Google Chrome 25 Will Disable Silent Extension Installation

An anonymous reader writes "Google on Friday announced that it is changing its stance for silently installing extensions in its browser. As of Chrome 25, external extension deployment options on Windows will be disabled by default and all extensions previously installed using them will be automatically disabled."

Impossible

[KiloByte]

How exactly can they block silent installs if the process that wants to add the extensions has the same rights as Chrome -- or strictly higher? The other program can emulate whatever way Chrome uses to mark something as legitimately installed.

It's only a feel-good measure, that can stop only "nice" extensions which would play by the rules in the first place, and does nothing against malware or the operating system itself (looking at you, Microsoft).

Re:Impossible

[BradleyUffner]

Because the solution isn't perfect we should do nothing at all instead.

Re:Impossible

[ohnocitizen]

Stopping "nice" extensions is a step forward. This will make it difficult for 3rd party app developers who wanted to sneak extensions into Chrome to continue business as usual. Microsoft and malware authors will probably find ways to work around it, true. But reigning in bad behavior by people who otherwise play by the rules is still progress.

Re:That UI is getting tired. Anyone agree?

[Anonymous Coward]

Have you learnt nothing?

Trolls are everywhere!!!

[Anonymous Coward]

Someone needs to get a handle on these trolls on this site or I'm calling the POLICE!!!!!

I think malda himself might be trolling and I'm SICK OF IT!!!

Re:Impossible

[larry bagina]

An elevated process can also update the encrypted list.

Re:Yeah!

[dreamchaser]

You're so right. We should also leave all of our doors and windows unlocked because face it, a determined intruder will just find a way in, and we could be blocking legitimate friends and family. We might actually have to get up and answer the door!

Re:Yeah!

[symbolset]

Fact: silent browser extension installation is like a browser version of Microsoft's AutoRun. There is no reason why a legitimate extension needs to install without asking the operator for permission any more than a program on a disk or share needs to autorun on mounting the volume.

Re:Yeah!

[jhoegl]

There is such a thing as user fatigue.
If you keep harping at the user about every little thing they will just accept without reading and move on.
So in what way have you empowered the broad user base by adding this?
Treating the symptoms instead of finding the cause is the problem. Although there is no easy way to solve this particular riddle, the solutions provided do nothing to educate and help the user.

Re:Impossible

[TheLink]

This is setting a new intended default behaviour - e.g. extensions should ask permission. If you bypass this it makes it harder to argue that your extension isn't malware.

Most people and the Courts treat things differently depending on whether you broke a lock to enter a place or the door wasn't even latched in the first place.

Re:Yeah!

[Johann Lau]

SOME users experience fatigue and click themselves into deep shit, others pay attention and click themselves out of it.

If you keep harping at the user about every little thing they will just accept without reading and move on.

And what is lost compared to not even having the choice? That's like initializing user_fatigue with the maximum value.

So in what way have you empowered the broad user base by adding this?

As I just said, you give each user the choice how much of an idiot they want to be, instead of forcing ALL users to be idiots.

Re:Impossible

[techno-vampire]

...and aren't malware by any stretch of the imagination.

I don't know about you, but personally I find it hard to believe that any extension that installs itself without notifying the user has that user's best interests at heart. Even if they're not actually malware, they're probably doing something their author doesn't want us to know about and that's enough to make sure that I, for one, would never trust them.

Re:Yeah!

[cbiltcliffe]

When your "lock" consists of a lever with a little sign saying "push this lever if you're supposed to be here" you might as well leave it unlocked....

Re:Yeah!

[VortexCortex]

There is no reason why a legitimate extension needs to install without asking the operator for permission any more than a program on a disk or share needs to autorun on mounting the volume.

Then explain Chrome's silent updates? By your logic there should be no reason why an application would update itself without operator permission -- Why, if it were small part of a larger system it could even bring the entire intranet down. What I see is friction between notification of updates and desire to have less notification noise. IMO, the best answer when there is a choice to make that involves users' usage is to let them decide:
An update for Chrome is available.
( ) Skip this update.
( ) Download the update and ask again later.
(o) Download and Install Automatically

[x] Remember this choice and don't ask again.
____

A plugin update is available for: NotScript
( ) Skip this update.
( ) Download the update and ask again later.
(o) Download and Install Automatically.

[_] Remember my choices for future updates.
[x] Make this the default for all plugins.
____

Status Notification:
42 Updates are being downloaded and installed. [Options...]

I thought we solved this shit in the 70's? You know, with our rocket science... The answer is almost never: Less Choice; It's almost always: Sane defaults & Discoverable options.

See also above comment by: girlinatrainingbra (2738457)