Clarification on this article (External Extensions and Chromium)


APN QATest

Nov 8, 2013, 3:21:57 PM
to chromium-...@chromium.org
 
"Since these malicious extensions are not hosted on the Chrome Web Store, it’s difficult to limit the damage they can cause to our users. As part of our continuing security efforts, we’re announcing a stronger measure to protect Windows users: starting in January on the Windows stable and beta channels, we’ll require all extensions to be hosted in the Chrome Web Store. We’ll continue to support local extension installs during development as well as installs via Enterprise policy, and Chrome Apps will also continue to be supported normally.

If your extensions are currently hosted outside the Chrome Web Store you should migrate them as soon as possible. There will be no impact to your users, who will still be able to use your extension as if nothing changed"
 
Need some questions answered:
 
1. What happens if the extension is not hosted in the Chrome web store after January? I don't use the CWS as the distribution channel for my product and the extension id is obviously not registered with CWS.
a. Will they be all flagged as malicious for new installs? What should I expect?
b. Will existing users that already have the extension be affected?
 
 
 
 

PhistucK

Nov 8, 2013, 4:05:28 PM
to APN QATest, Chromium-extensions
1, a. You will not be able to install them using the external extension feature, only using the Enterprise policy method. The question remains whether drag and drop into chrome:extensions would continue to work.
b. No. I think the blog post mentions that. "There will be no impact to your users, who will still be able to use your extension as if nothing changed.".


PhistucK



Róbert Csala

Nov 12, 2013, 9:50:23 AM
to chromium-...@chromium.org, APN QATest
As for 1b: I am not sure whether they mean the already installed extensions or the migrated ones. But even if that is true, and the installed extensions will work as they should, you will probably not be able to publish updates for them.



PhistucK

Nov 12, 2013, 10:17:24 AM
to Róbert Csala, Chromium-extensions, APN QATest
1b. I highly doubt you will not be able to publish (self hosted) updates for them. Preventing updates may pose a great security risk, which is exactly what they are trying to prevent.


PhistucK



Róbert Csala

Nov 12, 2013, 10:23:08 AM
to chromium-...@chromium.org, Róbert Csala, APN QATest
Yes, that is one possible way to see it. The other is to say that the users can always disable/remove the faulty/unsecure extension and download the fixed version from the store.
It really depends on how the CWS team decides, I hope they prefer your viewpoint.



PhistucK

Nov 12, 2013, 10:46:01 AM
to Róbert Csala, Antony Sargent, Chromium-extensions, APN QATest
Antony, can you, please, clarify?


PhistucK



Antony Sargent

Nov 12, 2013, 12:42:58 PM
to PhistucK, Róbert Csala, Chromium-extensions, APN QATest
Unfortunately at chrome startup time, when reading a preferences file that malicious software may have tampered with, there's no way to tell the difference between an extension a user may have willingly installed at some point in the past and one that was forced on them. (This is not a theoretical threat - we already see this happening today by malicious software forcing installs on users and working around the mechanism we put in place last year to ensure users get a chance to opt-in). 

The statement "There will be no impact to your users, who will still be able to use your extension as if nothing changed" is connected to the previous sentence; that is, you *must* migrate your item to the webstore for there to be no impact to users. 

Starting in January, chrome on windows stable/beta will verify that each installed extension* is either:

-hosted in the webstore
-configured via enterprise policy  
-loaded for development (this should only be used by developers though, not end users)

*This just applies to extensions, not apps or themes.

Again, we very much wish we did not need to do this, but we've seen such increasing levels of windows users getting infected with forced installs, despite our earlier efforts to prevent it, that we felt we had to do something more restrictive. Windows users will still have the following options if they want to run items that aren't from the webstore or enterprise policy:

-Install the canary channel (canary channel can be installed side-by-side with chrome stable/beta), or switch to chrome dev channel.
-Use a build of chromium
-Switch to mac/linux where we aren't enforcing these restrictions



Ross Presser

Nov 12, 2013, 4:12:30 PM
to chromium-...@chromium.org, PhistucK, Róbert Csala, APN QATest
Fourth option: freeze your installation of Chrome where it is right now, preventing updates.
Fifth option: run away from Google before it mutates into Apple.

Don Chapo

Nov 21, 2013, 8:56:14 AM
to chromium-...@chromium.org

Dear Antony

if we host our (migrated) extension in the web store (hidden), can we still install the extension via Windows Installer (Windows Registry “HKEY_LOCAL_MACHINE\SOFTWARE\Google\Chrome\Extensions…”)? If the installed extension has a higher version (e.g. Beta or Alpha version), will Chrome load the extension? Or can we disable the auto update for our extension?

Thanks in advance,

Don

Antony Sargent

Nov 21, 2013, 7:59:48 PM
to Don Chapo, Chromium-extensions
Don-

That's an interesting use case. I think the best recommendation I can give is to have separate entries in the webstore for the stable, beta and alpha versions - is that feasible for your case?





Don Chapo

Nov 22, 2013, 2:15:31 AM
to chromium-...@chromium.org

Dear Antony,

thanks for your quick reply. We could give this a try. Do I understand correctly that Chrome won't load newer versions of an extension?


MSI - Installation:

Can we still install our extension via Registry?


Existing Extensions:

Will Chrome load in January existing/installed “npapi” – extensions? We could not update all our installations in the next month (our migrated extension uses native messaging; the host application must be installed via setup). Also our business customers (> 1000 employees) don’t install newer versions immediately.

 

Testing:

Can we test this “feature”? Chrome “32.0.1700.19 beta-m Aura” loads our npapi – extension (not available in the web store).

 

Thanks a lot!

 

Best regards,

Don

Don Chapo

Nov 26, 2013, 1:10:54 AM
to chromium-...@chromium.org
Is there someone from the Google Chrome team who can answer my questions?

Thanks a lot!

Best regards,
Don

Finnur Thorarinsson

Nov 26, 2013, 5:23:29 AM
to Don Chapo, Chromium-extensions
I'm not the authoritative source on this, but I'll take a stab at answering.


On Fri, Nov 22, 2013 at 7:15 AM, Don Chapo <donchapou...@gmail.com> wrote:

Dear Antony,

thanks for your quick reply. We could give this a try. Do I understand correctly that Chrome won't load newer versions of an extension?


MSI - Installation:

Can we still install our extension via Registry?



I don't see how that would be affected --- if your extension is in the store then this mechanism should work more or less as it does now, I presume.
 

Existing Extensions:

Will Chrome load in January existing/installed “npapi” – extensions? We could not update all our installations in the next month (our migrated extension uses native messaging; the host application must be installed via setup). Also our business customers (> 1000 employees) don’t install newer versions immediately.


I believe the answers you are looking for are here:

Selected quotes:
"Starting in January 2014, Chrome will block webpage-instantiated NPAPI plug-ins by default on the Stable channel."
"In the short term, end users and enterprise administrators will be able to whitelist specific plug-ins. Eventually, however, NPAPI support will be completely removed from Chrome. We expect this to happen before the end of 2014"

There are further details on the phase-out of NPAPI on that blog post, so I encourage you to read it.

 

Testing:

Can we test this “feature”? Chrome “32.0.1700.19 beta-m Aura” loads our npapi – extension (not available in the web store).


I think you are best served by installing the Chrome Canary build. That's where you are likely to see the changes first, as they start there and then trickle down to the dev, beta and finally (after they've been baked for some time on the other channels) the stable channel.

 

Thanks a lot!

 

Best regards,

Don


Dan Jung

Nov 26, 2013, 10:44:51 AM
to chromium-...@chromium.org
Hi, what is the official way of setting the enterprise policy for enabling extensions if I don't want to force install them?

If I add the URL to "ExtensionInstallSources" will that be enough? Do I need to add the extension id to the whitelist? Based on the documentation, the whitelist has no effect if the blacklist is not enabled? Will this still be true?

Thanks,
Dan

Finnur Thorarinsson

Nov 27, 2013, 9:06:41 AM
to Dan Jung, Chromium-extensions
I've been involved much with the enterprise side of things, but you might find your answers here:
(see questions on that page and further links in the column on the left).



Finnur Thorarinsson

Dec 3, 2013, 2:00:17 PM
to Don Chapo, Chromium-extensions
On Tue, Nov 26, 2013 at 2:23 AM, Finnur Thorarinsson <fin...@chromium.org> wrote:
I'm not the authoritative source on this, but I'll take a stab at answering.


On Fri, Nov 22, 2013 at 7:15 AM, Don Chapo <donchapou...@gmail.com> wrote:

Dear Antony,

thanks for your quick reply. We could give this a try. Do I understand correctly that Chrome won't load newer versions of an extension?


MSI - Installation:

Can we still install our extension via Registry?



I don't see how that would be affected --- if your extension is in the store then this mechanism should work more or less as it does now, I presume.
 

Update: I found out today that there is a change coming here so I wanted to augment my answer here. 

You will be able to still use the registry sideloading mechanism to do the initial install (and uninstall) of your extension, but all subsequent updates of your extension will go through the webstore. 

This has important implications for developers who install extensions alongside their native applications, particularly if they need to keep the two in sync with each other. That's because they will now need to make sure their native application is more tolerant of version mismatches with their extension (because the native app is now on a potentially slower update cycle than your extension).

Antony Sargent

Dec 5, 2013, 2:19:19 PM
to Dan Jung, Chromium-extensions
On Tue, Nov 26, 2013 at 7:44 AM, Dan Jung <danj...@gmail.com> wrote:
Hi, what is the official way of setting the enterprise policy for enabling extensions if I don't want to force install them?

If I add the URL to "ExtensionInstallSources" will that be enough? Do I need to add the extension id to the whitelist? Based on the documentation, the whitelist has no effect if the blacklist is not enabled? Will this still be true?

Hi Dan-
 
We're augmenting the meaning of the "ExtensionInstallWhitelist" policy value for you to specify extension ids that should be allowed by enterprise policy but are not force-installed (via ExtensionInstallForcelist). Previously this key was only useful when you also specified an ExtensionInstallBlacklist of "*", meaning everything is blacklisted except anything on the whitelist.
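
The verification rule described in this thread (webstore-hosted, enterprise policy, or loaded for development, with apps and themes exempt) combined with the widened ExtensionInstallWhitelist meaning, modelled as an added example that is not Chrome's code and not part of the original messages. The `Installed` and `Policy` records, their fields, the sample ids and the decision to evaluate the blacklist for every item kind are assumptions made for illustration.

```python
import re
from dataclasses import dataclass

ID_RE = re.compile(r"^[a-p]{32}$")  # extension ids: 32 letters in the range a-p


@dataclass(frozen=True)
class Installed:  # hypothetical inventory record, not a Chrome data structure
    ext_id: str
    kind: str = "extension"     # "extension", "app" or "theme"
    in_webstore: bool = False   # the id is published in the webstore
    dev_unpacked: bool = False  # loaded unpacked by a developer


@dataclass(frozen=True)
class Policy:  # hypothetical container for the policy values named in the thread
    forcelist: tuple = ()  # ExtensionInstallForcelist entries, "id;update_url"
    whitelist: tuple = ()  # ExtensionInstallWhitelist ids
    blacklist: tuple = ()  # ExtensionInstallBlacklist ids, "*" = everything


def policy_ids(entries):
    """Well-formed ids named by a policy list; malformed entries are ignored."""
    ids = (entry.split(";", 1)[0].strip() for entry in entries)
    return {i for i in ids if ID_RE.match(i)}


def verdict(item, policy):
    """Return (allowed, reason) for one installed item under the stated rule."""
    if item.ext_id in policy_ids(policy.forcelist):
        return True, "enterprise policy: force-installed"
    if item.ext_id in policy_ids(policy.whitelist):
        return True, "enterprise policy: whitelisted"
    # Assumption: the blacklist is evaluated for every kind of item.
    if "*" in policy.blacklist or item.ext_id in policy_ids(policy.blacklist):
        return False, "blacklisted by enterprise policy"
    if item.kind != "extension":
        return True, "apps and themes are not checked"
    if item.in_webstore:
        return True, "hosted in the webstore"
    if item.dev_unpacked:
        return True, "loaded for development"
    return False, "not from the webstore, policy or development"


def audit(inventory, policy):
    """Map each id that would stop loading to the reason."""
    return {i.ext_id: why for i in inventory
            for ok, why in [verdict(i, policy)] if not ok}


# Constructed inventory: the ids are placeholders, not real extensions.
SIDELOADED = Installed("a" * 32)
STORE = Installed("b" * 32, in_webstore=True)
THEME = Installed("c" * 32, kind="theme")
DEV = Installed("d" * 32, dev_unpacked=True)
INVENTORY = [SIDELOADED, STORE, THEME, DEV]

if __name__ == "__main__":
    for name, pol in [("no policy", Policy()),
                      ("whitelist only", Policy(whitelist=("a" * 32,))),
                      ("blacklist *", Policy(blacklist=("*",)))]:
        print(name, audit(INVENTORY, pol))
```

Running an inventory through `audit` before the enforcement release shows which sideloaded ids need either a webstore listing or a whitelist entry.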

Dan Jung

Dec 5, 2013, 4:51:24 PM
to chromium-...@chromium.org, Dan Jung
Thanks.
What version of Chrome will these changes take effect? 
Will there be a way to test that chrome is honoring the ExtensionInstallWhitelist policy before the security changes go into effect?

Dan


Antony Sargent

Dec 9, 2013, 7:01:42 PM
to Dan Jung, Chromium-extensions
The blog post announced the policy change becomes effective in January. The code actually enforcing the policy change will be rolling out in one of the releases early in the new year, depending on how quickly we can finish fixing some important bugs like https://code.google.com/p/chromium/issues/detail?id=327137.

