Message from discussion When will the Google Updater src code be available?
From: boardraider <boardrai...@googlemail.com>
Date: Wed, 10 Sep 2008 05:48:42 -0700 (PDT)
Local: Wed, Sep 10 2008 8:48 am
Subject: Re: When will the Google Updater src code be available?
On Sep 9, 1:33 pm, Peter da Silva <res...@gmail.com> wrote:

> When I went to install Google Chrome, as soon as I clicked on the
> download button in Firefox the Google Update engine started
> downloading Google Chrome.

Then you had the GoogleOneClick plugin installed before. Maybe through
Google Gears. The culprit is called npgoogleoneclick5.dll for Firefox
and other browsers, except Internet Explorer which gets some nasty
ActiveX component instead [1][2][3][4][5][6].

> Examining the source code for the page, it
> looks like Google could have kicked off the download without clicking
> ANYTHING on the page, using "_GU_*()" calls.

The _GU_*() calls are not that important. These are just JavaScript
functions which wrap up the whole process and create the necessary
query parameters. The plugin API (maybe just a subset) is shown here:

--snip--
window.google.update.oneclick = {
    // Returns the plugin's version, or -1 if the plugin call throws
    getOneClickVersion: function() {
        try {
            return window.google.update.oneclickPlugin_.GetOneClickVersion()
        } catch(f) {
            return -1
        }
    },
    install: function(f,h,j,i,k) {
        var l="http://tools.google.com";
        l+="/service/update2/installping";
        var o=GU_buildGlobalExtra(h,j),p='"'+GU_BuildTag(f,o)+'"';
        // Send one install ping per app by requesting the URL as an image
        for (a=0; a<f.length; ++a) {
            var m=l;
            m+="?appid="+encodeURIComponent(f[a].c);
            m+="&lang="+encodeURIComponent(h);
            m+="&iid="+encodeURIComponent(_GU_getIid());
            m+="&installsource=oneclick";
            var q=new Image;
            q.src=m
        }
        // Hand the '/install "<tag>"' string and the callbacks i and k to the plugin
        var r="/install "+p;
        try {
            window.google.update.oneclickPlugin_.Install(r,i,k)
        } catch(s) {
            // If the call throws, pass s.g (or -2 if unset) to k
            var n = s.g;
            n||(n = -2);
            k(n)
        }
    }

}

--/snip--

The two plugin functions are GetOneClickVersion() and Install(r,i,k).
The first call returns the version number ("5"), the second one
triggers the automatic install process. The parameter r locates the
program that will be installed, i and k seem to be callback functions
- i in case of success and k as fallback in case of an error [7][8].

> This means that the security of the Google Update service is pretty
> important

I think we have to separate a bit the Google Update background task
that I've mentioned from this plugin. But yes, definitely you're right
about the security. It's important in both cases.
The plugin needs internal security checks to prevent evil sites from
abusing it. Since there is no source code for the plugin we have a
black box situation - security through obscurity. Same as for the
Google Updater attached to Chrome for its update checks.

> I've sent mail to Google asking for some information about the
> security model used by Google Update

Hopefully you get some illuminating feedback beyond "we aren't evil"
*eg*

> and I'm going to hold off on checking out Chrome until this is resolved

I don't trust Chrome as long as it's bundled with closed source
components and silently installs some backdoor services like the
Google Updater (which tags you and your box) and plugins (which allow
Google and others? to automatically install software). Maybe I'll
check out Chromium or a fork, when it hits a stable Linux version.

References:
[1] http://groups.google.com/group/lively-help-how-do-i/browse_thread/thr...
[2] http://tech.slashdot.org/comments.pl?sid=952157&cid=24859505
[3] http://translate.google.com/translate?tl=en&sl=fr&u=http://www.korben...
[4] http://translate.google.com/translate?sl=fr&tl=en&u=http://flyingover...
[5] http://translate.google.com/translate?u=http%3A%2F%2Fosnews.pl%2Fgoog...
[6] http://translate.google.com/translate?sl=pl&tl=en&u=http://my.opera.c...
[7] http://paste-bin.com/view/57ab54c3
[8] http://paste-bin.com/view/30dd8f4b

Some more information:
[8] https://bugzilla.mozilla.org/show_bug.cgi?id=453869
[9] http://code.google.com/p/chromium/issues/detail?id=1585
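
The post above says the plugin "needs internal security checks to prevent evil sites from abusing it". The following is an added example, not part of the original post and not Google's plugin code: a sketch of the caller check an install-capable plugin would need before honoring Install(). The function names, the allowlist, and the accepted argument shape are all assumptions.

```javascript
// Added illustration; the plugin's real checks are unknown (closed source).
// Assumption: only pages on this host may trigger an install. The host name
// appears in the quoted script; treating it as the allowlist is hypothetical.
const TRUSTED_HOSTS = new Set(["tools.google.com"]);

// Decide whether the calling page's URL is an allowed origin.
function isTrustedOrigin(pageUrl) {
  let u;
  try {
    u = new URL(pageUrl);               // parse; never substring-match raw URLs
  } catch (e) {
    return false;
  }
  if (u.protocol !== "https:") return false;      // no plaintext callers
  if (u.username || u.password) return false;     // reject user@host forms
  if (u.port !== "") return false;                // default port only
  // Exact match on the parsed, lowercased hostname: a suffix or "contains"
  // test would accept lookalike hosts such as tools.google.com.evil.example.
  return TRUSTED_HOSTS.has(u.hostname);
}

// Accept only the exact shape built in the quoted script: /install "<tag>".
// Extra switches, embedded quotes, or control characters are refused.
function isWellFormedInstallArgs(args) {
  return /^\/install "[^"\u0000-\u001f]{1,2048}"$/.test(args);
}

// Gate to run before any install logic; returns a decision plus a reason
// string that can be logged for detection.
function authorizeInstall(pageUrl, args) {
  if (!isTrustedOrigin(pageUrl)) {
    return { allowed: false, reason: "untrusted-origin" };
  }
  if (!isWellFormedInstallArgs(args)) {
    return { allowed: false, reason: "malformed-args" };
  }
  return { allowed: true, reason: "ok" };
}

// Constructed sample inputs (not taken from the page).
const SAMPLE_ARGS = '/install "appguid=CONSTRUCTED-ID&lang=en"';
console.log(authorizeInstall("https://tools.google.com/chrome/", SAMPLE_ARGS));
console.log(authorizeInstall("https://tools.google.com.evil.example/", SAMPLE_ARGS));
```

Without access to the plugin's source, whether it performs checks of this kind can only be established by testing it as a black box, which is the situation the post describes.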


 