Google Chrome 25 Will Disable Silent Extension Installation 121
An anonymous reader writes "Google on Friday announced that it is changing its stance for silently installing extensions in its browser. As of Chrome 25, external extension deployment options on Windows will be disabled by default and all extensions previously installed using them will be automatically disabled."
Yeah! (Score:1, Offtopic)
Re:Yeah! (Score:5, Informative)
Whats to get excited about, this just causes problems for legitimate extensions.
Fact: Dirty/Malware extensions can work around it by just sitting whatever flags need to be set where ever they need to be set to make Chrome think they are approved.
Fact: Legit extensions installed with other software will now at the minimum need an annoying popup to allow them, or worse, digging through menus to figure out how to term them on instead of 'just working'.
Fact: Google will exempt itself from this practice.
As someone who wrote extensions for Firefox until we got tired of supporting its broken every release API, it was trivial to work around this sort of crap with firefox, the same will be true of Chrome.
Re:Yeah! (Score:5, Insightful)
You're so right. We should also leave all of our doors and windows unlocked because face it, a determined intruder will just find a way in, and we could be blocking legitimate friends and family. We might actually have to get up and answer the door!
Re:Yeah! (Score:4, Insightful)
If you keep harping at the user about every little thing they will just accept without reading and move on.
So in what way have you empowered the broad user base by adding this?
Treating the symptoms instead of finding the cause is the problem. Although there is no easy way to solve this particular riddle, the solutions provided do nothing to educate and help the user.
Re:Yeah! (Score:5, Insightful)
SOME users experience fatigue and click themselves into deep shit, others pay attention and click themselves out of it.
And what is lost compared to not even having the choice? That's like initializing user_fatigue with the maximum value.
As I just said, you give each user the choice how much of an idiot they want to be, instead of forcing ALL users to be idiots.
Re:Yeah! (Score:5, Interesting)
How many extensions do you think the average user wants/needs? I really don't see fatigue being much of an issue with browser extensions. A user should only be seeing a couple of warnings a year.
If the click through presents a warning and defaults to No, then users are much more likely to opt-out, clicking themselves to safety. Even better if there's a 'don't let this site bother me again' option.
Re:Yeah! (Score:5, Interesting)
Same here, so don't ask me :P
I think saying "user fatigue!" is really just the last FUD straw of someone who doesn't like that Google made an innocent good move for a change. There is nothing wrong with this change, which is why the "arguments" against it are so desperate and funny. I can sympathize with that, I'm all for being unfair to Google haha, but this is too much of a stretch.
Fuck "user fatigue" - unless you mean being tired of users, then more power to you, of course. Look out for the disabled, for those who need help, and of course streamline stuff where it makes sense. But fuck catering to lazyness and mindlessness. If most people are lazy then most people are obsolete. I don't think they are, but that's what I respond to that argument. Ignore them now before they feel even more entitled. Personally, I'd be all for hunting them down (not being lazy and all that), but I am willing to compromise.
Re: (Score:2)
I really don't see fatigue being much of an issue with browser extensions. A user should only be seeing a couple of warnings a year.
This is chrome we are talking about here. They've probably made 3 major releases just since they announced this feature in release 25. I mean how long has Chrome been around? The only software version that has a higher number than Chrome is Windows 98.
Re: (Score:3)
Re: (Score:2)
Yeah, why not. I'm all for making it easier to make responsible, conscious decisions, and to automate tasks based on those conscious decisions... it's the "let's make it so easy nobody even has to think" bits I have issues with, or the "let's measure people and give them more about they already have (or: let's put people into bins and then normalize those bins)". It's degrading, it has no good motivations and no good results.
Re: (Score:2)
Re: (Score:2)
Re:Yeah! (Score:5, Insightful)
When your "lock" consists of a lever with a little sign saying "push this lever if you're supposed to be here" you might as well leave it unlocked....
Re: (Score:2)
Yes, but the lever would be on the INSIDE side of the door.
Re: (Score:3)
Re: (Score:2)
That's sensible, for the lack of anything resembling a Linux distribution's repository for Windows. I've before been told here on /. that "Google is your repository/app centre" - i.e. search for the software on Google and download it. That's just the way it goes in the Windows world. And to get Firefox, I happen to know to go to getfirefox.com but if I need say a pdf reader (not that bloated pos from Acrobat) then I'd also just go to Google, and select one or two of the top rated results, download it, run i
Re: (Score:2)
Well, you could always follow the NRA's advice and get a gun and shoot everyone who walks through the door. You gotta gun, you don't need locks.
Re:Yeah! (Score:5, Insightful)
Re: (Score:1, Funny)
Fact: saying fact before a statement makes it an inarguable universal truth.
Pro-tip: use the Fact: prefix before making stating any opinion in an online forum.
FWIW I happen to agree. But for $DEITY's sake, just state your case.
Re: (Score:3)
Fact: saying fact before a statement makes it an inarguable universal truth.
Pro-tip: use the Fact: prefix before making stating any opinion in an online forum.
FWIW I happen to agree. But for $DEITY's sake, just state your case.
Try reading the GP comment for the reason.
Hint: he (Symbolset) is responding to that poster's arrogance.
Hint #2: the GP's comment states 3 "facts" as though stating such that makes them inarguable truths.
FWIW, I agree that it's bad form, but it was a response-in-kind that you replied to.
Cheers
Re:Yeah! (Score:5, Funny)
Pro-tip: use the Fact: prefix before making stating any opinion in an online forum.
And adding the "Period" suffix after your opinion makes it a universal truth. Period.
Re: (Score:3)
Re: (Score:2)
This. Adding 'this' always makes the parent true.
"Yields falsehood when preceded by its quotation" yields falsehood when preceded by its quotation.
Re: (Score:2)
Fact: Using Fact and Period makes your point even more universally true. Period.
Re: (Score:2)
Pro-tip: use the Fact: prefix before making stating any opinion in an online forum.
And adding the "Period" suffix after your opinion makes it a universal truth. Period.
I don't believe you.
Fact: Your statement was not prefixed with the appropriate "Fact:" flag and is therefore untrustworthy. End of line.
Adding end of line at the end of your line makes you sound like you are the MCP. End of line.
Re: (Score:3)
Re: (Score:1)
So install the old version again? Really, not that hard. Of course, the old version most likely doesn't have security fixes, and the extensions you have can easily be updated, but where's the fun in that?
Re: (Score:2)
Re: (Score:2)
Re: Comodo Dragon (Score:2)
.
The wikipedia page on it ( http://en.wikipedia.org/wiki/Comodo_dragon [wikipedia.org] ) has more info about chromium vs. comodo though the last two items look like they were respun by someone who prefers google chromium, while comodo's page ( http://forums.comodo.com/help-cd/how-is-dragon-better-t67998.0.html [comodo.com] ) points out that google keeps track of the time it was installed (the better
Re: (Score:2)
Dragon removed Privalert (Score:2)
Privalert lasted all of about a week. They pulled it for "stability" reasons with an auto-update. https://forums.comodo.com/news-announcements-feedback-cd/23400-update-removes-privalert-t89212.0.html [comodo.com]
I suspect the real reason they pulled it was that many people pointed out it was exactly the same as Ghostery but without Ghostery being given any credit. Exact same process flow, exact same number of items in the blocklist, despite their CEO claiming on their forum that it was entirely their own code and entire
Re:Yeah! (Score:5, Insightful)
There is no reason why a legitimate extension needs to install without asking the operator for permission any more than a program on a disk or share needs to autorun on mounting the volume.
Then explain Chrome's silent updates? By your logic there should be no reason why an application would update itself without operator permission -- Why, if it were small part of a larger system it could even bring the entire intranet down. What I see is friction between notification of updates and desire to have less notification noise. IMO, the best answer when there is a choice to make that involves users' usage is to let them decide:
An update for Chrome is available.
( ) Skip this update.
( ) Download the update and ask again later.
(o) Download and Install Automatically
[x] Remember this choice and don't ask again.
____
A plugin update is available for: NotScript
( ) Skip this update.
( ) Download the update and ask again later.
(o) Download and Install Automatically.
[_] Remember my choices for future updates.
[x] Make this the default for all plugins.
____
Status Notification:
42 Updates are being downloaded and installed. [Options...]
I thought we solved this shit in the 70's? You know, with our rocket science... The answer is almost never: Less Choice; It's almost always: Sane defaults & Discoverable options.
See also above comment by: girlinatrainingbra (2738457)
Re:Yeah! (Score:4, Funny)
Re: (Score:1)
There is no reason why a legitimate extension needs to install without asking the operator for permission any more than a program on a disk or share needs to autorun on mounting the volume.
Then explain Chrome's silent updates?
Chrome specifically asks to install itself (and make subsequent updates). Your argument makes no sense.
Re: (Score:1)
The malware extensions only can do anything if they are already running. I'd expect Chrome to check the extensions before starting them.
Re: (Score:2)
Fact: Google will exempt itself from this practice.
Fact: TFA doesn't say this. Please back up your personal believes before stating them as if they were facts.
More importantly; this is all a trust issue. Chrome is Google's browser. Assuming Google trusts itself, I can see why they would exempt themselves.
I have a lock on my door to keep unwanted people out, but I have given myself a key to get in whenever I want because I trust myself not to steal from myself.
Re: (Score:2)
It's a matter of principle. Windows doesn't automatically allow something to be run if it's signed by Microsoft, neither does OS X, as far as I've seen.
Re: (Score:2)
"Legit extensions installed with other software"... Like that bullshit Ask Toolbar that got silently installed into Chrome when I loaded some crappy unrelated shareware the other day? Yeah, the world is sure going to lose out when that kind of anti-social behavior is made more difficult.
I can't think
Re: (Score:2)
All my extensions were disabled by the dev channel when that update came through. It gave me a messagebox when it ran the update letting me know it disabled them, and it doesn't give you a way to re-enable them. You do have to dig through the menu to re-enable them. This is after a previous version already made it so to distribute them internally you had to save the crx file, open the extensions page, and drag it on there.
I understand the point is security, but they're making legit purposes harder to deal w
Check out the Chrome 82 Beta (Score:1)
It's pretty awesome.
I'm on Chrome LightSpeed (Score:1)
Chrome 299729548 is even better.
Re: (Score:1)
Dark Helmet: No, no, no, light speed is too slow.
Colonel Sandurz: Light speed, too slow?
Dark Helmet: Yes, we're gonna have to go right to ludicrous speed.
Impossible (Score:5, Insightful)
How exactly can they block silent installs if the process that wants to add the extensions has the same rights as Chrome -- or strictly higher? The other program can emulate whatever way Chrome uses to mark something as legitimately installed.
It's only a feel-good measure, that can stop only "nice" extensions which would play by the rules in the first place, and does nothing against malware or the operating system itself (looking at you, Microsoft).
Re: (Score:1, Insightful)
Because the solution isn't perfect we should do nothing at all instead.
Re: (Score:2)
Re: (Score:3, Insightful)
Re: (Score:1)
we learned allready, that DRM will and CANNOT possibly work ;)
Re: (Score:2)
They do have all encryption keys Chrome could possibly have -- and if they'd be stored remotely, they are in the same position wrt asking Google's servers.
Re:Impossible (Score:5, Insightful)
Re: (Score:3, Interesting)
One way is to keep record of installed plugins by user interaction on google server and recall the list and compare extension lists on startup.
Another way is to sign the extensions with a special per user key that is kept on google server. If key may also be kept on the user pc but needs a public private key signing system. The signing and reading key needs to be created on user plugin installation with all plugins re-signed with new signing key and then that key is destroyed leaving only the reading key. T
Re: (Score:2)
Re:Impossible (Score:5, Insightful)
Most people and the Courts treat things differently depending on whether you broke a lock to enter a place or the door wasn't even latched in the first place.
Re: (Score:2)
Except that your average malware toolbar does ask for permission when whatever software it is attached to is being installed. It will just helpfully save you from having to do another step, after you click "ok" to "install and enable XXX?".
Re: (Score:2)
Why would malware in the system itself bother with a Chrome extension? What does that give you that you don't already have? Honest curiosity.
Nah. There are plenty of "hey, it's just some ads/game/whatever, we from value add corp LOVE our customers!" extensions. Of course they're not "nice", but they otherwise use the standard process for extensions, and aren't malware by any stretch of the imagination.
Re:Impossible (Score:4, Insightful)
I don't know about you, but personally I find it hard to believe that any extension that installs itself without notifying the user has that user's best interests at heart. Even if they're not actually malware, they're probably doing something their author doesn't want us to know about and that's enough to make sure that I, for one, would never trust them.
Re: (Score:2)
That still doesn't make them malware in the stricter sense (all malware is evilware, but not all evilware is malware) Certainly when talking about bypassing the browser via having the OS infected.. if you have *that*, you can do anything; sure it'd be *nicer* to have an extension that makes grabbing web passwords super simple, but you don't really *need* it; you can already monitor all traffic, take screencaps, log keys, do whatever.. so what's the point of using root to install a chrome extension?
I honestl
Re: (Score:2)
I hate it as much as you do, but just to play Devil's advocate for a moment I can at least understand why an app like Adobe Reader might install a plug-in. When a normal user installs an app they expect certain things to just work, such as double clicking on a PDF opening in the PDF reader they just downloaded. So from Adobe's point of view it makes sense to allow PDFs on the web to open natively in the browser too.
As to why they don't ask if you want it my guess would be that they don't think users will un
Re: (Score:2)
Re: (Score:2)
The typical scheme on Windows is, one of ten "Ok" dialogs during installing an unrelated piece of software instead says "install Bonzi Buddy Toolbar", and you need to read them all carefully and press "cancel" instead, which most people fail to do. Or often, it's just a pre-checked check box on a long page.
All that will change is that the question instead of "install BBT?" will be "install and enable BBT?".
Re: (Score:3)
You can't. But this will interfere with network Administrators implementing a technical policy of pre-deploying specified extensions for all users.
The only solution I can think of right now is to ban Chrome; and only allow IE or Firefox; which will allow admin-deployed extensions.
Re: (Score:2)
It's only a feel-good measure, that can stop only "nice" extensions which would play by the rules in the first place, and does nothing against malware or the operating system itself (looking at you, Microsoft).
Most of the crap toolbars people install for internet explorer are semi legitimate... They can be removed, often, you install program X it'll ask you if you wish to add toolbar Y to IE. The guys behind these toolbars pray on the fact that people forget to click, don't install this useless crap toolbar...
Raising the bar and forcing people to make the actual choice is a good idea.
Most of these toolbars are not removed by Anti virus, because they are perfectly legal, Yahoo toolbar is a good example.
Grante
I'm not sure I understand... (Score:1)
Re: (Score:2)
Means you have to update the version number.
I suggest adding a 3000.
Because that's cooler.
Actually, you've hit on a good idea. Just like Netscape Navigator skipped from version 4.7 to 6 so they could jump ahead of Internet Explorer 5, Firefox should return to that practice. The next version of Firefox should be 29. Then they will be forever cooler and more modern than Chrome.
I'm serious.
Re: (Score:1)
Actually, they could restrict version numbers to be prime numbers afterwards, then they will appear to progress much faster. ... thinking about it, they probably would soon reach primes so large that they would face export restrictions from the version number alone. :-)
Although
Re: (Score:1)
no. 42 or 1337
Re: (Score:2)
Actually, you've hit on a good idea. Just like Netscape Navigator skipped from version 4.7 to 6 so they could jump ahead of Internet Explorer 5...
I'm guessing you weren't around at the time, because there were in fact two versions of Netscape 5.0 [wikipedia.org], which you could download and play with (and I did; and I therefore take serious issue with the implication by the Wikipedia article that no binaries were ever built/released).
In any case, you're wrong. NS 5.0 was scrapped because they junked the the old codebase. NS 6.0/Mozilla (the latter of which eventually became Firefox) was a complete rewrite.
That UI is getting tired. Anyone agree? (Score:2)
While I love the Google's Chrome browser, it is my opinion that its UI is getting tired. Anyone agree? A refresh wouldn't do any harm at this point. Would it?
Re: (Score:3, Insightful)
Have you learnt nothing?
Re: (Score:1)
To be frank, I don't know what other UI you could implement. It's a web browser. It has some tabs and some forward and back buttons and a giant viewport.
Re: (Score:3)
No. I'm not wild about the three-bar option button, but the rest is OK.
Re: (Score:2)
NO.
If you want constant UI refreshes, there's Firefox. Please don't mess up the only remaining sane browser.
Trolls are everywhere!!! (Score:4, Insightful)
Someone needs to get a handle on these trolls on this site or I'm calling the POLICE!!!!!
I think malda himself might be trolling and I'm SICK OF IT!!!
Re:Adware? (Score:5, Interesting)
It should. The add-ons can be dumped into the folders, but the browser will leave them disabled and non-functioning until you manually enable them. At least until the adware makers start figuring out how to dig into the internals of the browser config files and modify things directly to convince the browser the add-ons have already been enabled. That's doable but not simple, so I expect it'll take a while for that to become common. And there's simple methods the browser can use to make that modification even more difficult, eg. tagging each enabled extension with an encrypted hash of the extension's file so that the adware would have to find the browser's encryption key before it could successfully modify the configuration.
Note that none of these will do anything about add-ons that convince the user to manually install them.
Re: (Score:2)
Version 25? (Score:2)
What the hell. Since 2008?
Who the hell does their versioning? That's just pathetic.
Re: (Score:1)
i am still in for versionschemes like this: yyyymmdd.hhmm-optionaltext/branch/whatever
Re: (Score:1)
Fortunately, it's just you.
Re: (Score:2)
Will they also stop installing into Firefox? (Score:1)
I will not trust in Chrome until they stop adding their plugin into Firefox.
If they care so much about what's run inside Chrome, why do they inject their Google Updater into Firefox and put their update code in a bazillion places?
Yes, they say that it's mean to always have the latest version available, but if I'm not using it daily, why should I waste CPU cicles and bandwith trying to upgrade it until I use it?
I have Chrome installed only because I need to use it for testing, but I strongly dislike
Limiting user choice. (Score:1)
Re: (Score:2)
I think we've entered the happy period of time when all three major browsers are pretty much equal, and users can pick which on they want to use based purely on aesthetics and functionality.
IE10 is pretty competent, I just can't stand its UI, and I have a historical bias against it. I also worry that MS with withhold updates from people who don't buy their newest OS at some point.
Firefox is okay. It feels a bit clunky to me, but that probably is subjective. I don't really trust Mozilla's development cycl