Google To Warn of Chrome Extensions From New or Untrusted Developers (therecord.media) 13
Google says it will scan the extensions users install in their Chrome browsers and warn users if they are adding an extension from a new or untrusted developer. From a report: The new extension scanning feature will be part of a Google security feature called Enhanced Safe Browsing, which Google added to Chrome in May last year. Google says trusted developers are those who adhere to the Chrome Web Store Developer Program Policies. "For new developers, it will take at least a few months of respecting these conditions to become trusted," the browser maker said in a blog post today. Currently, Google said that almost 75% of all extensions hosted on the Chrome Web Store were developed by "trusted developers." For the rest, the browser will show an alert like the one below if users had enabled Enhanced Safe Browsing in their Chrome settings page.
but but but (Score:2)
I want my FREEDOM to have toxic extensions!!
Re: (Score:3)
I want my FREEDOM to have toxic extensions!!
Right ... because Google would never interfere with, say, an extension that blocks their ads ...
Um... you have that freedom (Score:3)
The problem is when extensions change hands (Score:3)
No (Score:3)
Have they done a statistical analysis of problematic extensions (and the subset of major security breach problems) vs. "Trusted" status of that developer, had it been applied back then?
Also, I recall a Paypal scandal where a guy spent a year building up a great reputation as a seller, then introduced an investment for $200k and fled with the all the money.
maybe google should (Score:2)
Re: (Score:2)
They're just too lazy to implement the evil bit.
What about changes in control? (Score:3)
This doesn't seem like an outright bad tool or anything; but it seems like the metric that they should be focusing on is how many people are affected by malicious extensions, rather than how many extensions are malicious. If some random cookie-cutter shovelware is malicious but has 2 users, the developer and his sockpuppet; it barely matters. If one of the top 100, probably even top 1000, go rogue however, that's a ton of affected users.
Also pronounced as... (Score:4, Interesting)
I believe this should be pronounced "security model for Chrome extensions is not good enough".
Telling users to "be careful" is shifting the blame for when bad stuff happens, from the people making software to the people using software.
Re: (Score:2)
I believe this should be pronounced "security model for Chrome extensions is not good enough".
Telling users to "be careful" is shifting the blame for when bad stuff happens, from the people making software to the people using software.
I have to agree. Any new extensions I submit can take up to 1~1.5 weeks to be approved. This is [supposedly] so they can human review the code to make sure it isn't doing anything malicious. But given how many malicious extensions are out there, I have to wonder how much reviewing there actually is. Quite frankly, I've gotten more/better and faster human reviews from firefox extensions than I have google's side. These days (within the last 6 months or so), my updates and new extensions are passing within a
Experienced developers: raise your rates (Score:2)
The message to any developer of extensions who is "Trusted" is clear: raise your rates for any development work you do - because extensions developed by you will not cause a security warning while those developed by that other guy trying to enter the business will cause you support issues.
Chrome still doesn't question add-on installation (Score:3)
The number of times people will get an add-on/plugin in Chrome where they never got a warning is at 100% or so. I've yet to see anyone who actually got warned about "free maps toolbar" getting installed under Chrome. When ANY extension can get installed without the user being asked to verify the installation, that is a huge security concern.