
Chrome Remote Desktop for Linux - vfclists
https://productforums.google.com/forum/#!category-topic/chrome/8PMxG69VJ6o
======
AaronFriel
Do features like Chrome Remote Desktop give anyone else goosebumps?

I love that Chrome automatically updates with security and performance
updates. But as an IT professional and someone who is security conscious, it's
concerning that users' web browsers automatically install new attack vectors.

I'm sure the NSA, every other three letter agency, and skillful botnet
programmers and hackers are just tickled that Chrome is opening up new avenues
for infection.

Here's the how-to if you have some spare Google account credentials:

1. Install Chrome and sign in with target's credentials

2. Enable Chrome extension sync

3. Install Chrome remote access extension

4. Wait

5. ???

6. Profit!

Welp, at least Chrome for Windows has group policies to control (some) of
this, but the policies often lag behind the new features. Chrome for Linux
users? I guess they're SOL. Hope your company's administrators have init.d
locked down or something to prevent Chrome from installing its hooks into your
system during a regular apt-get/yum update.

_Edited in P.S.:_ Google, are you there? Are you listening? As a system
administrator, what would tickle me would be the ability to freeze the attack
surface area of users' machines. i.e.: they can't install new extensions and
apps, they won't have any features that add new remote access features
enabled, etc. I would like to be able to say, "I trust my ability to lock down
Google Chrome 37", configure that, and not have to worry about an automatic
update annihilating my security policies.

Finally, automatic extension updates give me the creeps. At any moment, _bam_,
suddenly my users' harmless extension is now owned by Shady Joe's Botnets
'R' Us, and their passwords, web traffic, and safety are compromised.

~~~
SergeyUlanov
Hello, I'm one of the engineers on the team.

Extension sync doesn't automatically enable remote access to your machine.
The user must explicitly enable access on each machine that needs to be accessible
(and to do that the user must be an administrator).

Also the remoting service needs to be installed separately from chrome - it's
not part of the extension. It's not possible to package native binaries with
chrome apps/extensions, by design (except for NPAPI plugins, but extensions
with NPAPI plugins are not synced and NPAPI support is being removed from
Chrome).

On Linux you can disable automatic updates of both Chrome and CRD. Just set
repo_reenable_on_distupgrade to false in /etc/default/google-chrome and
/etc/default/chrome-remote-desktop
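
A way to verify the setting named in the comment above on a managed machine, as an added example that is not part of the original thread or Google's own tooling. It assumes the two files are shell-style `KEY=value` files in which the last uncommented assignment wins; the function names are made up for this example.

```shell
#!/bin/sh
# Added example: report the effective value of repo_reenable_on_distupgrade
# in /etc/default-style files (assumed to be shell KEY=value assignments).

KEY=repo_reenable_on_distupgrade

# effective_value FILE -> prints the last uncommented assignment of $KEY,
# "unset" if there is none, or "missing" if FILE cannot be read.
effective_value() {
    [ -r "$1" ] || { echo missing; return 0; }
    # Drop trailing comments and whitespace, then one layer of quotes.
    val=$(sed -n "s/^[[:space:]]*${KEY}=//p" "$1" | tail -n 1 |
          sed -e 's/[[:space:]]*#.*$//' -e 's/[[:space:]]*$//' \
              -e 's/^"\(.*\)"$/\1/' -e "s/^'\(.*\)'\$/\1/")
    echo "${val:-unset}"
}

# audit FILE... -> one line per file; returns 1 if any file is not "false".
audit() {
    rc=0
    for f in "$@"; do
        v=$(effective_value "$f")
        if [ "$v" = false ]; then
            echo "OK    $f: $KEY=false"
        else
            echo "CHECK $f: $KEY is $v"
            rc=1
        fi
    done
    return $rc
}

# Default to the two paths named in the comment; pass other paths to override.
[ $# -gt 0 ] || set -- /etc/default/google-chrome /etc/default/chrome-remote-desktop
audit "$@" || echo "at least one file does not set $KEY=false"
```

A commented-out line or a later reassignment back to another value is reported as CHECK, which is the case a package upgrade that rewrites the file would produce.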

~~~
AaronFriel
If I could still edit it, I would correct my post to say that a user that has
not activated remote desktop does have to enable it manually.

But there is still _no way_ to control Chrome's surface area in the future,
and features like this give me the heebie-jeebies. Two things:

1. Users that have already enabled Chrome Remote Desktop don't need to
authorize the set of computers that can access it remotely. You authorize one
endpoint, but not the other. And since Chrome will occasionally install new
extensions and apps in its regular updates, there's no notification for a lay
user to know why they got "Chrome Remote Desktop". For that matter, anyone
with access to a Google account can leverage one Chrome sync feature to gain
access to others (mainly: from an extension into completely owning their
machine), allowing them to leverage Google account access into a much greater
vulnerability on remote physical machines. Passwords, open tabs, history, form
data, credit card information.

Let me walk you through this. Alice is using her computer at work. Eve has
obtained Alice's credentials, and sets up a Chrome account on a machine and
enables full sync, and installs the Chrome Remote Desktop extension on her
computer.

Alice sees a new extension appear on her computer. Why is it there? Alice is
never informed, and Google adds new apps and extensions with updates
occasionally, so Alice proceeds to install Chrome Remote Desktop. Why not?
Chrome seemed to think it was safe to put on her front page or in her app bar.
Eve can pin it to her bookmark bar with a title like "Connect from home!", or
even install multiple bookmarks to do this:

"Connect from home" "now today" "with Google Chrome" "Remote Desktop!"

Now it's just a matter of time. Eve could also use her access to the account
to synchronize new extensions silently and in the background, allowing them to
siphon off passwords and credit card numbers, even if Alice disallowed those
items from synchronizing. Extensions are simply _too powerful_ and the
automatic update feature makes every extension from a third party developer a
ticking time bomb.

2. You don't really offer a great way of blocking increases to the attack
surface area of Chrome. You offer a way to totally turn off all _Google
Chrome_ automatic updates, but woe is the administrator that tries to use your
policy tools to lock down Chrome. As Chrome is becoming an operating system
unto itself, I find myself at a loss to understand why policies for this new
operating system lag behind. Your suggestion doesn't prevent Chrome from
automatically updating or synchronizing new extensions, and doesn't provide
the average user with protection from a hijacked Chrome account. Disabling
Chrome's automatic updates, if anything, makes them _less secure_.

No, what I want is the ability to lock Chrome's surface area to a particular
version, not lock Chrome to the version itself. I want to see ways to limit my
liability as an administrator to what I know and understand - and the Chrome
team seems to think they know better than I do how to keep lay users safe. I
disagree - given the fact that me, the security paranoid user, has already
been bit by Chrome's security policies, I have no hope that they will avoid
the same fate.

~~~
lern_too_spel
Now it's just a matter of time for what? For Alice to enable remote access on
her machine and set the mandatory pin? How does this help Eve?

Moreover, your scenario presupposes that Eve has Alice's Google credentials.
At that point, Alice is already owned. Given that most of a user's information
is online instead of on a particular device these days, accessing Alice's
desktop is not significantly useful. Eve can already pretend to be Alice and
send trojans to her friends and then pretend to be Alice's friends and send
trojans to her.

------
isaacdl
I wish there was a better way to deal with screen resolution. I know that
scrolling is a pain, but I'd still prefer it to default to the resolution of
the physical display attached to the host computer. (Actually, I'd _really_
prefer it to adopt the resolution of the client machine, a la MS Remote
Desktop, but that probably introduces a lot of complexity).

~~~
stinos
_I'd really prefer it to adopt the resolution of the client machine_

Even broader: any resolution you want. I genuinely have always wondered what
is at the bottom of this problem. Why is it that on an otherwise so versatile
and configurable OS it is seemingly so hard to change the resolution when
logged in remotely? Is it something in X that makes it like that? Was it
originally never meant for headless use? Having used, and cursed the fixed
resolution of, VNC for years I still remember the first time I used rdp on
Windows, my jaw was like on the floor. That is how it should be: logging in
without being bound to a hardware screen, and in a separate session (latter
needs a fix though since the default client on non-server windows doesn't
allow it)

~~~
laymil
There are several versions of VNC that support xrandr resizing. Arch documents
this working with TigerVNC [0]. Additionally, you can use xrdp + x11rdp.

[0] https://wiki.archlinux.org/index.php/xrandr#Using_xrandr_with_VNC

------
hocuspocus
I'm really confused. I've been using this extension to take remote control of
my mom's computer, running Ubuntu, for like 2 years or so. And it didn't
require installing a .deb besides the extension. Am I missing something?

------
skizm
Finally. Now all 3 of my environments are now supported. I can start
downloading games/movies at work and get home to a fully installed game or
movie ready to go.

~~~
brunoqc
You could use a torrent client with a web interface and Steam's remote install
feature.

------
vfclists
This is the first time I got to know about it from frequenting r/Chrome for
help with customization.

Just like almost all Google products it looks like it requires both parties to
be logged into their Google accounts, so concerns about Google's privacy
policies are still valid with it.

PS. Does it use websockets?

------
tdicola
Nice to see this was finally added. I remember trying this when I got a
Chromebook earlier in the year and was really surprised and puzzled to see the
lack of support on Linux. There's even a year+ old thread about it that didn't
look good:
https://productforums.google.com/forum/#!topic/chrome/VT2_wLZ3ppc
Great to see support now!

------
jebblue
I tried it, had issues installing it, here's what I did:

1) Tried sudo dpkg -i chrome-remote-desktop_current_amd64.deb 2) It complained
about missing dependencies. 3) I tried aptitude and one of its choices was to
remove the Linux kernel, nah. 4) So I ran my trusty Synaptic and it
immediately detected the broken package, I clicked Fix, Apply, and it worked
fine.

It seems quite responsive.

------
bitL
How does this differ from running a VNC client inside _any_ browser?

~~~
vfclists
It probably has its own intermediate proxy which doesn't require firewall
configuration? It is probably better optimized as well.

~~~
panzi
It probably has its own intermediate proxy with a "lawful" intercept interface
(i.e. pipes everything to the NSA). Well, I wouldn't be surprised if that
conspiracy theory would be true.

~~~
masto
I wouldn't be surprised if that's a load of bullshit.

~~~
panzi
Well, I don't know about that, but it is law that services over a certain size
have to have a lawful intercept interface (e.g. Skype has one) and it is known
that this interface gets abused by secret services.

------
chambo622
Awesome to have this, will definitely set this up on my desktop.

Kind of crazy that this got released and we still don't have a Google Drive
client for Linux.

------
darkstar999
Anyone know how to get this running on Linux Mint?

~~~
fiatjaf
https://plus.google.com/+NickMossie/posts/TB32wTtMSZS

------
seanmcelroy
What an interesting way to encourage users to stay logged into Chrome all the
time. Who needs cookies anyway?
http://online.wsj.com/news/articles/SB10001424127887324807704579083723267549160

~~~
LeoPanthera
Ironically, that story is behind a paywall.

------
aceperry
Yeah baby!!! For _LINUX_, woot!

Love it when linux gets cool tools like that.

