Slashdot Mirror


Google Chrome 25 Will Disable Silent Extension Installation

An anonymous reader writes "Google on Friday announced that it is changing its stance for silently installing extensions in its browser. As of Chrome 25, external extension deployment options on Windows will be disabled by default and all extensions previously installed using them will be automatically disabled."


  1. Impossible by KiloByte · · Score: 5, Insightful

    How exactly can they block silent installs if the process that wants to add the extensions has the same rights as Chrome -- or strictly higher? The other program can emulate whatever way Chrome uses to mark something as legitimately installed.

    It's only a feel-good measure, that can stop only "nice" extensions which would play by the rules in the first place, and does nothing against malware or the operating system itself (looking at you, Microsoft).

    --
    The creatures outside looked from Alt-Right to Antifa; but already it was impossible to say which was which.
    1. Re:Impossible by ohnocitizen · · Score: 4, Insightful

      Stopping "nice" extensions is a step forward. This will make it difficult for 3rd party app developers who wanted to sneak extensions into Chrome to continue business as usual. Microsoft and malware authors will probably find ways to work around it, true. But reining in bad behavior by people who otherwise play by the rules is still progress.

    2. Re:Impossible by Anonymous Coward · · Score: 3, Interesting

      One way is to keep a record of installed plugins by user interaction on a Google server and recall the list and compare extension lists on startup.

      Another way is to sign the extensions with a special per user key that is kept on a Google server. The key may also be kept on the user PC but needs a public private key signing system. The signing and reading key needs to be created on user plugin installation with all plugins re-signed with new signing key and then that key is destroyed leaving only the reading key. Trying to write over the reading key would make old plugin unreadable (or a special check file for cases with no plugins) and you can't create a signed plugin without the signing key. This still leaves attacks left for listening but it should be pretty rare for plugin installation, anyways kinda moot if a malware has great access to your PC.

    3. Re:Impossible by larry bagina · · Score: 3, Insightful

      An elevated process can also update the encrypted list.

      --
      Do you even lift?

      These aren't the 'roids you're looking for.

    4. Re:Impossible by larry bagina · · Score: 2

      If Chrome can post a message to Google's server, Evil Plugin Installer can also post a fake message to Google's server. Your second choice sounds like a walled garden, which isn't bad, but it'll be messy to clean up after all those heads are blown...

      --
      Do you even lift?

      These aren't the 'roids you're looking for.

    5. Re:Impossible by TheLink · · Score: 4, Insightful

      This is setting a new intended default behaviour - e.g. extensions should ask permission. If you bypass this it makes it harder to argue that your extension isn't malware.

      Most people and the Courts treat things differently depending on whether you broke a lock to enter a place or the door wasn't even latched in the first place.

    6. Re:Impossible by techno-vampire · · Score: 3, Insightful

      ...and aren't malware by any stretch of the imagination.

      I don't know about you, but personally I find it hard to believe that any extension that installs itself without notifying the user has that user's best interests at heart. Even if they're not actually malware, they're probably doing something their author doesn't want us to know about and that's enough to make sure that I, for one, would never trust them.

      --
      Good, inexpensive web hosting
    7. Re:Impossible by mysidia · · Score: 2

      You can't. But this will interfere with network Administrators implementing a technical policy of pre-deploying specified extensions for all users.

      The only solution I can think of right now is to ban Chrome; and only allow IE or Firefox; which will allow admin-deployed extensions.

  2. Re:Yeah! by BitZtream · · Score: 4, Informative

    What's to get excited about, this just causes problems for legitimate extensions.

    Fact: Dirty/Malware extensions can work around it by just setting whatever flags need to be set wherever they need to be set to make Chrome think they are approved.

    Fact: Legit extensions installed with other software will now at the minimum need an annoying popup to allow them, or worse, digging through menus to figure out how to turn them on instead of 'just working'.

    Fact: Google will exempt itself from this practice.

    As someone who wrote extensions for Firefox until we got tired of supporting its broken every release API, it was trivial to work around this sort of crap with Firefox, the same will be true of Chrome.

    --
    Persistent Volume manager for Kubernetes - https://github.com/dwimsey/openshift-pvmanager
  3. Re:That UI is getting tired. Anyone agree? by Anonymous Coward · · Score: 3, Insightful

    Have you learnt nothing?

  4. Trolls are everywhere!!! by Anonymous Coward · · Score: 4, Insightful

    Someone needs to get a handle on these trolls on this site or I'm calling the POLICE!!!!!

    I think malda himself might be trolling and I'm SICK OF IT!!!

  5. Re:Yeah! by dreamchaser · · Score: 5, Insightful

    You're so right. We should also leave all of our doors and windows unlocked because face it, a determined intruder will just find a way in, and we could be blocking legitimate friends and family. We might actually have to get up and answer the door!

  6. Re:Yeah! by symbolset · · Score: 5, Insightful

    Fact: silent browser extension installation is like a browser version of Microsoft's AutoRun. There is no reason why a legitimate extension needs to install without asking the operator for permission any more than a program on a disk or share needs to autorun on mounting the volume.

    --
    Help stamp out iliturcy.
  7. Re:Yeah! by jhoegl · · Score: 3, Insightful

    There is such a thing as user fatigue.
    If you keep harping at the user about every little thing they will just accept without reading and move on.
    So in what way have you empowered the broad user base by adding this?
    Treating the symptoms instead of finding the cause is the problem. Although there is no easy way to solve this particular riddle, the solutions provided do nothing to educate and help the user.

  8. Re:Yeah! by Johann Lau · · Score: 4, Insightful

    SOME users experience fatigue and click themselves into deep shit, others pay attention and click themselves out of it.

    If you keep harping at the user about every little thing they will just accept without reading and move on.

    And what is lost compared to not even having the choice? That's like initializing user_fatigue with the maximum value.

    So in what way have you empowered the broad user base by adding this?

    As I just said, you give each user the choice how much of an idiot they want to be, instead of forcing ALL users to be idiots.

  9. Re:That UI is getting tired. Anyone agree? by Nimey · · Score: 2

    No. I'm not wild about the three-bar option button, but the rest is OK.

    --
    Hail Eris, full of mischief...

    E pluribus sanguinem
  10. Re:Yeah! by Albanach · · Score: 5, Interesting

    SOME users experience fatigue and click themselves into deep shit, others pay attention and click themselves out of it.

    How many extensions do you think the average user wants/needs? I really don't see fatigue being much of an issue with browser extensions. A user should only be seeing a couple of warnings a year.

    If the click through presents a warning and defaults to No, then users are much more likely to opt-out, clicking themselves to safety. Even better if there's a 'don't let this site bother me again' option.

  11. Re:Yeah! by Johann Lau · · Score: 4, Interesting

    How many extensions do you think the average user wants/needs? I really don't see fatigue being much of an issue with browser extensions.

    Same here, so don't ask me :P

    I think saying "user fatigue!" is really just the last FUD straw of someone who doesn't like that Google made an innocent good move for a change. There is nothing wrong with this change, which is why the "arguments" against it are so desperate and funny. I can sympathize with that, I'm all for being unfair to Google haha, but this is too much of a stretch.

    Fuck "user fatigue" - unless you mean being tired of users, then more power to you, of course. Look out for the disabled, for those who need help, and of course streamline stuff where it makes sense. But fuck catering to laziness and mindlessness. If most people are lazy then most people are obsolete. I don't think they are, but that's what I respond to that argument. Ignore them now before they feel even more entitled. Personally, I'd be all for hunting them down (not being lazy and all that), but I am willing to compromise.

  12. Re:Adware? by Todd Knarr · · Score: 4, Interesting

    It should. The add-ons can be dumped into the folders, but the browser will leave them disabled and non-functioning until you manually enable them. At least until the adware makers start figuring out how to dig into the internals of the browser config files and modify things directly to convince the browser the add-ons have already been enabled. That's doable but not simple, so I expect it'll take a while for that to become common. And there are simple methods the browser can use to make that modification even more difficult, e.g. tagging each enabled extension with an encrypted hash of the extension's file so that the adware would have to find the browser's encryption key before it could successfully modify the configuration.

    Note that none of these will do anything about add-ons that convince the user to manually install them.
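
The tagging idea in the comment above, sketched as an added example (not part of the thread, and not Chrome's actual mechanism). The comment says "encrypted hash"; an HMAC-SHA256 over the extension's file is the construction swapped in here, and the key storage, function names and sample data are assumptions.

```python
import hashlib
import hmac
import secrets

# Assumption: the browser keeps this key where an installer cannot read it.
# The objection raised elsewhere in the thread applies when that fails.
BROWSER_KEY = secrets.token_bytes(32)


def tag_extension(key: bytes, ext_id: str, content: bytes) -> str:
    """Tag written to the config when the user approves an extension."""
    digest = hashlib.sha256(content).digest()
    # Bind the tag to the extension id as well as the file hash, so a valid
    # tag cannot be copied onto a different extension entry.
    msg = ext_id.encode() + b"\x00" + digest
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def audit(key, installed, config):
    """Return {ext_id: status} for every extension found on disk."""
    report = {}
    for ext_id, content in installed.items():
        stored = config.get(ext_id)
        if stored is None:
            report[ext_id] = "disabled: no user approval recorded"
        elif hmac.compare_digest(stored, tag_extension(key, ext_id, content)):
            report[ext_id] = "enabled"
        else:
            report[ext_id] = "disabled: tag does not match file"
    return report


def demo():
    # Constructed sample data: extension id -> file bytes.
    installed = {"adblock": b"adblock v1", "toolbar": b"dropped by an installer"}
    config = {"adblock": tag_extension(BROWSER_KEY, "adblock", installed["adblock"])}
    # A config entry written without the key carries a tag that cannot verify.
    config["toolbar"] = "0" * 64
    before = audit(BROWSER_KEY, installed, config)
    # The approved extension's file is changed after approval.
    installed["adblock"] = b"adblock v1 + injected code"
    after = audit(BROWSER_KEY, installed, config)
    return before, after


if __name__ == "__main__":
    for report in demo():
        print(report)
```
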

  13. Re:Yeah! by cbiltcliffe · · Score: 4, Insightful

    When your "lock" consists of a lever with a little sign saying "push this lever if you're supposed to be here" you might as well leave it unlocked....

    --
    "City hall" in German is "Rathaus" Kinda explains a few things......
  14. Re:Yeah! by Maow · · Score: 2

    Fact: saying fact before a statement makes it an inarguable universal truth.
    Pro-tip: use the Fact: prefix before stating any opinion in an online forum.

    FWIW I happen to agree. But for $DEITY's sake, just state your case.

    Try reading the GP comment for the reason.

    Hint: he (Symbolset) is responding to that poster's arrogance.

    Hint #2: the GP's comment states 3 "facts" as though stating such makes them inarguable truths.

    FWIW, I agree that it's bad form, but it was a response-in-kind that you replied to.

    Cheers

  15. Re:Yeah! by girlinatrainingbra · · Score: 2

    Same problem with auto-update on Firefox. At some point, I was running version X of Firefox off of a live-boot-usb-stick, and I hadn't configured Firefox completely, and I forgot to do it for a day. Next afternoon, my version of Firefox had updated to X+2 and then the next day it was updated to Firefox 17 with all of the googley-crap put back into the search box and all of the javascript options I had disabled being re-enabled and all of my addons such as adblock and noscript were disabled because the versions I had installed with saved .xpi files were not compatible with FF17. DAMN IT! If I wanted to fucking upgrade my version of FF I'd have done it myself. And upgrading the whole f*cking browser is fuckloads of worse shit than just sneaking in browser extensions. (Can you tell that I was pissed off? Still am, aren't I? Apologies to those with tender ears)

  16. Re:Yeah! by 1u3hr · · Score: 5, Funny

    Pro-tip: use the Fact: prefix before stating any opinion in an online forum.

    And adding the "Period" suffix after your opinion makes it a universal truth. Period.

  17. Re:Yeah! by Vegemeister · · Score: 2

    Windows users still install programs by downloading executables from the internet and running them as root. It doesn't matter what we do to our windows and doors when one wall of our house is missing.

  18. Re:Yeah! by VortexCortex · · Score: 4, Insightful

    There is no reason why a legitimate extension needs to install without asking the operator for permission any more than a program on a disk or share needs to autorun on mounting the volume.

    Then explain Chrome's silent updates? By your logic there should be no reason why an application would update itself without operator permission -- Why, if it were a small part of a larger system it could even bring the entire intranet down. What I see is friction between notification of updates and desire to have less notification noise. IMO, the best answer when there is a choice to make that involves users' usage is to let them decide:
    An update for Chrome is available.
    ( ) Skip this update.
    ( ) Download the update and ask again later.
    (o) Download and Install Automatically

    [x] Remember this choice and don't ask again.
    ____

    A plugin update is available for: NotScript
    ( ) Skip this update.
    ( ) Download the update and ask again later.
    (o) Download and Install Automatically.

    [_] Remember my choices for future updates.
    [x] Make this the default for all plugins.
    ____

    Status Notification:
    42 Updates are being downloaded and installed. [Options...]

    I thought we solved this shit in the 70's? You know, with our rocket science... The answer is almost never: Less Choice; It's almost always: Sane defaults & Discoverable options.

    See also above comment by: girlinatrainingbra (2738457)

  19. Re:Yeah! by symbolset · · Score: 3, Funny

    Well I guess the only reasonable response to this is: don't eat lead-based paint chips. Your post has nothing to do with my post.

    --
    Help stamp out iliturcy.
  20. Re:Yeah! by hairyfeet · · Score: 2

    How about simply having a checkbox that says "trust installs by this publisher" and call it a day? Why not that? On the one hand I don't want to be clicking my ass off and on the other hand I don't want shit installing silently, so why not a compromise?

    --
    ACs don't waste your time replying, your posts are never seen by me.
  21. Re:Yeah! by nogginthenog · · Score: 2

    This. Adding 'this' always makes the parent true.