Chrome Adds Warning For Extensions That Take Over Your Proxy Settings (bleepingcomputer.com)

← Back to Stories (view on slashdot.org)

Chrome Adds Warning For Extensions That Take Over Your Proxy Settings (bleepingcomputer.com)

Posted by BeauHD on Wednesday August 23, 2017 @12:45PM from the heads-up dept.

An anonymous reader writes: "Google engineers have added two new features to the Chrome browser that will alert users of extensions that hijack proxy settings or the new tab page," reports Bleeping Computer. Google has been testing these two techniques sparingly with a small subset of users for more than a year, but they have now landed in Google Canary. The techniques are used by malicious Chrome extensions to hijack traffic and insert ads, or to redirect search traffic to affiliate search engine programs. The addition of these popup alerts are part of Google's plan to fight malicious Chrome extensions that have been starting to plague the Web Store.

36 comments

Min score:

Reason:

Sort:

Hey Google, don't let extensions do this. by Anonymous Coward · 2017-08-23 12:46 · Score: 2, Insightful

That would solve the problem, no? There really is no valid reason why this should be allowed ever. WTF.
1. Re: Hey Google, don't let extensions do this. by KGIII · 2017-08-23 18:13 · Score: 2
  
  Umm... They do have VPN extensions that change your proxy settings and custom new tab extensions. Those kinda presuppose the ability to do both of those things. That's probably, you know, why they allow it.
  
  --
  "So long and thanks for all the fish."
2. Re: Hey Google, don't let extensions do this. by Anonymous Coward · 2017-08-23 23:53 · Score: 0
  
  Why exactly does a browser need a VPN extension? Any VPN should be lying add or just above the network layer of the OS. It kind of redefines our notion of bloatware doesn't it?
  Don't give me any Chrome OS crap. If this is the kind of crap they have to do in the browser to maintain a single code base with the OS then I think it's time we get out our pitchforks.
3. Re: Hey Google, don't let extensions do this. by Cajun+Hell · 2017-08-24 04:51 · Score: 1
  
  I'd take that as a reason to not allow it. It doesn't many any sense to have a VPN extension in a web browser.
  If they think OS UIs suck too much for people to add VPNs at the correct level, then making it stop working in the browser is a good way to unleash pressure and incentive for the OS' defects to finally get addressed.
  
  --
  "Believe me!" -- Donald Trump
4. Re: Hey Google, don't let extensions do this. by KGIII · 2017-08-24 05:43 · Score: 1
  
  Need? Nobody "needs" it. Want? It'd appear lots of people want it. If the user wants to add it, I'm pretty sure that makes it not bloatware. Bloatware is from the vendor. The user adding stuff isn't really bloatware, at least in my thinking.
  You're gonna argue for fewer choices... I'm not sure we can have a productive conversation.
  
  --
  "So long and thanks for all the fish."
5. Re: Hey Google, don't let extensions do this. by KGIII · 2017-08-24 05:54 · Score: 1
  
  VPNs at the browser level can make sense. Maybe you only want to mask your browser traffic? Maybe you use more than one browser and want one masked? I can probably come up with a bunch of other good reasons.
  
  --
  "So long and thanks for all the fish."
Why? by Frosty+Piss · 2017-08-23 12:47 · Score: 4, Insightful

Chrome Adds Warning For Extensions That Take Over Your Proxy Settings...
Why does Chrome allow extensions that can hijack proxy settings?

--
If you want news from today, you have to come back tomorrow.
1. Re:Why? by Sigma+7 · 2017-08-23 12:58 · Score: 3
  
  Why does Chrome allow extensions that can hijack proxy settings?
  The use case is an extension that changes proxy settings. For example, if you need/want to visit a specific website for a proxy server (such as 127.0.0.1:8080, to cache/save websites as you browse them), you can enable or disable it at a click of a button.
  Of course, a better question asks why extensions have better access to the browser settings than the user. Editing proxy settings manually has to be done on the OS level, while extensions can tell Chrome to use a given proxy through an API.
2. Re:Why? by Anonymous Coward · 2017-08-23 13:02 · Score: 0
  
  Schools and businesses want the ability to enforce the use of their proxy.
3. Re: Why? by Anonymous Coward · 2017-08-23 13:05 · Score: 1
  
  I use FoxyProxy, which changes the proxy setting depending on the site I'm visiting. That way I can access work sites through the VPN, while any other site I visit my work doesn't need to know about.
4. Re: Why? by Anonymous Coward · 2017-08-23 13:14 · Score: 0
  
  They might alert the user to something apocryphal, like two genders, or men can't give birth.
5. Re:Why? by Anonymous Coward · 2017-08-23 13:24 · Score: 0
  
  If you run a late enough version of Chrome OS, extensions are the only way to change it.
6. Re:Why? by Anonymous Coward · 2017-08-23 13:40 · Score: 0
  
  If you run a late enough version of Chrome OS, extensions are the only way to change it.
  Which is a serious design flaw. There should not be an API for this. It should be something that can only be done manually by the user. Sadly, this sort of stupidity has become standard operating procedure for most software. And then they have to spend time fixing problems caused by their stupid design decisions.
  Of course, Google could also spend 0.000000000000000001% of the money they make every month to properly vet extensions before allowing them to be added to the App Store. But that's never going to happen.
7. Re:Why? by AHuxley · 2017-08-23 14:15 · Score: 1
  
  To better detect competing ad services trying work arounds.
  Alert the user and the proxy will only pass the approved ads.
  
  --
  Domestic spying is now "Benign Information Gathering"
8. Re:Why? by Anonymous Coward · 2017-08-23 14:40 · Score: 0
  
  Why do you need a extension to force the use of a proxy, you just make the proxy the only what out of your firewall, then it has to be set to enforce it.
  This is a no brainer.
9. Re:Why? by TuballoyThunder · 2017-08-23 15:19 · Score: 1
  
  Considering that Google makes around $90 billion/year, 0.000000000000000001% will be less than $1/month. I don't think you will get much vetting for less than $1/month.
10. Re:Why? by nicolaiplum · 2017-08-23 18:20 · Score: 2
  
  Instead ask why people have a need for such features?
  That is because Chrome does not allow any sort of complex proxy settings. That's why I use Firefox, because it makes it easy to customise proxy settings without needing an extension. This is commonly needed in corporate environments where network access is not straightforward.
  Chrome could reduce the problem by adding better controls itself - instead Google have left this for "the market to provide" extensions, and that is where the mess comes from today.
  They do this in other places, such as the lack of any builtin Bluetooth file transfer or other features in Android (when my Nokia phone had built-in Bluetooth file transfer 15 years ago). They made this problem much worse than it has to be.
  
  --
  "For a successful technology, reality must take precedence over public relations, for Nature cannot be fooled"
11. Re:Why? by tlhIngan · 2017-08-23 19:46 · Score: 1
  
  Why does Chrome allow extensions that can hijack proxy settings?
  Presumably, to allow VPN apps to exist for Chrome. Sure you can get traditional VPN apps that use your system VPN clients, but often those may require elevated priviledges. Client VPNs often use the browser to host the VPN session and route all traffic through it for the browser. Not as useful (because they only route traffic for the browser) but are quick and simple to use and require no system reconfiguration.
12. Re:Why? by thegarbz · 2017-08-23 20:57 · Score: 1
  
  Why does Chrome allow extensions that can hijack proxy settings?
  Every browser allows plugins that can change proxy settings. This is kind of fundamental to changing networks automatically e.g. joining a VPN. A proxy is a network setting that is often set dynamically.
13. Re:Why? by gravewax · 2017-08-23 21:23 · Score: 1
  
  VPN, debuggers and web traffic analysers (e.g. fiddler), I am sure their are many other valid uses for it too.
14. Re:Why? by mjwx · 2017-08-23 22:35 · Score: 1
  
  Chrome Adds Warning For Extensions That Take Over Your Proxy Settings...
  Why does Chrome allow extensions that can hijack proxy settings?
  Because sometimes, thats what we want an extention to do. Getting around government restrictions forced on us by Hollywood is just one of the many reasons.
  
  What we don't want are extensions that surreptitiously change proxy settings to inject ads or malware.
  
  --
  Calling someone a "hater" only means you can not rationally rebut their argument.
15. Re: Why? by Anonymous Coward · 2017-08-23 23:55 · Score: 0
  
  Design flaw #2- shipping this bullshit in the browser just because ChromeOS needs it.
16. Re:Why? by Anonymous Coward · 2017-08-24 02:32 · Score: 0
  
  You can also change the proxy settings for chrome via the command line. (Or shortcut settings in Windows.)
  Only under broken Windows must a user be an admin to change the proxy settings. (Which are used globally for all connections.) This isn't so much a Chrome issue as a "Windows' proxy code was written way back in the 90's and hasn't been looked at since" issue.
  The issue I'll have with this is if they decide that any proxy settings change (or use of a proxy) is "bad" and must have a constant warning displayed. It's gotten to the point where anything but a direct HTTPS link is considered "evil" despite the legitimate needs of the network / system operators. (Enterprise / Organization). Then I get 10 million calls about "why is it not secure anymore?" and have to tell them to ignore it while at work. (And hope to high hell, they DO pay attention to it anywhere else.)
17. Re:Why? by Anonymous Coward · 2017-08-24 18:15 · Score: 0
  
  that isn't a "broken" windows decision, that is purely a broken google decision.
18. Re: Why? by Anonymous Coward · 2017-08-25 03:51 · Score: 0
  
  The wininet proxy settings are per-user by default you dumb fuck. There is a admin policy you can set to force HKLM.
Now I feel safe by Anonymous Coward · 2017-08-23 12:48 · Score: 0

Because only Teh G is allowed to snoop me!
Nanny Google. by msauve · 2017-08-23 12:50 · Score: 2

" will alert users of extensions that hijack proxy settings"

Next up, the user won't have a choice, like their removing legacy but perfectly functional encryption methods, or lying to users that "your network may be monitored" if you install a private CA on Android. For being a business based on the net, Google is pretty clueless about how it actually works (try doing plaintext email with their Android MUA).

--
"National Security is the chief cause of national insecurity." - Celine's First Law
1. Re:Nanny Google. by Anonymous Coward · 2017-08-23 14:11 · Score: 1
  
  extensions that hijack proxy settings, insert links into the newtab page, or alter search engine settings, affect google's bottom line by steering unsuspecting users away from its own properties.
  there's no "nanny" here, just accountants and executives, trying to protect google's profits and market share.
  captcha: alphabet
Hijack proxy settings ? by ddtmm · 2017-08-23 14:44 · Score: 1

I have an idea... why don't they just build a browser that doesn't let extensions hijack the browser's proxy settings?
1. Re:Hijack proxy settings ? by msauve · 2017-08-23 15:37 · Score: 2
  
  "Hijack" is a biased and erroneous pejorative. There are legitimate reasons for an extension to control the proxy.
  
  --
  "National Security is the chief cause of national insecurity." - Celine's First Law
Meanwhile, on Android by Actually,+I+do+RTFA · 2017-08-23 16:19 · Score: 1

It's frustrating how Google refuses to allow extensions to Chrome on Android. Which is too bad, because extensions are kinda a required feature to navigate the web these days.

--
Your ad here. Ask me how!
1. Re:Meanwhile, on Android by JaredOfEuropa · 2017-08-23 18:45 · Score: 1
  
  If that's the case, then the web is seriously broken.
  
  --
  If construction was anything like programming, an incorrectly fitted lock would bring down the entire building...
2. Re:Meanwhile, on Android by KozmoStevnNaut · 2017-08-24 01:51 · Score: 2
  
  Yes. Yes, it is.
  The mainstream web as of 2017 is borderline useless without an adblocker at the very least, and preferably an extension to stop autoplaying media content as well.
  
  --
  Eat the rich.
3. Re:Meanwhile, on Android by Cajun+Hell · 2017-08-24 04:56 · Score: 1
  
  No, it just means that Chrome-for-Android is broken. (And it is. Chrome is basically unusable on Android, however much you may like it on your desktop.) It's a big part of the reason that Firefox(!!?!) happens to be best browser (that I've seen so far) on Android.
  
  --
  "Believe me!" -- Donald Trump
4. Re:Meanwhile, on Android by Actually,+I+do+RTFA · 2017-08-24 10:24 · Score: 1
  
  It isn't? You browse with Javascript on? Or without an adblocker? Or accepting hotlinks to any 3rd party site?
  
  --
  Your ad here. Ask me how!
Mozilla by Anonymous Coward · 2017-08-23 17:43 · Score: 0

Meanwhile, Mozilla deprecates all add-ons.