if I need say a pdf reader (not that bloated pos from Acrobat) then I'd also just go to Google, and select one or two of the top rated results, download it, run i

        • by Tim Ward (514198)

          Well, you could always follow the NRA's advice and get a gun and shoot everyone who walks through the door. You gotta gun, you don't need locks.

      • Re:Yeah! (Score:5, Insightful)

        by symbolset (646467) * on Sunday December 23, 2012 @10:19PM (#42378847) Journal
        Fact: silent browser extension installation is like a browser version of Microsoft's AutoRun. There is no reason why a legitimate extension needs to install without asking the operator for permission any more than a program on a disk or share needs to autorun on mounting the volume.
        • Re: (Score:1, Funny)

          by Anonymous Coward

          Fact: saying fact before a statement makes it an inarguable universal truth.
          Pro-tip: use the Fact: prefix before making stating any opinion in an online forum.

          FWIW I happen to agree. But for $DEITY's sake, just state your case.

          • by Maow (620678)

            Fact: saying fact before a statement makes it an inarguable universal truth.
            Pro-tip: use the Fact: prefix before making stating any opinion in an online forum.

            FWIW I happen to agree. But for $DEITY's sake, just state your case.

            Try reading the GP comment for the reason.

            Hint: he (Symbolset) is responding to that poster's arrogance.

            Hint #2: the GP's comment states 3 "facts" as though stating such that makes them inarguable truths.

            FWIW, I agree that it's bad form, but it was a response-in-kind that you replied to.

            Cheers

          • Re:Yeah! (Score:5, Funny)

            by 1u3hr (530656) on Monday December 24, 2012 @01:44AM (#42379651)

            Pro-tip: use the Fact: prefix before making stating any opinion in an online forum.

            And adding the "Period" suffix after your opinion makes it a universal truth. Period.

            • This. Adding 'this' always makes the parent true.
              • This. Adding 'this' always makes the parent true.

                "Yields falsehood when preceded by its quotation" yields falsehood when preceded by its quotation.

            • by S.O.B. (136083)

              Fact: Using Fact and Period makes your point even more universally true. Period.

        • Same problem with auto-update on Firefox. At some point, I was running version X of Firefox off of a live-boot-usb-stick, and I hadn't configured Firefox completely, and I forgot to do it for a day. Next afternoon, my version of Firefox had updated to X+2 and then the next day it was updated to Firefox 17 with all of the googley-crap put back into the search box and all of the javascript options I had disabled being re-enabled and all of my addons such as adblock and noscript were disabled because the ver
          • by Anonymous Coward

            So install the old version again? Really, not that hard. Of course, the old version most likely doesn't have security fixes, and the extensions you have can easily be updated, but where's the fun in that?

            • Actually, I could just reboot the live stick, then run my reset script with my archived settings. But this one particular archive had been saved before I remembered to disable the autoupdate features in FF. Read VortexCortex's comment below, which I wholeheartedly agree with. A sane default option is to "opt in" to auto-updates; it is insane and irrational to require "opting out" of auto-updates. That is the batshit insanity which Firefox has been setting up lately, just like MS Internet Explorer had be
          • by hairyfeet (841228)

            Mind some advice? Install Comodo Dragon on the stick instead. Not only does it have all the same extensions Chrome has (since they both use the Chromium base) but there is but a single checkbox in options that says "do not check for updates" and once it is checked it will do just that, never check for updates. it also has the Privalert built in which lets you block tracking crap with a single click and the option of Comodo Secure DNS which will block many sites that have been infected from loading. Oh and n

            • Thanks for the advice and the info about Comodo Dragon. I had not heard of it before your post. I may install it and give it a spin...
              .
              The wikipedia page on it ( http://en.wikipedia.org/wiki/Comodo_dragon [wikipedia.org] ) has more info about chromium vs. comodo though the last two items look like they were respun by someone who prefers google chromium, while comodo's page ( http://forums.comodo.com/help-cd/how-is-dragon-better-t67998.0.html [comodo.com] ) points out that google keeps track of the time it was installed (the better
              • by hairyfeet (841228)

                There is one MAJOR difference between Chrome and Dragon when it comes to Dragon and it is this: If you don't want to use Comodo Secure DNS? It asks you on install, simply say "no" and that is that. You can also switch it on and off at will in the options whereas last I checked there is NO easy way to just switch off the phone home in Chrome.

                Now that said in the end you have to trust somebody somewhere to give you DNS, unless you are gonna run your own DNS server and not only is the Comodo Secure DNS pretty

            • Privalert lasted all of about a week. They pulled it for "stability" reasons with an auto-update. https://forums.comodo.com/news-announcements-feedback-cd/23400-update-removes-privalert-t89212.0.html [comodo.com]

              I suspect the real reason they pulled it was that many people pointed out it was exactly the same as Ghostery but without Ghostery being given any credit. Exact same process flow, exact same number of items in the blocklist, despite their CEO claiming on their forum that it was entirely their own code and entire

        • Re:Yeah! (Score:5, Insightful)

          by VortexCortex (1117377) <VortexCortexNO@S ... t-retrograde.com> on Monday December 24, 2012 @02:17AM (#42379785) Homepage

          There is no reason why a legitimate extension needs to install without asking the operator for permission any more than a program on a disk or share needs to autorun on mounting the volume.

          Then explain Chrome's silent updates? By your logic there should be no reason why an application would update itself without operator permission -- Why, if it were small part of a larger system it could even bring the entire intranet down. What I see is friction between notification of updates and desire to have less notification noise. IMO, the best answer when there is a choice to make that involves users' usage is to let them decide:
          An update for Chrome is available.
          ( ) Skip this update.
          ( ) Download the update and ask again later.
          (o) Download and Install Automatically

          [x] Remember this choice and don't ask again.
          ____

          A plugin update is available for: NotScript
          ( ) Skip this update.
          ( ) Download the update and ask again later.
          (o) Download and Install Automatically.

          [_] Remember my choices for future updates.
          [x] Make this the default for all plugins.
          ____

          Status Notification:
          42 Updates are being downloaded and installed. [Options...]

          I thought we solved this shit in the 70's? You know, with our rocket science... The answer is almost never: Less Choice; It's almost always: Sane defaults & Discoverable options.

          See also above comment by: girlinatrainingbra (2738457)

          • Re:Yeah! (Score:4, Funny)

            by symbolset (646467) * on Monday December 24, 2012 @02:44AM (#42379849) Journal
            Well I guess the only reasonable response to this is: don't eat lead-based paint chips. Your post has nothing to do with my post.
          • by Anonymous Coward

            There is no reason why a legitimate extension needs to install without asking the operator for permission any more than a program on a disk or share needs to autorun on mounting the volume.

            Then explain Chrome's silent updates?

            Chrome specifically asks to install itself (and make subsequent updates). Your argument makes no sense.

      • The malware extensions only can do anything if they are already running. I'd expect Chrome to check the extensions before starting them.

      • by mwvdlee (775178)

        Fact: Google will exempt itself from this practice.

        Fact: TFA doesn't say this. Please back up your personal believes before stating them as if they were facts.

        More importantly; this is all a trust issue. Chrome is Google's browser. Assuming Google trusts itself, I can see why they would exempt themselves.

        I have a lock on my door to keep unwanted people out, but I have given myself a key to get in whenever I want because I trust myself not to steal from myself.

        • It's a matter of principle. Windows doesn't automatically allow something to be run if it's signed by Microsoft, neither does OS X, as far as I've seen.

      • by Chelloveck (14643)

        Fact: Legit extensions installed with other software will now at the minimum need an annoying popup to allow them, or worse, digging through menus to figure out how to term them on instead of 'just working'.

        "Legit extensions installed with other software"... Like that bullshit Ask Toolbar that got silently installed into Chrome when I loaded some crappy unrelated shareware the other day? Yeah, the world is sure going to lose out when that kind of anti-social behavior is made more difficult.

        I can't think

      • All my extensions were disabled by the dev channel when that update came through. It gave me a messagebox when it ran the update letting me know it disabled them, and it doesn't give you a way to re-enable them. You do have to dig through the menu to re-enable them. This is after a previous version already made it so to distribute them internally you had to save the crx file, open the extensions page, and drag it on there.

        I understand the point is security, but they're making legit purposes harder to deal w

  • It's pretty awesome.

    • by Anonymous Coward

      Chrome 299729548 is even better.

      • by Anonymous Coward
        Colonel Sandurz: Prepare ship for light speed.
        Dark Helmet: No, no, no, light speed is too slow.
        Colonel Sandurz: Light speed, too slow?
        Dark Helmet: Yes, we're gonna have to go right to ludicrous speed.
  • Impossible (Score:5, Insightful)

    by KiloByte (825081) on Sunday December 23, 2012 @09:53PM (#42378729)

    How exactly can they block silent installs if the process that wants to add the extensions has the same rights as Chrome -- or strictly higher? The other program can emulate whatever way Chrome uses to mark something as legitimately installed.

    It's only a feel-good measure, that can stop only "nice" extensions which would play by the rules in the first place, and does nothing against malware or the operating system itself (looking at you, Microsoft).

    • Re: (Score:1, Insightful)

      by BradleyUffner (103496)

      Because the solution isn't perfect we should do nothing at all instead.

    • by grim4593 (947789)
      Chrome could hash the extensions files upon proper installation and have an encrypted list of all valid extension hashes. That way an elevated process could move the files to the right folder locations but Chrome can choose not to evoke them if they aren't on the list.
      • Re: (Score:3, Insightful)

        by larry bagina (561269)
        An elevated process can also update the encrypted list.
    • Re:Impossible (Score:5, Insightful)

      by ohnocitizen (1951674) on Sunday December 23, 2012 @10:07PM (#42378801)
      Stopping "nice" extensions is a step forward. This will make it difficult for 3rd party app developers who wanted to sneak extensions into Chrome to continue business as usual. Microsoft and malware authors will probably find ways to work around it, true. But reigning in bad behavior by people who otherwise play by the rules is still progress.
    • Re: (Score:3, Interesting)

      by Anonymous Coward

      One way is to keep record of installed plugins by user interaction on google server and recall the list and compare extension lists on startup.

      Another way is to sign the extensions with a special per user key that is kept on google server. If key may also be kept on the user pc but needs a public private key signing system. The signing and reading key needs to be created on user plugin installation with all plugins re-signed with new signing key and then that key is destroyed leaving only the reading key. T

      • If Chrome can post a message to Google's server, Evil Plugin Installer can also post a fake message to Google's server. Your second choice sounds like a walled garden, which isn't bad, but it'll be messy to clean up after all those heads are blown...
    • Re:Impossible (Score:5, Insightful)

      by TheLink (130905) on Sunday December 23, 2012 @11:10PM (#42379059) Journal
      This is setting a new intended default behaviour - e.g. extensions should ask permission. If you bypass this it makes it harder to argue that your extension isn't malware.

      Most people and the Courts treat things differently depending on whether you broke a lock to enter a place or the door wasn't even latched in the first place.
      • by KiloByte (825081)

        Except that your average malware toolbar does ask for permission when whatever software it is attached to is being installed. It will just helpfully save you from having to do another step, after you click "ok" to "install and enable XXX?".

    • Why would malware in the system itself bother with a Chrome extension? What does that give you that you don't already have? Honest curiosity.

      can stop only "nice" extensions which would play by the rules in the first place

      Nah. There are plenty of "hey, it's just some ads/game/whatever, we from value add corp LOVE our customers!" extensions. Of course they're not "nice", but they otherwise use the standard process for extensions, and aren't malware by any stretch of the imagination.

      • Re:Impossible (Score:4, Insightful)

        by techno-vampire (666512) on Sunday December 23, 2012 @11:44PM (#42379203) Homepage
        ...and aren't malware by any stretch of the imagination.

        I don't know about you, but personally I find it hard to believe that any extension that installs itself without notifying the user has that user's best interests at heart. Even if they're not actually malware, they're probably doing something their author doesn't want us to know about and that's enough to make sure that I, for one, would never trust them.
        • That still doesn't make them malware in the stricter sense (all malware is evilware, but not all evilware is malware) Certainly when talking about bypassing the browser via having the OS infected.. if you have *that*, you can do anything; sure it'd be *nicer* to have an extension that makes grabbing web passwords super simple, but you don't really *need* it; you can already monitor all traffic, take screencaps, log keys, do whatever.. so what's the point of using root to install a chrome extension?

          I honestl

        • by AmiMoJo (196126) *

          I hate it as much as you do, but just to play Devil's advocate for a moment I can at least understand why an app like Adobe Reader might install a plug-in. When a normal user installs an app they expect certain things to just work, such as double clicking on a PDF opening in the PDF reader they just downloaded. So from Adobe's point of view it makes sense to allow PDFs on the web to open natively in the browser too.

          As to why they don't ask if you want it my guess would be that they don't think users will un

          • I have no objection to apps installing plug-ins so that documents can be opened in the browser. What I object to is having them do it silently, without bothering to tell me. If the plug-in is part of the original installation, the fact should be listed as part of what's getting installed. If the user doesn't bother to read the list, they've got no reason later to object as long as the information's clearly there.
      • by KiloByte (825081)

        The typical scheme on Windows is, one of ten "Ok" dialogs during installing an unrelated piece of software instead says "install Bonzi Buddy Toolbar", and you need to read them all carefully and press "cancel" instead, which most people fail to do. Or often, it's just a pre-checked check box on a long page.

        All that will change is that the question instead of "install BBT?" will be "install and enable BBT?".

    • by mysidia (191772)

      You can't. But this will interfere with network Administrators implementing a technical policy of pre-deploying specified extensions for all users.

      The only solution I can think of right now is to ban Chrome; and only allow IE or Firefox; which will allow admin-deployed extensions.

    • by jopsen (885607)

      It's only a feel-good measure, that can stop only "nice" extensions which would play by the rules in the first place, and does nothing against malware or the operating system itself (looking at you, Microsoft).

      Most of the crap toolbars people install for internet explorer are semi legitimate... They can be removed, often, you install program X it'll ask you if you wish to add toolbar Y to IE. The guys behind these toolbars pray on the fact that people forget to click, don't install this useless crap toolbar...
      Raising the bar and forcing people to make the actual choice is a good idea.

      Most of these toolbars are not removed by Anti virus, because they are perfectly legal, Yahoo toolbar is a good example.

      Grante

  • I'm not sure if I fully understand the ramifications here...what exactly will this mean for my Firefox?
  • While I love the Google's Chrome browser, it is my opinion that its UI is getting tired. Anyone agree? A refresh wouldn't do any harm at this point. Would it?

    • Re: (Score:3, Insightful)

      by Anonymous Coward

      Have you learnt nothing?

    • by Seumas (6865)

      To be frank, I don't know what other UI you could implement. It's a web browser. It has some tabs and some forward and back buttons and a giant viewport.

    • by Nimey (114278)

      No. I'm not wild about the three-bar option button, but the rest is OK.

    • NO.

      If you want constant UI refreshes, there's Firefox. Please don't mess up the only remaining sane browser.

  • by Anonymous Coward on Sunday December 23, 2012 @10:18PM (#42378841)

    Someone needs to get a handle on these trolls on this site or I'm calling the POLICE!!!!!

    I think malda himself might be trolling and I'm SICK OF IT!!!

  • What the hell. Since 2008?

    Who the hell does their versioning? That's just pathetic.

    • I agree. They should adopt Android's naming scheme for Chrome. If they had to come up with a stupid moniker for a release every two months, I think they'd at least consider slowing their cycle.
  • I will not trust in Chrome until they stop adding their plugin into Firefox.

    If they care so much about what's run inside Chrome, why do they inject their Google Updater into Firefox and put their update code in a bazillion places?

    Yes, they say that it's mean to always have the latest version available, but if I'm not using it daily, why should I waste CPU cicles and bandwith trying to upgrade it until I use it?

    I have Chrome installed only because I need to use it for testing, but I strongly dislike

  • So when Microsoft decided to enable do not track me by default, everyone says "you're preventing users from making the choice of being tracked!" The comments here were ridiculous. but Google decides to disable silent extensions and no one is throwing a tantrum about how they're preventing users from making that choice. What gives, people?

Line Printer paper is strongest at the perforations.

Working...