Can Google make Chrome Extensions "Tamper Proof"


John Crawford

May 21, 2013, 11:05:48 AM
to chromi...@chromium.org
Here is the problem as I see it.

Some people (me included) want to try to monetize their Chrome extensions. Nothing expensive, just $1-2.

The issue is that any licensing solution can be negated by tech-savvy people who are able to open the code of your extension and edit the licensing section out of your extension.

if (isLicensed) {
  // extension code here
}

changed to

if (true) {
  // extension code here
}

So the idea is this:

  1. You register your Chrome Extension with the Chrome store, and on submission a "CheckSum" is calculated and stored as a property of the extension.
  2. Google adds a small, similar bit of client-side code in Chrome that does the following on loading the extension:
    1. On loading the extension, calculate the checksum based upon the entire contents of the Chrome extension as stored on disk on the client computer.
    2. Compare the calculated checksum against the stored version in the Chrome store.
    3. If the checksums match, the code has not been tampered with, so continue to load.
    4. Else, if they don't match, someone has tampered with the code, so error and fail to load the extension.
This would allow you to implement your licensing code without people being able to easily switch it off.

Your thoughts on this Mr Google?
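
The load-time check proposed in steps 1 and 2 above, sketched as an added example that is not part of the original post and is not Chrome's code. The in-memory file map, the `Map` standing in for the store, and the names `packageDigest`, `registerWithStore` and `verifyOnLoad` are assumptions made for illustration.

```javascript
// Added example: checksum-on-load as described in the proposal (hypothetical names).
const nodeCrypto = require('crypto');

// Deterministic SHA-256 over every file. Names are sorted, and each name and
// body is length-prefixed so bytes cannot move between entries unnoticed.
function packageDigest(files) {
  const hash = nodeCrypto.createHash('sha256');
  for (const name of Object.keys(files).sort()) {
    const nameBytes = Buffer.from(name, 'utf8');
    const bodyBytes = Buffer.from(files[name], 'utf8');
    const lengths = Buffer.alloc(8);
    lengths.writeUInt32BE(nameBytes.length, 0);
    lengths.writeUInt32BE(bodyBytes.length, 4);
    hash.update(lengths).update(nameBytes).update(bodyBytes);
  }
  return hash.digest('hex');
}

// Step 1: on submission the store records the digest for the extension.
function registerWithStore(store, extensionId, files) {
  store.set(extensionId, packageDigest(files));
}

// Step 2: on load, recompute the digest from the files on disk and compare.
function verifyOnLoad(store, extensionId, filesOnDisk) {
  const expected = store.get(extensionId);
  if (expected === undefined) {
    return { load: false, reason: 'UNKNOWN_EXTENSION' };
  }
  if (packageDigest(filesOnDisk) !== expected) {
    return { load: false, reason: 'CHECKSUM_MISMATCH' };
  }
  return { load: true, reason: 'OK' };
}

// Constructed sample data: a two-file extension and a locally edited copy.
const published = {
  'manifest.json': '{"name":"Example","version":"1.0"}',
  'main.js': 'if (isLicensed) {\n  run();\n}\n',
};
const edited = { ...published, 'main.js': 'if (true) {\n  run();\n}\n' };

const store = new Map();
registerWithStore(store, 'example-extension-id', published);
console.log(verifyOnLoad(store, 'example-extension-id', published));
console.log(verifyOnLoad(store, 'example-extension-id', edited));
```

The result is only meaningful where an unmodified loader actually runs the check, which is the limit the replies below go on to discuss.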

Scott Fujan

May 21, 2013, 12:16:00 PM
to John Crawford, Chromium Apps
This is already done. This is exactly what the crx file format does, only better by using a private key and signature instead of a checksum and central authority. http://developer.chrome.com/extensions/crx.html

This makes it so that no one can take your extension id. It does not protect against taking code and features and running a separate extension id locally.

PS: I explicitly tested this just now and I did get a CRX_SIGNATURE_VERIFICATION_FAILED, so it's working




Omnray

May 22, 2013, 8:58:55 AM
to chromi...@chromium.org, John Crawford
Interesting. Is this something new in Chrome v26, or has it been there for a long time? My users often go to the extension directory and modify the CSS files, for example. I saw such advice in reviews. None of them met any CRX_SIGNATURE_VERIFICATION_FAILED, as I understand.

Omnray

May 22, 2013, 9:26:19 AM
to chromi...@chromium.org


On Tuesday, May 21, 2013 6:05:48 PM UTC+3, John Crawford wrote:
Here is the problem as I see it.

Some people (me included) want to try to monetize their Chrome extensions. Nothing expensive, just $1-2.

The issue is that any licensing solution can be negated by tech-savvy people who are able to open the code of your extension and edit the licensing section out of your extension.

I think that is not the hazard, actually. For any tech-savvy person, spending an hour to get around even the simplest if-else protection, and then running into trouble with further updates, is way more annoying than spending $1-2. Or even $5-10.

But it would be cool to know the real data, of course.

The real danger is pirates who will distribute and promote the cracked version.
This is actually what put many small developers in the Windows market on a path to complete extinction.
I saw several sales graphs for small shareware products, with a big collapse on the day the cracked version went live.

Omnray

May 22, 2013, 9:35:02 AM
to chromi...@chromium.org, John Crawford
I just checked: the unpacked extension in the target folder where Chrome unpacks the crx is easily editable without any problems, and loads successfully like the original one.

On Tuesday, May 21, 2013 7:16:00 PM UTC+3, Scott wrote:

Japhy Bartlett

May 22, 2013, 11:10:49 AM
to Omnray, Chromium Apps, John Crawford
John misunderstood a little... the crx format protects users from malicious (and fake) publishers, but it doesn't protect the publisher from the user.

You as a publisher could route some key functionality through your servers, but otherwise you're facing the same DRM dilemma as everyone else. 

John Crawford

May 22, 2013, 11:46:19 AM
to chromi...@chromium.org, Omnray, John Crawford
In my defense, I think you will find that Scott was the person who suggested CRX :-).
I was suggesting a functionality enhancement in Chrome to protect the IP inside these Chrome extensions and allow us developers a way to successfully monetise simple extensions.

"You as a publisher could route some key functionality through your servers".

I have seen this done in the "Powerbot for Gmail" but this is integrating between Gmail and Evernote, so there is a clear server API layer that can be disabled to stop the system working if people do not pay for a license.

In the case of a simple extension (like one I have helped develop, "Actions for Gmail" check it out, inline delete/archive actions for Gmail. ;-) the functionality is all contained within chrome.

You could go to the effort of implementing all sorts of schemes to validate back to base and disable access if people have not paid, but again, I don't see the point if anyone can open the extension and just rip out the license validation code.

So, I take it that the CRX does not solve the problem; then does anyone think there is merit in my idea?

I think the only downfall is that people can still make copies and load them in Chrome as an unpacked extension and do whatever they want.

An extra idea: perhaps the CRX files (which are essentially Zip files from what I have read) can be password protected? Again, only Chrome via the Chrome store can open the extension. There would obviously be some overhead in extracting the extension on load, but most extensions are pretty small.

I understand that as it is today there is no way to lock down your extension; you can obfuscate, but that only makes it a bit harder, not impossible. So I am hoping that by thinking out loud on this, there might be some merit to the idea and maybe Google could enhance Chrome? I know it's a long shot.

Cheers

Japhy Bartlett

May 22, 2013, 12:13:04 PM
to John Crawford, Chromium Apps, Omnray
Ah sorry, I meant to say "Scott was mistaken". 

Without speaking to the technical feasibility of building this functionality into an open source project, imho, the drama google would face for implementing DRM would dramatically outweigh whatever it might gain them with extension authors.  

David Brodbeck

May 22, 2013, 1:41:41 PM
to Chromium Apps
On Wed, May 22, 2013 at 9:13 AM, Japhy Bartlett <jbar...@lakeshoreint.com> wrote:
Ah sorry, I meant to say "Scott was mistaken". 

Without speaking to the technical feasibility of building this functionality into an open source project, imho, the drama google would face for implementing DRM would dramatically outweigh whatever it might gain them with extension authors.  


Also, since Chrome is open-source, you've only moved the problem up a notch; now it just becomes a matter of editing the source code to yank out the DRM protection, then rebuilding Chromium.

I really think the only way to reliably monetize a Chrome app or extension is to come up with some kind of value-added, server-based feature that people will be willing to pay for.  Then you can authenticate access to the service based on whether someone has paid.

I think the energy barrier to copying the actual extension or app itself is so low that charging for it is just asking for piracy, and not worth the trouble.

John Crawford

May 22, 2013, 10:52:21 PM
to chromi...@chromium.org
Thanks, I think that succinctly sums up the situation. 

Given the cost-benefit of trying to license your simple Chrome extension, my conclusion is:

If you wish to generate any revenue from a simple Chrome extension, then provide a donate button and hope you have 1 Million+ downloads and get a decent donation conversion ratio.

Cheers

Omnray

May 22, 2013, 10:52:39 PM
to chromi...@chromium.org
Not everyone is a computer geek. Installing custom Chromium builds, unpacked pirated extensions, without support and updates... all of this is too much even for me. For 2-3$/m, I am going to pay this amount for anything I really use, even if the pirated version appears in the autocomplete box when I search for the title of the original, just to not waste my time on all of this.

Omnray

May 22, 2013, 11:00:38 PM
to chromi...@chromium.org
Having said all of this, it would be really cool if Google just added some more energy barriers and made the process of installing cracked versions a little more complex for the general public. For example, allowing an unpacked extension to be loaded in Chrome only if there is some command-line switch which enables such a mode. This would be sufficient for most users to not waste time with pirated extensions if the original costs 2-3$.

And editing the sources of the original extension in the unpacked location is not an issue, as any update overwrites such edits. And updates can be released daily.

Omnray

May 22, 2013, 11:01:36 PM
to chromi...@chromium.org
Unfortunately, donations do not work at all.

Omnray

May 22, 2013, 11:11:09 PM
to chromi...@chromium.org
Even more, sometimes it really looks like when users download something for free from the CWS, many of them feel as if they are doing you an astonishing favor.

This one summarizes it really well:
I really appreciate all the thank you asks, promotions, bug reports, feature requests, and donations. I would appreciate this whole thing if people stopped acting like they’ve paid $150 just to download XKit. 
....

Sometimes I feel the same.

Omnray

May 22, 2013, 11:23:00 PM
to chromi...@chromium.org
I am, of course, exaggerating all of this, actually. Only very rare people behave like that, but for some reason they are the most visible and leave the strongest memories after contact.

Omnray

May 22, 2013, 11:47:59 PM
to chromi...@chromium.org
Donations never actually worked, even 5-10 years ago, when there was a different atmosphere.
And now most people just expect everything to be free, especially in the CWS.
On a 5-star extension with 1M active users you will maybe be making 1000$/m on donations,
and this will also add a full day of support for you,
but before you get to this 1M you will most likely spend a year or two of full-time work.


On Thursday, May 23, 2013 5:52:21 AM UTC+3, John Crawford wrote:

David Brodbeck

May 24, 2013, 12:29:28 PM
to Chromium Apps
On Wed, May 22, 2013 at 7:52 PM, Omnray <omn...@gmail.com> wrote:


On Wednesday, May 22, 2013 8:41:41 PM UTC+3, Orville wrote:
Also, since Chrome is open-source, you've only moved the problem up a notch; now it just becomes a matter of editing the source code to yank out the DRM protection, then rebuilding Chromium.

 
Not everyone is a computer geek. Installing custom Chromium builds, unpacked pirated extensions, without support and updates... all of this is too much even for me. For 2-3$/m, I am going to pay this amount for anything I really use, even if the pirated version appears in the autocomplete box when I search for the title of the original, just to not waste my time on all of this.

Well, true.  But it only takes one geek to break the DRM and then publish a free version of your paid app.  It wouldn't be worth my trouble, but some freetard will do it.

