On Sep 9, 1:33 pm, Peter da Silva <res...@gmail.com> wrote:
> When I went to install Google Chrome, as soon as I clicked on theThen you had the GoogleOneClick plugin installed before. Maybe through
> download button in Firefox the Google Update engine started
> downloading Google Chrome.
Google Gears. The culprit is called npgoogleoneclick5.dll for Firefox
and other browsers, except Internet Explorer which gets some nasty
ActiveX component instead .
> looks like Google could have kicked off the download without clicking
> ANYTHING on the page, using "_GU_*()" calls.
functions which wrap up the whole process and create the necessary
query parameters. The plugin API (maybe just a subset) is shown here:
The two plugin functions are GetOneClickVersion() and Install(r,i,k).
> This means that the security of the Google Update service is prettyI think we have to separate a bit the Google Update background task
that I've mentioned from this plugin. But yes, definitely you're right
about the security. It's important in both cases.
The plugin needs internal security checks to prevent evil sites from
abusing it. Since there is no source code for the plugin we have a
black box situation - security through obscurity. Same as for the
Google Updater attached to Chrome for his update checks.
> I've sent mail to Google asking for some information about theHopefully you get some illuminating feedback beyond "we aren't evil"
> security model used by Google Update
> and I'm going to hold off on checking out Chrome until this is resolvedI don't trust Chrome as long as it's bundled with closed source
components and silently installs some backdoor services like the
Google Updater (which tags you and your box) and plugins (which allow
Google and others? to automatically install software). Maybe I'll
check out Chromium or a fork, when it hits a stable Linux version.
Some more information:
You must Sign in before you can post messages.
To post a message you must first join this group.
Please update your nickname on the subscription settings page before posting.
You do not have the permission required to post.