Hacker News new | past | comments | ask | show | jobs | submit login

Those 'standard extensions' are pointless though, aren't they? Capable of absolutely nothing of importance? They're just scraps of HTML and some CSS with extreme limitations on what they can access is my understanding. If Chrome has a security hole that AV vendor X knows about, would such an extension have the power to prevent Chrome from loading it and getting exploited anyway?



> If Chrome has a security hole that AV vendor X knows about, would such an extension have the power to prevent Chrome from loading it and getting exploited anyway?

Very probably yes. One of the best ways to fend off viruses is ublock, after all.


In principle an AV extension could read the scripts on a page and either analyze them there (or background web worker or something) or (if the APIs allow) pass them off to the native AV process for examination; it could theoretically be useful to go beyond simple blocklists and try to identify badly behaved or malicious scripts before they actually get executed in the users browser.

Unfortunately, AV vendors have not really demonstrated the ability to do anything like that in a reliable or secure way.


They can message between native applications (e.g. the AV software) and Chrome. They can also inject scripts into every page (something AV software loves doing for some reason).

If Chrome has a security hole that the AV vendors know about then they can fix it at source. This is a lot more robust than opening a giant hole in Chrome's sandbox in order to insert its own code inside.




Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact

Search: