Sophos Cloud Optix
As of Tuesday, 12 June, Google started on a phase-out of Chrome extensions that come from third-party websites. In the coming months, that means that extensions have got to either hit the Chrome Web Store or hit the highway.
It’s about time, many will say – third-party extensions cause too many headaches.
Extensions Platform Product Manager James Wagner said in an announcement on the Chromium blog that inline extensions (i.e., those from third-party sites) are far more likely to cause Chrome users problems than the ones they get from the Chrome Web Store:
When installed through the Chrome Web Store, extensions are significantly less likely to be uninstalled or cause user complaints, compared to extensions installed through inline installation.
Here’s the timeline:
- Starting on Tuesday 12 June 2018, inline installation was made unavailable to all newly published extensions. Extensions first published on that day or later that attempt to call the
chrome.webstore.install()function will now automatically redirect the user to the Chrome Web Store in a new tab to complete the installation. - Starting 12 September 2018, inline installation will be disabled for existing extensions, and users will be automatically redirected to the Chrome Web Store to complete the installation.
- In early December 2018, the inline install API method will be removed from Chrome 71.
Wagner advised developers who distribute an extension using inline installation that they’ll have to update install buttons on their websites to link to their extension’s Chrome Web Store page prior to the stable release of Chrome 71.
He also suggested that if you haven’t already, “be sure to read up on how to create a high-quality store listing, and consider using our install badge on your site.”
Wagner said that it’s “crucial” that users have “robust information” about extensions before they install them, so that they fully understand how the extensions will affect their browsing experience. He says that Google is confident that the walled-garden approach will “improve transparency for all users about their extension choices in Chrome.”
A little recent extensions history: in October, Google was embarrassed when a fake adblocker – one that posed as the massively popular AdBlock Plus – wound up sneaking past Google’s security checks and weaseling its way into the Chrome Web Store. The “adblocker” turned out not to be an adblocker at all. Rather, ironically enough, it was adware. It served ads. To people who wanted to block ads.
At the time, Google said it had plans to improve the vetting of its browser extensions:
We know the issue spans beyond this single app. We can’t go into details publicly about solutions we are currently considering, but we wanted to let the community know that we are working on it…
Of course these problems aren’t unique to Google, they turn up everywhere vendors provide walled-garden access to apps, plugins, add-ons or whatever else they call the bits of somebody else’s code you can use to extend their products.
In most cases the security of a walled garden beats not having a walled garden, but keeping the bad stuff out is an on-going and evolving struggle.
Nice article! The concept of a walled garden does enhance security while at the same time crushing development. Windows is rapidly becoming a closed world, Google is doing the same thing and I am sure many others will follow. Just think where we would be if this walled garden concept had been in place when home computers first arrived. I think we would still be typing programs in basic and hoping the walled garden fall.
I don’t understand why Google didn’t take the Android approach and make it somewhat cumbersome for people who want to install plug ins outside of their walled garden. Chock full of warnings and dire looking pop-ups.
But then again, maybe I do. Perhaps Google wants to control what we do with Chrome to make sure people don’t do things like download YouTube Videos with extensions . I have no doubt that in the next 10 years or so, we will have reverted back to 1980’s terminal->mainframe setups (with the mainframe being euphemistically called “The Cloud”). It will be sold to us as a ‘safer’ and a convenience – to have your desktop/files/applications on a Google or Microsoft virtual machine in the “cloud”,
Oh and Google/Microsoft/Big Brother/Cambridge Analytica will have all your data and control what you do with it, but you’re already OK with that, aren’t you? You did click “Agree”, remember?
Time to watch the Firefox market share start going back up, perhaps?
I’m just waiting for the inevitable google credit agency to offer “enhanced risk factor analysis based on deep knowledge of your customers”. At least it probably won’t leak data by accident, i guess…