
Google to reject Chrome extensions outside of Chrome Web Store - IBM
http://techcrunch.com/2013/11/07/chrome-on-windows-to-start-rejecting-extensions-from-outside-the-chrome-web-store-in-january/
======
Zikes
There's a comment on the Chromium blog [1] (via magicalist's comment [2]) that
nails this: if security is all they cared about, a signed certificate is all
that's necessary.

Knowing that option exists and persisting with their store-only approach means
they must have an ulterior motive of some sort, most likely control and money.
Ad blockers that target Google Ads will be no more, as well as anything else
that the user might want to use to subvert or circumvent. Extensions will also
have to adhere to Google's moral code, and developers will once again be
beholden to a greater authority in order to operate their business.

Just like with Facebook and the Apple app store, if you build a business on
Google Chrome Extensions you now face having the plug pulled at any time for
any reason, with absolutely no recourse.

[1] http://blog.chromium.org/2013/11/protecting-windows-users-from-malicious.html

[2] https://news.ycombinator.com/user?id=magicalist

~~~
jfoster
Would a signed certificate approach allow them to deny extensions, or not? If
yes, they could still deny ad blockers that way. If no, it is a weaker form of
security than this is.

~~~
Zikes
The alleged reasoning is to stop malware. A signed certificate must come from
an authority willing to put their own reputation on the line, but Google does
not need to be the only such authority.

~~~
haberman
Great! I am the "Definitely Not A Malware Author" certificate authority and I
have signed this "Definitely Not Malware" extension.

~~~
sirsar
Not quite. The DNAMA would quickly lose hard-won reputation once DNM was shown
to be malware. Google not being the only CA doesn't mean everyone gets to be a
CA.

~~~
haberman
> Not quite. The DNAMA would quickly lose hard-won reputation once DNM was
> shown to be malware.

No problem. I am a completely different "Definitely Not A Malware Author 2"
certificate authority and I have signed this "Definitely Not Malware"
extension.

> Google not being the only CA doesn't mean everyone gets to be a CA.

Oh. In that case who gets to decide who gets to be a CA?

~~~
JSadowski
Who decides who gets to be a CA for SSL certs? Similar process. Somehow my
browser doesn't recognize a CA that would allow any random person to pretend
to be Facebook.

~~~
haberman
The web browser authors/distributors decide what root CAs will be included in
their browsers. So in this case concerning Chrome, Google decides.

Which means Google is still in charge, ultimately.

Which means that this digital signature scheme hasn't actually accomplished
anything.

~~~
Zikes
Google controls the entire browser, meaning they are in absolute control,
ultimately. They could inject code into your banking web sites, they could
block all the porn, whatever they want.

The idea isn't that the certificates would wrest control away from Google,
it's that they wouldn't be able to use "omg the malwares" as a shield for
their intentions. If there's a root CA that's handing out certs for malware
extensions then sure, pull the plug, but if the root CA is handing out certs
for ad blockers and Google pulls the plug then it'll be plain as day what
they're doing.

Heck, all the browsers nowadays use extensions of some sort, maybe they could
form a consortium for extension certifications so no one company would be in
complete control. You could bet Mozilla would keep that sort of behavior in
check, at least.

~~~
haberman
> If there's a root CA that's handing out certs for malware extensions then
> sure, pull the plug, but if the root CA is handing out certs for ad blockers
> and Google pulls the plug then it'll be plain as day what they're doing.

Pulling a root CA is no more public than blocking an extension from the Chrome
Web Store. In both cases it is clear that Google has taken the action, and
whoever has gotten blocked can protest it publicly (just like people do now
for Apple App Store rejections). The Chrome Web Store doesn't give Google any
kind of "cover" or "shield."

Additionally, revoking an entire root CA that was letting malware through
(intentionally or unintentionally) would be far more intrusive than pulling a
single extension from the Web Store, because every extension that the CA had
approved would be affected, even if they were not malware.

What annoys me about this entire thread is that the OP (which was voted to the
top of the story's comments) presumes that you can sprinkle some crypto fairy
dust and get just as much security against malware without having to give up
any control. And it goes so far as to assume bad intentions on Google's part
for not doing it. But it's not that easy; crypto isn't a magic wand that lets
you have your cake and eat it too.

> (OP:) if security is all they cared about, a signed certificate is all
> that's necessary.

Um no. It's not that simple.

------
taway2012
I am displeased by this change. Although the Firefox version of my extension
is more work to develop, I will be pouring most of my resources into that in
the future.

I currently have a product that uses a Chrome extension to work. I am
privately beta'ing it out by hosting it on my own website.

Because I don't want to be killed with negative reviews of my unpolished first
version in the Chrome store.

Now I am forced to show my work and suffer brickbats in public even before I
finish it. WTF.

Second =======

And post-Snowden, the Chrome web store publication process is _LESS_ secure
for my users than me hosting the app myself. In the Chrome store, you send
Google your raw source (possibly minimized) files. They will sign it and push
a blob to the end user.
https://developers.google.com/chrome/web-store/docs/publish

AFAIK, there is no way for the end user to have any assurance that the file
being pushed by Google was the file that the developer intended to push.

With a privately-served version, the equivalent of a secret key created by the
developer needs to be compromised to push updates.

Please correct me if I'm mistaken about this.
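
The trust property taway2012 is describing can be made concrete. The Go below is an added example (not code from this thread, from Chrome or from Google) that builds and verifies a CRX2-style package, the packaging format Chrome used at the time: the developer's public key and an RSA signature over the zip travel inside the file, and the extension id is derived from that key, so a zip re-signed by anyone else either fails verification or shows up as a different extension. The zip payload and the keys used to exercise it are constructed for the demonstration; a second key standing in for a re-signing store is a hypothetical.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha1"
	"crypto/sha256"
	"crypto/x509"
	"encoding/binary"
	"errors"
)

// buildCRX2 wraps a zip payload in a CRX2 header signed with the developer's key:
// "Cr24" | version=2 | pubkey len | sig len | pubkey (DER) | RSA-SHA1 signature | zip.
func buildCRX2(key *rsa.PrivateKey, zipData []byte) ([]byte, error) {
	digest := sha1.Sum(zipData) // CRX2 signed SHA-1 of the zip (CRX3 later changed this)
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA1, digest[:])
	pub, err2 := x509.MarshalPKIXPublicKey(&key.PublicKey)
	if err != nil || err2 != nil {
		return nil, errors.New("could not sign payload or encode the developer key")
	}
	hdr := make([]byte, 16)
	copy(hdr, "Cr24\x02\x00\x00\x00") // magic, then version 2 as little-endian uint32
	binary.LittleEndian.PutUint32(hdr[8:], uint32(len(pub)))
	binary.LittleEndian.PutUint32(hdr[12:], uint32(len(sig)))
	return append(append(append(hdr, pub...), sig...), zipData...), nil
}

// extensionID is Chrome's 32-char id: first 16 bytes of SHA-256(pubkey), hex digits shifted to a..p.
func extensionID(pubDER []byte) string {
	sum := sha256.Sum256(pubDER)
	id := make([]byte, 32)
	for i, b := range sum[:16] {
		id[2*i], id[2*i+1] = 'a'+b>>4, 'a'+b&0x0f
	}
	return string(id)
}

// verifyCRX2 checks the payload against the key embedded in the package and returns the id bound to that key.
func verifyCRX2(crx []byte) (string, []byte, error) {
	if len(crx) < 16 || string(crx[:4]) != "Cr24" || binary.LittleEndian.Uint32(crx[4:]) != 2 {
		return "", nil, errors.New("not a CRX2 package")
	}
	pubLen, sigLen := int(binary.LittleEndian.Uint32(crx[8:])), int(binary.LittleEndian.Uint32(crx[12:]))
	if len(crx) < 16+pubLen+sigLen {
		return "", nil, errors.New("truncated header")
	}
	pubDER, sig, zipData := crx[16:16+pubLen], crx[16+pubLen:16+pubLen+sigLen], crx[16+pubLen+sigLen:]
	parsed, err := x509.ParsePKIXPublicKey(pubDER)
	pub, ok := parsed.(*rsa.PublicKey)
	if err != nil || !ok {
		return "", nil, errors.New("embedded key is not a valid RSA key")
	}
	if d := sha1.Sum(zipData); rsa.VerifyPKCS1v15(pub, crypto.SHA1, d[:], sig) != nil {
		return "", nil, errors.New("signature does not match the embedded key")
	}
	return extensionID(pubDER), zipData, nil
}
```

To exercise it, generate a developer key with `rsa.GenerateKey`, call `buildCRX2` and then `verifyCRX2`; the same zip signed with any other key verifies only under a different id, and a modified zip fails outright.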

~~~
ender7
IIRC, the CWS allows you to distribute alphas and betas to a specific set of
users.

~~~
taway2012
Yeah, I looked into that. There doesn't seem to be a way to have a "hidden"
extension whose URL isn't public, but which can be downloaded without signing
into a Google account.

That sucks for people in my network who are being kind enough to test my
software.

Instead of just messaging them on
Facebook/Twitter/Skype/Email/SMS/iMessage/Linkedin with a URL, I need to find
out their Google account and add it to a dashboard and they need to be logged
in before they download.

------
mtgx
The security excuse is BS. Show me the numbers for what an enormous problem
this is, to justify why such an _extreme measure_ is needed, Google!

And even if it does affect a ton of users, I'm sure there are other ways for
Google to fix this, even if not completely. But assuming for a moment this
wasn't a _malicious_ move from Google's part, I'm still angry with the lazy
decision to "just close off non-store extensions" to fix the problem.

Should I expect side-loading to be gone from Android soon, too, Google? Don't
you dare!

The way Android handles this issue is the best possible _compromise_ (there
will always be a compromise between security and freedom - and that's a _great
thing_ ). In Android sideloading is disabled by default, and if a user knows
what he's doing, he'll enable it and do whatever he wants.

So why can't Google do the same with Chrome?! Disable sideloading by default,
but still keep the option in settings somewhere. What's the big deal? Unless
they have a completely different agenda behind this...

Also, I'm not sure, but do Chrome extensions work in Opera or Safari? I think
it's about time we call Google on this and ask them to open up the format, so
other browsers can use the same extensions. The browser _shouldn't_ be
another vector for "lock-in".

------
magicalist
actual source instead of useless TechCrunch filler:
http://blog.chromium.org/2013/11/protecting-windows-users-from-malicious.html

Wasn't this already largely the case? You have to manually download extensions
and then drag them into the extensions manager to install them outside the
store right now, don't you?

The only change here seems to be that now you need a checked "Developer mode"
box in order for that to work. I guess that discourages randomly checking the
box, but if they had just labelled it "Allow third party extensions" it would
make the change seem less overbearing.

~~~
Oletros
Developer mode only allows installing unpacked extensions, no?

~~~
recuter
No. If that's the case I think that's new.

~~~
hayksaakian
This was the case at least a year ago when I was making a Chrome app/extension.

------
zmmmmm
Very disappointing if there is no workaround available to the "ordinary" user.
Enough to make me fully question whether I want to use Chrome at all.

Question: what is the situation with ChromeOS? If this applies to ChromeOS
then it is essentially in the same locked down, anti-competitive state that
the Apple app store is in. It is the main reason I avoid Apple devices and
would pretty much put ChromeOS devices on the same blacklist as well for me.

~~~
chestnut-tree
_"Question: what is the situation with ChromeOS?"_

I don't know, but why would anyone even consider running ChromeOS? The fact
that you have to sign in (with a Google account) gives Google _unprecedented_
opportunity to track your activity in the OS. Even something as simple as
printing to your desktop printer requires sending your documents via Google's
cloud print service.

Imagine having to sign in to Windows or your Mac with your email address and
having to remain signed in always to use the OS. Most of us would be
horrified. I'm just astonished by how little comment is made of Google's
insatiable appetite to track and record online behaviour.

~~~
zmmmmm
I am not concerned about "tracking" very much. I'm not sure what the giant
issue is that you and others have with that (ie: exactly where and what is the
harm you perceive, in concrete terms?).

Btw, new versions of Windows all but force users to sign in with an email
address and then proceed to store all documents by default in SkyDrive. Skype is
turned on and signing out is not allowed, thus you are every minute constantly
advertising your presence and activity to Microsoft. Plus even searching your
hard drive sends the query to Bing and shows ads to you as a result. So I am
not sure Windows is on track to be much better than ChromeOS in that regard.

But while I don't mind the "tracking", I consider freedom essential. An
operating system must allow the freedom to develop applications that are
hostile to the interests of the platform owner. That is the only defence
against a descent into a monopolistic kind of dark ages. Eg: imagine if
Firefox had never been allowed to run on Windows? We'd probably still be using
IE6. New disruptive technologies can only develop when they have the freedom
to do so, and it is rarely in the interests of the incumbents for it to
happen. So this is what I care about far more than the implications for
privacy and tracking etc.

------
Deeehem
This has made me very, very irritated. I was quite upset at the initial change
to preventing installation of third party extensions via a download, but then
I realised it was for the best.

However, to fully remove the ability to install third party extensions is just
ludicrous.

I develop a small Chrome application for internal use at my workplace. The
staff love it, it helps them do their jobs a lot quicker. I don't see any easy
way other than (as mentioned), building Chromium to remove this limit, as has
been done before with crx files.

Might just move to Firefox and take my workforce following with me!

~~~
jfoster
Private extensions are possible via the Chrome Web Store. You can make it
available to anyone with the link, or a list of "trusted testers".

------
JohnTHaller
Let's start betting on when Google starts to squeeze ad blockers through
feature changes or right out of the web store.

~~~
winslow
And Firefox will be there with open arms :)

~~~
throwaway2048
Funded almost solely by Google.

~~~
Encosia
Microsoft would probably be more than happy to take Google's place there, even
if Firefox does compete with IE.

------
makomk
Naturally, extensions that block certain kinds of Google ads (such as YouTube
ads) are not allowed in the Chrome Web Store.

~~~
thesnider
Seriously? What about
https://chrome.google.com/webstore/detail/adblock-plus/cfhdojbkjhnklbpkdaibdccddilifddb
(AdBlock Plus), for instance?

~~~
dingaling
Adblock Plus by default whitelists Google ads.

https://easylist-downloads.adblockplus.org/exceptionrules.txt

------
Newky
So for normal (non-admin) users there is no way to opt-in to this. I can't
understand that.

I don't think anyone would have a problem if this was a simple opt-in system
like downloading unofficial APKs on Android. Only a select few would be
opting in, and those are not the core audience that Google is pretending to be
security conscious about.

Giving no ability to switch on this ability for a normal user makes Google
lose face with the general tech community. I don't understand the reasons
behind this.

~~~
Jochim
Don't you usually want to limit non-admin users from installing things you
don't know about anyway?

~~~
Newky
If this was something that a lot of admin users wanted to restrict from their
users surely Google could have made the complete disabling of this feature
from all users available in the admin panel.

But that should be an opt in feature for the admin.

------
jack-r-abbit
Someone called "Google OS" posted[1] this about installing extensions not in
the web store:

 _The developer option will still work: replace the crx extension with zip,
extract the files to a new folder, go to the Chrome extensions page, enable
developer mode, load unpacked extension and select the folder you've
created._

Sounds like a huge pain in the ass but at least people doing this are less
likely to be in the same group of people that are complaining about malware.

[1] http://blog.chromium.org/2013/11/protecting-windows-users-from-malicious.html

------
dustywusty
Finding it very strange that this change is presented under the guise of
safety, as there are absolutely very malicious extensions currently
circulating on the Chrome Web Store.

~~~
jfoster
They do seem to have very little policing of the Chrome Web Store. It's
actually annoying to have an app on there that is legit, as so many of the top
places in the store are taken up by unscrupulous rip-offs of Super Mario Bros
and Sonic the Hedgehog. I could make some money too by putting classic games
into a JavaScript emulator, plastering the page with ads, and submitting a few
hundred apps (one for each game) to the Chrome Web Store. I'd rather play by
the rules and have Google properly run their marketplace, though.

------
splatzone
Another day, another step closer to Apple.

~~~
Touche
Presumably Chromium has no such restriction.

~~~
jack-r-abbit
I'll admit I don't fully understand the Chromium <=> Chrome relationship. (I
believe that Chrome is Google's browser built on the open-source Chromium
code.) But isn't this an announcement made on the Chromium blog? It would
appear to me that this is going to be in the Chromium source... not just
Chrome. Am I missing something?

~~~
Touche
Not sure if the Chromium binaries have this restriction turned on but it
doesn't matter as someone will compile it without it (probably the official
Linux channels, for instance).

------
BrianEatWorld
Does this really solve the problem?

I imagine most of these complaints come from people who pick up the extensions
via bundling (not opting out of something when installing software). As those
bundles run off of executables with admin privileges in Windows, the last
change was circumvented simply by altering some files in the user's chrome
directory and the registry. I imagine a similar tactic will defeat this
measure. At least before the removal of the third party installation route,
Chrome was able to control the messaging and generate warnings. These changes
are simply pushing the malevolent even further underground.

------
zobzu
Surprise surprise. Closed garden mode.

------
kmfrk
Amazing, an actual reason to consider the Blink build of Opera.

------
Joona
I'm guessing it's time for alternatives then. Has anyone tried the new Opera,
and what other browsers are out there?

Or maybe I'm just overreacting.

~~~
zobzu
Firefox, Chromium.

~~~
SudoNick
I think Mozilla may be headed in the same direction.

Add-on File Registration System:
http://www.ghacks.net/2013/11/01/mozillas-add-file-registration-system-serious-consequences-developers/

Merging of AMO with Firefox Marketplace:
http://www.ghacks.net/2013/10/26/thunderbird-seamonkey-kicked-mozilla-amo/

~~~
jeorgun
In Firefox's case, at least, it's clear that the only motive in doing so would
be genuine concern for the safety of their users— Mozilla wouldn't have any
incentive to stop people installing extensions that hurt their own business
model.

------
hexis
Today's serving of feudal security is brought to you by...

------
fiatjaf
People who have commented so far don't know how blessed this measure is. If
you're a programmer, you probably don't get lots of malware on your computer,
but if you have ever had to use the same Windows PC as your uncle, mother or
brother-in-law, even for a short time, you would know how bad it is to see
huge amounts of malware and changed home pages, new tab pages, default search
engines, everything messed up inside Chrome.

I don't know how these people get all this malware, but it is a fact that they
get it installed. And if you don't have a better solution, Google at least
has a temporary, potentially good one.

------
quasque
Does anyone know if this will include Greasemonkey-style scripts as well?
(e.g. like the ones from userscripts.org)

------
signed0
Just for Windows users.

~~~
lowboy
So far.

I believe that part of Goog's motivation is to stop malware, but part of their
motivation is platform control. I just don't know the proportion.

