
It's true that AV software has root so it can always win but it's hard for AV vendors to claim they're making legitimate software if they enter into a very public arms race to crack a browser's security.

And all just so they can put an extra bullet point on their marketing. It'd be easier and less damaging just to make a standard extension.




FYI: Chrome did the same thing with the OS Security.

On Windows and on most OSs, software is installed in a location that the standard user doesn't have write access to, and you require root/admin authorization to install. Chrome bypasses the OS security by installing itself in a way so that it can auto-install software/updates without the explicit consent of the user. If all software did this, it would soon be a security nightmare.


Those 'standard extensions' are pointless though, aren't they? Capable of absolutely nothing of importance? They're just scraps of HTML and some CSS with extreme limitations on what they can access is my understanding. If Chrome has a security hole that AV vendor X knows about, would such an extension have the power to prevent Chrome from loading it and getting exploited anyway?


> If Chrome has a security hole that AV vendor X knows about, would such an extension have the power to prevent Chrome from loading it and getting exploited anyway?

Very probably yes. One of the best ways to fend off viruses is uBlock, after all.


In principle an AV extension could read the scripts on a page and either analyze them there (or background web worker or something) or (if the APIs allow) pass them off to the native AV process for examination; it could theoretically be useful to go beyond simple blocklists and try to identify badly behaved or malicious scripts before they actually get executed in the user's browser.

Unfortunately, AV vendors have not really demonstrated the ability to do anything like that in a reliable or secure way.


They can message between native applications (e.g. the AV software) and Chrome. They can also inject scripts into every page (something AV software loves doing for some reason).

If Chrome has a security hole that the AV vendors know about then they can fix it at source. This is a lot more robust than opening a giant hole in Chrome's sandbox in order to insert its own code inside.
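An added example, not part of any comment in this thread: the native side of the extension-to-native-process hand-off mentioned above, using Chrome's native messaging framing (a 32-bit length in native byte order followed by UTF-8 JSON). The message shape, the blocklist contents and the size cap are assumptions made for the sketch.

```python
import hashlib
import json
import struct

MAX_FRAME = 1024 * 1024  # assumed cap for this sketch; larger frames are rejected
# Constructed sample blocklist: SHA-256 of a placeholder "bad" script body.
BLOCKLIST = {hashlib.sha256(b"constructed-bad-script();").hexdigest()}


def read_message(stream):
    """Read one frame: 4-byte native-endian length, then UTF-8 JSON."""
    header = stream.read(4)
    if not header:
        return None  # the browser closed the pipe
    if len(header) < 4:
        raise ValueError("truncated length header")
    (length,) = struct.unpack("=I", header)
    if length > MAX_FRAME:
        raise ValueError("frame exceeds cap")  # refuse before allocating
    body = stream.read(length)
    if len(body) != length:
        raise ValueError("truncated body")
    msg = json.loads(body.decode("utf-8"))
    if not isinstance(msg, dict):
        raise ValueError("expected a JSON object")
    return msg


def write_message(stream, obj):
    body = json.dumps(obj).encode("utf-8")
    stream.write(struct.pack("=I", len(body)) + body)


def verdict(msg):
    """Hypothetical message shape: {"url": str, "script": str}."""
    script = msg.get("script")
    if not isinstance(script, str):
        return {"action": "error", "reason": "missing script"}
    digest = hashlib.sha256(script.encode("utf-8")).hexdigest()
    return {"action": "block" if digest in BLOCKLIST else "allow", "sha256": digest}


def serve(inp, out):
    """Answer frames until EOF; returns the number of messages handled."""
    handled = 0
    while (msg := read_message(inp)) is not None:
        write_message(out, verdict(msg))
        handled += 1
    return handled
```

A real host would call `serve(sys.stdin.buffer, sys.stdout.buffer)`, since the browser talks to the native process over its standard input and output.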



