

Q2 Summary from Chrome Security - pdknsk
https://groups.google.com/a/chromium.org/forum/#!topic/chromium-dev/ASLmY69v4Hk

======
pdknsk
> Plans for Q3 include reinvigorating participation in the rewards program
> through a more generous reward structure and coming up with clever ways to
> keep researchers engaged.

------
higherpurpose
Glad to see Chrome continues to focus on security so much, but can you please
roll back the "extensions can only be installed from the store" change? It
removes a major user feature for very little security benefit, and you know
it.

I understood why you removed user script support. I understood why you made
3rd party extensions to be installed only with drag and drop on the Extensions
page. I even understood why the user had to enable Developer Mode to do it.
But this one I really don't understand. The trade-off just doesn't come out
positive for the user.

The developer mode should be more than enough to stop malicious extensions
from auto-installing. And if it isn't, I'm sure you can find a workaround,
such as Developer Mode creating a Windows prompt, or even password protecting
it.

But I want to be able to sideload extensions again. Android allows it, and it
has 3x the market share of Chrome, while it continues to grow, and Mac OS
allows it, too - and I think both of their apps can be much more dangerous
than a "rogue Chrome extension".

So the reasoning for allowing Chrome extensions to be installed only from the
store because it "increases security", with the very big trade-off for the
user of not being able to install extensions Google might not approve of, is a
very weak one.

So roll it back. The change was made to serve Google's interests more than
those of the user, under the misleading reasoning of increased security, when
in reality it doesn't improve much over having to activate Developer Mode, or
it could _easily_ be fixed in some other way.

