Disable Developer Mode Extensions (incredibly annoying popup)


Si Robertson

Feb 23, 2014, 9:12:55 AM
to chromium...@chromium.org
I have recently updated Google Chrome to version 33.0.1750.117m and an incredibly annoying popup, telling me to disable developer mode extensions, is now appearing whenever I start the browser. There appears to be no way to disable the popup.

I use a couple of my own unpacked extensions on my own computer, one of which is simply used as a replacement for the "new tab" page. Apart from those custom extensions I have no other extensions installed. I do not, repeat do not, want to be constantly told to disable them. I also have to ask why Google believe non tech savvy users would enable and install developer mode extensions in the first place. Anyone who does enable and install them will be aware of what they are doing and also understand the risks involved.

Please do something about this, the fact that Chrome is still using the terrible new UI is bad enough (despite the fact a much better design has been available in Canary for weeks), and I know for a fact that some long-term Chrome users have already moved to Firefox because of these recent changes. I am on the verge of making the move to Firefox myself now.

Who is making these bad decisions at Google?

PhistucK

Feb 24, 2014, 1:46:28 PM
to retrom...@gmail.com, Chromium-discuss
To answer your question about non tech savvy - this is exactly the point, the users are not enabling or installing them, the malware does.
I believe this clears things up.


PhistucK


--
--
Chromium Discussion mailing list: chromium...@chromium.org
View archives, change email options, or unsubscribe:
http://groups.google.com/a/chromium.org/group/chromium-discuss
 

To unsubscribe from this group and stop receiving emails from it, send an email to chromium-discu...@chromium.org.

Si Robertson

Feb 24, 2014, 2:16:19 PM
to chromium...@chromium.org, retrom...@gmail.com
In that case we need a setting to disable the popup warning, or would that be subject to malware manipulation as well? Let's be honest, if malware is able to configure Chrome at this level then potentially malicious browser extensions are the last thing end-users should be concerned about.

Finnur Thorarinsson

Feb 25, 2014, 8:23:29 AM
to Alon Gothshmidt, retrom...@gmail.com, Chromium-discuss
> Anyone who does enable and install them will be aware of what they are doing and also understand the risks involved.

As PhistucK pointed out, that statement is certainly not true when it comes to malware that can load extensions unpacked without the user knowing it (until now, hopefully).

Loading unpacked extensions is primarily a developer feature, and as such you might consider being on the Chrome Dev channel, which does not have this warning bubble. Other alternatives include using Chrome on other platforms than Windows or simply uploading your extension to the Chrome Web Store (your extension doesn't have to be listed publicly) and installing it from there (removing the one you loaded unpacked). That would also take care of the warning bubble. Yet another alternative (may or may not work for your use case) is to use your extension solely on the Chrome Canary (you seem to indicate you've already installed that). Hopefully some of those options work out.

We'd love to make a kill switch for this bubble but that would defeat the whole purpose of this bubble (to make devmode extensions visible to the user) because malware can (and will) then just flip the kill switch. 

PhistucK

Feb 25, 2014, 8:43:31 AM
to Finnur Thorarinsson, Si Robertson, Chromium-discuss
The problem with using Chrome dev or the canary builds is that you are not developing on a platform for which the users are using (stable).
There can be differences, new features, bug fixes and until you test it using the stable Chrome, you will never know they exist.
Also, since the web store currently does not provide an API for uploading a version, it makes the process quite tedious and very, very hard to automate.

Note that I am just pointing these out - I am aware there is no other solution at the moment.


PhistucK

Torne (Richard Coles)

Feb 25, 2014, 8:47:53 AM
to Alon Gothshmidt, Finnur Thorarinsson, Si Robertson, Chromium-discuss
On 25 February 2014 13:43, PhistucK <phis...@gmail.com> wrote:
> The problem with using Chrome dev or the canary builds is that you are not developing on a platform for which the users are using (stable).
> There can be differences, new features, bug fixes and until you test it using the stable Chrome, you will never know they exist.
> Also, since the web store currently does not provide an API for uploading a version, it makes the process quite tedious and very, very hard to automate.

Right, but if you're using stable for extension development/testing purposes you can probably live with dismissing the infobar letting you know about it since you aren't doing it all the time; the original poster sounds like they are just using the developer mode as a workaround for not being able to install off-store extensions any more.

Finnur Thorarinsson

Feb 25, 2014, 12:07:32 PM
to PhistucK, Si Robertson, Chromium-discuss
On Tue, Feb 25, 2014 at 1:43 PM, PhistucK <phis...@gmail.com> wrote:
> The problem with using Chrome dev or the canary builds is that you are not developing on a platform for which the users are using (stable).

And the problem with developing on Stable is that you don't get advance notice of potentially breaking changes, which results in late discovery (when the problem hits your userbase). 

That's why a developer should probably live on the Dev channel and test also on Stable.

But, we're digressing....

PhistucK

Feb 25, 2014, 12:41:40 PM
to Finnur Thorarinsson, Si Robertson, Chromium-discuss
Yes, I see your point. Sounds like a good purpose for the canary (on Windows and Macintosh, anyway).


PhistucK

Finnur Thorarinsson

Feb 26, 2014, 9:13:21 AM
to retrom...@gmail.com, Chromium-discuss
Yup. That's subject to malware manipulation as well.

> Let's be honest, if malware is able to configure Chrome at this level then potentially malicious browser extensions are the last thing end-users should be concerned about.

We can't fix every computer out there that is infested, but the bubble is just one aspect of an effort to help at least surface the problem for users and address some of their pain points. As Antony Sargent wrote on another thread:

> [...] after having already tried some less intrusive changes last year that have become commonly worked around, we've seen a really alarming trend in the growth of users affected by unwanted extensions that cause very poor user experience. Please take a look at the complaints link from our recent blog post to get an idea of the kind of frustration this causes affected people.



On Mon, Feb 24, 2014 at 7:16 PM, Si Robertson <retrom...@gmail.com> wrote:
> In that case we need a setting to disable the popup warning, or would that be subject to malware manipulation as well? Let's be honest, if malware is able to configure Chrome at this level then potentially malicious browser extensions are the last thing end-users should be concerned about.

Si Robertson

Feb 26, 2014, 12:09:35 PM
to chromium...@chromium.org, retrom...@gmail.com
The thing that would resolve this issue for me (can't speak for anyone else) is an option in the chrome://settings page to set the address of the HTML document that chrome://newtab opens. I use my own unpacked extension to deal with that at the moment, and I wouldn't need any extensions installed at all if I was able to tell Chrome what address to use for new tabs.

Sounds silly I know, but it's the little things that usually make the biggest difference :-)

PhistucK

Feb 26, 2014, 1:32:11 PM
to Si Robertson, Chromium-discuss
There are extensions that do similar stuff. Have you searched the Chrome Web Store?
If not, you can just upload the one you created and make it private.


PhistucK



Si Robertson

Feb 26, 2014, 3:46:23 PM
to chromium...@chromium.org, Si Robertson
I have considered doing that but it means using someone else's extension or paying Google $5 USD to upload a custom one for my own personal use. I know the latter is a one-off fee for developers but we shouldn't have to jump through those hoops to change the new tab page in Chrome. All I want to do is point Chrome at a HTML file on my local file system or on a remote server, I can't imagine any security issues arising from that, it would be no different than browsing to the file.

We can change the Home page - we should be able to change the New Tab page the same way :-)

PhistucK

Feb 26, 2014, 4:06:18 PM
to Si Robertson, Chromium-discuss
What is the problem with using an extension by someone else? I am sure there is one that lets you define your own URL or something.


PhistucK

ChrisW

Feb 27, 2014, 10:10:08 AM
to chromium...@chromium.org
One concern with using an extension by someone else is that a number of extensions have recently been sold to people who use them to display ads or otherwise manipulate the user experience for their own financial gain, much to the user's detriment. I'll note that there seems to have been little interest in the past by those in charge of the Web Store to proactively police this sort of behavior and warn users of potential problems or disable the extensions entirely.

Another concern is the extension developer selling or otherwise using the information you provide (including your browsing history) to a third party, which seems a completely unnecessary risk when you could simply whip up a small extension to run on your own system, where you have control over the data.

The idea that it's necessary to create a focus-grabbing intrusive dialog on every startup is ridiculous. Why not use a system in which the state of the Developer Tools option is tracked, and upon a change, the popup is triggered. The user can choose to bypass it, and then the popup is not triggered again until another state change or update to the software. Someone above said that if you put in a kill switch, then malware developers will just figure out how to trigger it automatically. That may be, but surely there's a balance we can find here besides "sorry, you're SOL, use the dev or beta versions," which is not a valid option for people who merely want to use purpose-built content scripts and extensions for their exclusive personal use. 

Your own information about release channels indicates that beta and dev are not appropriate for those who don't want their experience negatively impacted by bugs. You're basically telling the power user that you don't want them to use your browser for anything that requires some confidence that the browser isn't going to crash in the middle of something important.

PhistucK

Feb 27, 2014, 2:59:08 PM
to wxguy...@gmail.com, Chromium-discuss
While I agree that using a non stable build is not ideal, an active extension author should be aware of the changes that happen in pre-stable releases, because they will eventually get to the stable channel and your extension may (but should not) break.

And, no, there is no balance here - the goal of this (annoying) feature is to protect the average, non tech savvy user (most of the user base of Chrome). If the malware gets its hands on a kill switch (and it surely would if one exists, especially a preference based one), the user is left unknowingly compromised and the goal is not achieved.

I agree that intentional private hacking (such as creating an unpacked extension due to the five dollar registration fee) was made harder (or simply more annoying), but I do not see a way to make it easier (or less annoying) without compromising users. Any suggestion (bearing the main goal of protecting the average user in mind)?


PhistucK

Si Robertson

Feb 27, 2014, 3:30:55 PM
to chromium...@chromium.org, wxguy...@gmail.com
The suggestion I have already posted is to allow the address of the new tab page to be changed the same way as the home page address - allowing that would also satisfy a lot of the other Chromium/NTP complaints I have seen doing the rounds recently.

My second suggestion would be to drop the Web Store developer fee until a developer releases a product publicly for the first time, i.e. if a developer simply wants to create private extensions they won't be charged for doing so.

Both of those would solve the problem without compromising Chromium's user security but the second suggestion would obviously require a lot more work outside of Chromium. The first suggestion should be incredibly easy for the Chromium team to implement.

Those are the only reasonable (safe) solutions I can think of at the moment.

This problem really does need to be resolved one way or another though, and sooner rather than later.

ChrisW

Feb 27, 2014, 3:52:41 PM
to chromium...@chromium.org, wxguy...@gmail.com
The problem is that this feature not only impacts extension developers who release their product to the public, but also people who merely create extensions for their own convenience, to improve bad websites or to otherwise make a positive change on their Internet experience. Should developers who release extensions to the public test their product in pre-stable releases? Absolutely. But to lump those devs in with hobbyist developers is a gross simplification of the situation. Nobody should have to move to an unstable browser merely to be able to use extensions they created purely for their own convenience. 

It sounds to me like the real root of the problem is not Developer Mode, or extensions loaded from non-Web Store sources, but that Chrome's preferences and other support files can be manipulated by malicious programs. Let's tackle that problem at the source, instead of applying fixes that will eventually be worked around by malware authors. 

Why not encrypt these files, for instance? All of the options that are configurable via preference files are also exposed via Chrome's internal tools (chrome://flags for instance). Encryption may not be the best answer to this problem, I don't know. But it's one example of treating the disease instead of the symptoms. Another user has brought forth the idea of having the default stable build be a "protected" build with these malware-defense features activated, but also making available another build where these features are disabled. This would be a great option since your average non-savvy user is going to download whatever default option is presented to them.

It seems that playing defense (as we've always done) with malware isn't working and is now causing the Chrome project to make decisions that disrupt the experience of those power users who, for a very long time, have been vocal and outspoken advocates of Chrome. I respectfully suggest that there is a balance that can be struck to both protect the average, non tech-savvy user, but also provide the features and flexibility that power users have come to know and love about Chrome.

ChrisW

Feb 27, 2014, 4:35:19 PM
to chromium...@chromium.org, wxguy...@gmail.com
My initial reply appears to have been deleted. Let's try this again. You ask specifically for a suggestion:

> to make it easier (or less annoying) without compromising users.

The feature we're discussing is one treatment of a symptom, not the root cause. Developer Mode is not the root cause of the extensions being installed without user consent. The root cause is that Chrome's preferences and other support files can be manipulated by malicious programs, as mentioned in both this discussion thread and others. My suggestion is to address this root cause of this problem by protecting the preference and other support files against malicious modification. Encryption, storing settings in the cloud, using sync to confirm changes between browsers, and hashing preference files and comparing the hashes are a few things I came up with in a few minutes of brainstorming.

These example ideas might be unworkable, but that's not the point. The point is that it's better to address the root cause of a problem than pluck away useful features that can be used for both good and bad. If malware can't modify preferences, it can't override a setting to bypass the Developer Mode warning, nor can it turn on Developer Mode without the user's consent.


On Thursday, February 27, 2014 2:59:08 PM UTC-5, PhistucK wrote:

PhistucK

Feb 27, 2014, 4:39:21 PM
to Si Robertson, Chromium-discuss, wxguy...@gmail.com
Your first suggestion only resolves the narrow case of replacing the new tab page.
Your second suggestion can still be harmful (if you can install it from the webstore, anyone can. Or - just trying to come up with ways here - the malware can, say, sign you into a certain Google account that has the private extension).


PhistucK

Si Robertson

Feb 27, 2014, 5:26:24 PM
to chromium...@chromium.org, Si Robertson, wxguy...@gmail.com
So are you saying malware could gain control of Chromium, sign users into and out of various Google accounts, and install malicious public/private extensions? If that's true, Google have a losing battle on their hands here, nothing short of completely removing the extensions functionality from Chromium will solve this problem, and it makes the new dialog warning in Chromium seem extremely futile.

This is madness. I honestly don't know what else to say or suggest.

PhistucK

Mar 1, 2014, 3:55:18 AM
to Chris Webster, Chromium-discuss
(I got both of your replies)

If the browser has to decrypt and encrypt the preference file, any malware can catch up to this in a matter of hours. It is a lost battle.
Do you have any other suggestion (and not "come up with something", because I can assure you the team has definitely tried to come up with something, as this decision was not taken lightly)?

However, creating a new (stable) edition of the browser that is aimed for developers (a simple boolean within the binary, I guess) and tech savvy users looks like a good compromise (to us). Since the number of people that actually create extensions for themselves (and are not kind enough to share them with the rest of the world... ;) I am kidding, of course) is very, very low, I reckon the team will not spend time on that, because it seems like a non trivial maintenance burden (but the team knows better than me).
(Of course, if a simple boolean within the binary is used, the malware can patch the browser to inverse the boolean, I guess, but perhaps this is a major undertaking... which I do not believe so, but, if a low number of users actually use the developer aimed edition, perhaps malware creators would not bother messing with it)


PhistucK

Si Robertson

Mar 1, 2014, 4:17:16 AM
to chromium...@chromium.org, Chris Webster
Sorry, I have to ask this [non argumentative] question.

Considering how much control over Chromium malware can gain, and gain easily by the sounds of it, what purpose is the new popup warning actually serving apart from making casual Chromium users feel safe?

This conversation is now reminding me of the 1950s "Duck and Cover" public awareness campaign in the US :-D

Finnur Thorarinsson

Mar 3, 2014, 10:33:27 AM
to Si Robertson, Chromium-discuss, Chris Webster
The purpose of the popup is not to make anyone feel safe. And actually it is quite the opposite. It is to let people, who don't know someone is silently loading extensions for them through developer mode, know that something strange might be going on.

We realize this is inconvenient for people who knowingly load extensions this way, but finding a way to minimize that inconvenience without malware taking advantage of it too is tricky. I'm hoping this effort is temporary and we can eventually get rid of the bubble, but it is not my call. But there are many options on the table for you to get rid of this bubble today, including uploading the extension to the Chrome Web Store, using other channels than beta/stable and using other platforms than Windows, as we've mentioned.

PhistucK

Mar 3, 2014, 12:08:15 PM
to Finnur Thorarinsson, Si Robertson, Chromium-discuss, Chris Webster
Two critical notes about your suggestion -
Using platforms other than your current platform is a big deal and loading extensions is not really a good reason to do so.
Also, uploading to the Web Store requires the five dollar payment which exposes your credit card to Google (perhaps in the USA you can get a prepaid card or something, however, this is not possible everywhere).
And of course, using a non stable edition means putting up with many more bugs, crashes, security issues and general instability, which is also not really recommended or convenient.


PhistucK

Finnur Thorarinsson

Mar 3, 2014, 3:14:03 PM
to PhistucK, Si Robertson, Chromium-discuss, Chris Webster
Indeed. I'm fully aware that each of these options comes with a drawback. 

These drawbacks were all known when the decision was made and what it came down to was that the needs of the many seemed to outweigh the needs of the few in this case.

Christopher Robbins

Mar 6, 2014, 7:09:29 PM
to chromium...@chromium.org
Seems painfully obvious that there could be a ONE TIME popup for EACH NEW developer mode extension.

Si Robertson

Mar 8, 2014, 5:01:22 AM
to chromium...@chromium.org
Sounds reasonable to me, but I imagine we will see a "malware could manipulate the stored information" related response from someone.

Torne (Richard Coles)

Mar 8, 2014, 5:41:07 AM
to Si Robertson, Chromium-discuss
Let me try and explain in more detail why this doesn't help; bear with me :)

1) The old situation, before this infobar was added:

1a) People who know what they're doing (developers, or just people who want to use a specific private/offstore/etc extension) can do what they want to by enabling developer mode.
1b) Software running on a user's computer can install any extension to Chrome without the user's consent or knowledge by enabling developer mode.

2) The current situation:

2a) People who know what they're doing have to dismiss the infobar on every start (or else use the dev channel or the other less convenient workarounds discussed in this thread)
2b) If software tries to install extensions without user consent by enabling developer mode, the user will be able to fix the situation from the infobar.

We made this change to protect the users from 1b), so any proposal to make life more convenient again for the users inconvenienced in 2a) has to leave users better off than 1b), because if the proposal *doesn't* provide any more security for users than the old, pre-infobar situation, then it would be simpler to just go back to the old situation, which was most convenient for developers. Makes sense, I hope?

So, the problem with having a one-time popup, whether it's one time to enable developer mode, or one time per developer mode extension, is that as Si mentions, we have to store the information about whether that one time already happened or not somewhere. If we store it in the local preferences along with the information about which extensions are installed, then any software that's able to try and install an extension as in 1b/2b can obviously just also set the flag to say "the user already saw, and accepted, the infobar for this extension", and then there is no more security for anyone than in 1b). If you want to store it somewhere else, then you'll have to propose where that somewhere else should be, how it will be protected, and how we can differentiate the user genuinely performing the action from some badly behaved software on their computer doing it.

We're open to proposals here, but we have decided that the security provided in situation 1) is not sufficient for our "typical" user - someone using chrome stable on windows who is not a web developer and doesn't have any desire to install off-store extensions. Any proposal has to do *something* to actually protect those users, or else it's no better than just asking us to revert this change, which we have already stated we aren't going to do.

This *does* inconvenience some users, and we knew it would, and we're sorry about that, but unless someone comes up with an alternative that is resilient against badly behaved software running on that "typical" user's computer trying to install extensions they don't want, it's unlikely to change. That's the threat model we're dealing with.


--
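
The argument in the message above can be checked against a small model. This is an added example, not part of the thread and not Chromium code: the profile layout, function names and extension ids are all hypothetical. It evaluates three warning policies (warn on every start, a stored one-time acknowledgment, and that acknowledgment guarded by a MAC whose key sits in the same profile, as in the hashing idea raised earlier in the thread) after a second program running as the same user has added an extension.

```python
"""Toy model of the thread's threat model (constructed; not Chromium code).

A "profile" is a dict standing in for files that any process running as the
user can read and write. The layout and every name here are hypothetical.
"""
import hashlib
import hmac
import json
import os


def new_profile():
    # Preferences, MAC key and MAC all live in the user's profile,
    # so they share a single trust level.
    return {"prefs": {"dev_extensions": [], "acknowledged": []},
            "mac_key": os.urandom(32),
            "prefs_mac": ""}


def _mac(profile):
    blob = json.dumps(profile["prefs"], sort_keys=True).encode()
    return hmac.new(profile["mac_key"], blob, hashlib.sha256).hexdigest()


def user_loads_extension(profile, ext_id):
    """The genuine user loads an unpacked extension and accepts the prompt."""
    profile["prefs"]["dev_extensions"].append(ext_id)
    profile["prefs"]["acknowledged"].append(ext_id)
    profile["prefs_mac"] = _mac(profile)


def same_privilege_writer(profile, ext_id):
    """Another program running as the user. It can write whatever the browser
    can: the extension entry, the acknowledgment and a freshly computed MAC."""
    profile["prefs"]["dev_extensions"].append(ext_id)
    profile["prefs"]["acknowledged"].append(ext_id)
    profile["prefs_mac"] = _mac(profile)  # the key is readable at this privilege


def stale_mac_writer(profile, ext_id):
    """A writer that edits the preferences but leaves the old MAC in place."""
    profile["prefs"]["dev_extensions"].append(ext_id)
    profile["prefs"]["acknowledged"].append(ext_id)


# --- Warning policies, each returning the extensions to warn about ---------

def warn_every_start(profile):
    """Situation 2a/2b: warn whenever any developer-mode extension is loaded."""
    return list(profile["prefs"]["dev_extensions"])


def warn_once_flag(profile):
    """One-time popup: warn only where no acknowledgment is stored."""
    acked = set(profile["prefs"]["acknowledged"])
    return [e for e in profile["prefs"]["dev_extensions"] if e not in acked]


def warn_once_with_mac(profile):
    """One-time popup, but the stored flags count only if the MAC verifies."""
    if not hmac.compare_digest(profile["prefs_mac"], _mac(profile)):
        return list(profile["prefs"]["dev_extensions"])  # stale MAC: warn on all
    return warn_once_flag(profile)


POLICIES = (warn_every_start, warn_once_flag, warn_once_with_mac)


def run_scenario(writer):
    """User installs one extension knowingly, then `writer` adds another."""
    profile = new_profile()
    user_loads_extension(profile, "my-newtab")
    writer(profile, "unwanted-ext")
    return {policy.__name__: policy(profile) for policy in POLICIES}


if __name__ == "__main__":
    for writer in (same_privilege_writer, stale_mac_writer):
        print(writer.__name__)
        for name, warned in run_scenario(writer).items():
            print(f"  {name:20s} warns about: {warned}")
```

Only the every-start policy still reports the unwanted extension once the writer also updates the flag and the MAC; the MAC helps only against a writer that leaves it stale.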

PhistucK

Mar 8, 2014, 6:22:15 AM
to Richard Coles, Si Robertson, Chromium-discuss
Has the notification changed in newer Chrome versions from a focus grabbing bubble to an infobar?
Chrome 33 shows a focus grabbing bubble, not an infobar. A focus grabbing bubble is obviously much more annoying than a non focus grabbing infobar.


PhistucK


Si Robertson

Mar 8, 2014, 6:27:09 AM
to chromium...@chromium.org, Richard Coles, Si Robertson
The focus grabbing is actually the thing that annoys me, if the notification didn't grab focus I wouldn't mind it being displayed.

Torne (Richard Coles)

Mar 8, 2014, 7:26:09 AM
to PhistucK, Si Robertson, Chromium-discuss

Oh, sorry, I haven't actually seen the UI for this :) My comments all still apply.

PhistucK

Mar 8, 2014, 7:53:48 AM
to Torne (Richard Coles), Si Robertson, Chromium-discuss
Then here is a suggestion - what about converting that annoying focus grabbing bubble into a raging infobar? :)


PhistucK

Chris Webster

Mar 8, 2014, 9:04:58 AM
to phis...@gmail.com, Si Robertson, Chromium-discuss, to...@chromium.org

You could even make it red, so it really jumps out at the user to tell them something Very Bad may be afoot, without stealing focus (which is also my primary objection to the popup).

Isiah Meadows

Mar 10, 2014, 10:50:55 PM
to chromium...@chromium.org
In direct response to the boolean switch, it would be better if that was a build flag instead of a hard coded boolean. That would completely eliminate the security hole there before it could ever surface

PhistucK

Mar 11, 2014, 3:40:47 AM
to Isiah Meadows, Chromium-discuss
That depends on the implementation, of course. A hacker can still do it, it would just be more difficult (software is cracked all of the time).


PhistucK


On Tue, Mar 11, 2014 at 4:50 AM, Isiah Meadows <impi...@gmail.com> wrote:
> In direct response to the boolean switch, it would be better if that was a build flag instead of a hard coded boolean. That would completely eliminate the security hole there before it could ever surface

Finnur Thorarinsson

Mar 11, 2014, 6:35:23 AM
to Alon Gothshmidt, Isiah Meadows, Chromium-discuss
Infobars are for messages that are contextual to the page you are on and as such would draw attention *away* from the actual extensions we are trying to highlight. A bubble, in comparison, points to the extensions in question so it is obvious what we are drawing attention to.

If I understand the build flag suggestion correctly, you are suggesting this feature could be turned off via a build flag. That's certainly true, but I don't see that it would help that many people (few are running custom builds of Chromium and all of them could just disable this feature in their build) so time would be better spent elsewhere.

Isiah Meadows

Mar 11, 2014, 6:58:30 AM
to Finnur Thorarinsson, Chromium-discuss, Alon Gothshmidt

On Mar 11, 2014 3:41 AM, "PhistucK" <phis...@gmail.com> wrote:
>
> That depends on the implementation, of course. A hacker can still do it, it would just be more difficult (software is cracked all of the time).

It at least makes it substantially more difficult. And also, how hard is it to patch the base of Chromium via exploiting the Extension API?

>
>
> ☆PhistucK
>
>
> On Tue, Mar 11, 2014 at 4:50 AM, Isiah Meadows <impi...@gmail.com> wrote:
>>
>> In direct response to the boolean switch, it would be better if that was a build flag instead of a hard coded boolean. That would completely eliminate the security hole there before it could ever surface

On Mar 11, 2014 6:35 AM, "Finnur Thorarinsson" <fin...@chromium.org> wrote:
>
> Infobars are for messages that are contextual to the page you are on and as such would draw attention *away* from the actual extensions we are trying to highlight. A bubble, in comparison, points to the extensions in question so it is obvious what we are drawing attention to.
>
> If I understand the build flag suggestion correctly, you are suggesting this feature could be turned off via a build flag. That's certainly true, but I don't see that it would help that many people (few are running custom builds of Chromium and all of them could just disable this feature in their build) so time would be better spent elsewhere.

I'm only suggesting a way to implement the original idea it *if* it would be. IMO the popup should be reduced to just once per extension installed with that flag set, not completely turned off (which would really endanger any user).

Also, it is something that could be done by Google for people to test extensions and apps on without a popup coming up every time.

Finnur Thorarinsson

Mar 11, 2014, 8:02:48 AM
to Isiah Meadows, Chromium-discuss, Alon Gothshmidt
> That depends on the implementation, of course. A hacker can still do it, it would just be more difficult (software is cracked all of the time).

People will surreptitiously patch our binaries but we're not aiming for this feature to be patching-proof.
  
> IMO the popup should be reduced to just once per extension installed with that flag set, not completely turned off (which would really endanger any user).

We've come full circle here as this has already been discussed and an explanation provided as to why this isn't going to work. I suggest you read Torne's previous detailed explanation on this thread (the one that starts with the words "Let me try and explain in more detail...").

PhistucK

Mar 12, 2014, 3:37:08 AM
to Finnur Thorarinsson, Isiah Meadows, Chromium-discuss
The infobar case has its exceptions. Session restore is confined to a single tab through an infobar, even though it is unrelated and should be a global window/browser infobar/bubble (according to the guideline you just mentioned).


PhistucK

Hugo Ojendiz

Mar 12, 2014, 11:23:20 AM
to chromium...@chromium.org
I feel like the kid that is bullied by a big dude every day, and the big dude says: "If you don't want to be annoyed, you can walk to the school using a different unstable route (Chrome-dev) or you can pay me $5 dollars and I will stop (chrome-store)"

I'm not an extension developer, I did a simple extension to help me with my work, now my co-workers don't want to use the extension because of the annoying popup, and I won't force them to use chrome-dev! Not even I want to change to the developer version.
Also I won't pay $5 dollars to publish my one-time-developer-only-for-my-work-useless-to-others extension!

If you say that it's the best to keep the pop up then drop the fee for private chrome extensions.

Finnur Thorarinsson

unread,
Mar 12, 2014, 4:28:54 PM3/12/14
to hoje...@gmail.com, Chromium-discuss
It is certainly unfortunate that the least inconvenient way of moving off of dev-mode (which by the way is not intended to be used as an extension delivery mechanism to end users) involves paying a fee. But, the fee is necessary, unfortunately. Quoting the blog from the registration fee announcement back in August 2010:

"The developer signup fee is a one-time payment of $5. It is intended to create better safeguards against fraudulent extensions in the gallery and limit the activity of malicious developer accounts."

> I did a simple extension to help me with my work

Which might mean you can deploy your extension to users via the group policy instead of via dev-mode. That should take care of the warning (and it doesn't involve paying the developer registration fee).

Phistuck:
> The infobar case has its exceptions.

Do any of the exceptions involve highlighting Extension icons?



PhistucK

unread,
Mar 12, 2014, 5:02:23 PM3/12/14
to Finnur Thorarinsson, hoje...@gmail.com, Chromium-discuss
I do not know, but it does not really matter here. The point is that the infobar distinction is irrelevant if it is not enforced anyway.
But nevermind. It will not happen, I know.


PhistucK


Dan Hlavenka

unread,
Jun 23, 2014, 12:41:52 PM6/23/14
to chromium...@chromium.org
I hate to resurrect an old discussion, but this "feature" is still a massive thorn in my side on a daily basis.

If someone has malware on their computer that's able to decrypt and modify Chrome's settings and make changes to logged-in Google accounts, that malware could also control the user's mouse to automatically dismiss the popup, or even directly modify the Chrome binary so the popup never shows up in the first place. Also, the only Chrome extension malware I've seen was all installed by enabling Enterprise features in Chrome and installing the extension that way, in which case not only does the user not hear a peep from Chrome, but the extension can't even be removed through Chrome's UI.

I think a fair compromise would be to allow an "authenticated" installation method, under which the user's Google account credentials are required to sign a hash containing the extension's ID each time a new unpacked extension is installed. If an attacker has a user's Google account password, or enough control over the network stack to spoof a reply from Google's servers, that user is probably screwed anyway. This solution still doesn't cover users who don't sign into Chrome due to privacy concerns, but since everything about this popup seems to be about ignoring the needs of the few in favor of those of the majority, I think "most" users probably do sign into their Google accounts, so a solution like this should be acceptable.

Slapshot136

unread,
Jun 27, 2014, 11:31:53 PM6/27/14
to chromium...@chromium.org


On Monday, June 23, 2014 12:41:52 PM UTC-4, Dan Hlavenka wrote:
I hate to resurrect an old discussion, but this "feature" is still a massive thorn in my side on a daily basis.

x2 - none of the solutions suggested here are any better than just using an older version of chrome and not updating it, which is probably a bigger security issue than a random extension somehow installing itself (or using the dev build, which has its own security issues)

so I would like to propose a solution where extensions can be installed with a temporary password instead - this password would need to be something that can't be generated by any malware, so I would suggest having it be sent/signed by google, perhaps to a phone number or e-mail address (please don't make it require a sign-in) - then chrome can "whitelist" the apps installed via this method that requires human interaction (I am sure we would be willing to help Google decipher a few street numbers as a one-time act) 

PhistucK

unread,
Jun 28, 2014, 3:54:51 AM6/28/14
to cristi...@gmail.com, Chromium-discuss
Admittedly, it is not that annoying for me anymore. I press Escape and go back to my business.


PhistucK



Sergei Pointer

unread,
Jul 5, 2014, 9:36:46 PM7/5/14
to chromium...@chromium.org
Why is the popup shown when starting every new Incognito window session?
Maybe it's enough to show it once after browser started?

Finnur Thorarinsson

unread,
Jul 6, 2014, 12:24:50 PM7/6/14
to sag...@gmail.com, Chromium-discuss
That's a bug that's been fixed, but probably hasn't made its way to your channel yet.


On Sun, Jul 6, 2014 at 1:36 AM, Sergei Pointer <sag...@gmail.com> wrote:
Why is the popup shown when starting every new Incognito window session?
Maybe it's enough to show it once after browser started?


Freeaze SWE

unread,
Jul 10, 2014, 8:23:58 AM7/10/14
to chromium...@chromium.org
I have to ask; is it possible to get an answer to this? (I'm not the first to ask this, read this from another user)

What about making an alternative stable for us tech-savvy users. One that a non-tech savvy would not click accidentally when downloading the regular version?
I do understand that what I'm asking means that you have to release two (2) stable versions, two different ones.
I'm wondering however, how much would they differ? If you only remove the pop-up that warns you in developer mode, wouldn't that be just a few lines difference in code? (I can be hugely mistaken here). Instead of returning the pop-up, the... UI(?) instead returns blank?

Asking coders; or could it be possible that such a little change could break something else in the code? Sounds harmless to me?

Freeaze SWE

unread,
Jul 10, 2014, 8:57:27 AM7/10/14
to chromium...@chromium.org
Can't edit my previous post. Anyway meant to quote what Torne (Richard Coles) said, not OP;

 
Re: [chromium-discuss] Re: Disable Developer Mode Extensions (incredibly annoying popup)

Jason Fehr

unread,
Jul 10, 2014, 4:44:46 PM7/10/14
to chromium...@chromium.org
I think it's time to write an extension that emails the Chrome dev team every time I open the browser to make them aware of the fact that I am aware of the fact that I'm running developer extensions in my browser, since, you know, I wrote the bloody extensions and installed them myself.

PhistucK

unread,
Jul 10, 2014, 4:49:07 PM7/10/14
to jason...@gmail.com, Chromium-discuss
You may.

You have installed it yourself, but normal users do not and they get malware, so this notifies them in order to protect them.
Just upload your extension to the web store and make it unlisted - no more annoying bubbles.


PhistucK



Dan Hlavenka

unread,
Jul 10, 2014, 4:55:27 PM7/10/14
to chromium...@chromium.org, jason...@gmail.com
On Thursday, July 10, 2014 3:49:07 PM UTC-5, PhistucK wrote:
Just upload your extension to the web store

Have you ever USED the web store? Uploading an extension there is a massive pain, and shouldn't be necessary for people who just want to use an extension for themselves. Plus, a web store developer account costs money if you don't have one already. $5 isn't all that much, but it shouldn't cost any money to use your own browser properly.

On Thursday, July 10, 2014 3:49:07 PM UTC-5, PhistucK wrote:
normal users do not and they get malware, so this notifies them in order to protect them.

Well-made malware installs itself via enterprise policy, which bypasses this message entirely. Likewise, malware on their system could dismiss that popup each time Chrome launches, so the victim never sees it. If the user already has malware installed on their system, there is nothing Chrome can really do to fully protect them.

Jason Fehr

unread,
Jul 10, 2014, 4:56:02 PM7/10/14
to PhistucK, Chromium-discuss
I don't care. I know what I'm doing. Give me an option to disable the warning.

Even Apple doesn't force their developers to upload development code to them before running it, and they are known as the epitome of a walled garden. All my extension does is give a search box on every page of an intranet app we use. I shouldn't have to upload that for Google's blessing.

PhistucK

unread,
Jul 10, 2014, 5:10:55 PM7/10/14
to DanH1420, Chromium-discuss, jason...@gmail.com
I have used the web store and yes, it does ask for some irrelevant information (it used to need more, now it just needs a category and a language!), but nothing that cannot be overcome in a few seconds.
Luckily, I uploaded extensions to the initial edition of the web store (I forget its name now), so I did not have to pay. But five dollars are not a lot of money. I agree it is annoying, though.

As far as I know, the enterprise policy method is only supported in domain controlled systems. So normal, non enterprise users will not suffer from enterprise policy based installations.

The team is really sorry about this painful experience, but the majority of users are Windows stable users, not developers and they are affected by this, so the team had to bite the bullet on this one. They really did not want to do this, but they could not come up with a better idea that protects the user in a meaningful way.


PhistucK



PhistucK

unread,
Jul 10, 2014, 5:11:59 PM7/10/14
to Jason Fehr, Chromium-discuss
Intranet? Sounds like an enterprise policy installation is the way to go in your case.


PhistucK

Zachary Yaro

unread,
Jul 10, 2014, 5:26:48 PM7/10/14
to Alon Gothshmidt, DanH1420, Chromium-discuss, jason...@gmail.com
I agree $5 is not a lot, but I have heard some developers are unable to pay the fee because of the countries in which they live.  (This does not affect me; I was just bringing up a problem I have heard mentioned.)

I would like to know, though, if there is any way to prevent the message popping up every time I open an incognito window.  I can deal with seeing the message when I initially launch Chrome (solution: never close Chrome? :P), but it gets on my nerves more when I see it every time I want to test something in incognito.

Also, it is still annoying that (last I tried) I have to verify a domain through the Webmaster Console just to upload a hosted app that only I can see or use.

Zachary Yaro

Chris Webster

unread,
Jul 10, 2014, 5:43:00 PM7/10/14
to phis...@gmail.com, DanH1420, jason...@gmail.com, Chromium-discuss

On Jul 10, 2014 5:10 PM, "PhistucK" <phis...@gmail.com> wrote:
>
>
> As far as I know, the enterprise policy method is only supported in domain controlled systems. So normal, non enterprise users will not suffer from enterprise policy based installations.

Unless there was a change in the last month or so that would make this statement true, it's not. I work in a university computer repair center and Enterprise policy installations of malware extensions are happening on non-enterprise computers. It seems all of the pervasive malware is going this route because the extension is so challenging to remove.

Which is what makes this popup so silly in the first place. The *only* people who are warned are a) those users who already know and b) those who have fallen victim to crap malware. The sophisticated and well-distributed malware authors have already worked around the popup.

-Chris

PhistucK

unread,
Jul 10, 2014, 6:03:54 PM7/10/14
to Zachary Yaro, DanH1420, Chromium-discuss, jason...@gmail.com
The incognito situation is a bug that is fixed in beta or canary (I forget), as far as I remember.


PhistucK

PhistucK

unread,
Jul 10, 2014, 6:06:02 PM7/10/14
to Chris Webster, DanH1420, Jason Fehr, Chromium-discuss
I am sure the team will reconsider the bubble if this is not as effective as they have hoped (as long as they have other ideas...).

The enterprise policy based installations on non domain controlled situation sounds like a bad bug, though. Perhaps you should file it on crbug.com if you cannot find one already.


PhistucK

Dan Hlavenka

unread,
Jul 10, 2014, 6:21:16 PM7/10/14
to chromium...@chromium.org
On Thursday, July 10, 2014 4:26:48 PM UTC-5, Zachary Yaro wrote:
I would like to know, though, if there is any way to prevent the message popping up every time I open an incognito window.

A fix for that issue should be coming very soon: https://code.google.com/p/chromium/issues/detail?id=363153#c10

On Thursday, July 10, 2014 4:43:00 PM UTC-5, ChrisW wrote:

Enterprise policy installations of malware extensions are happening on non-enterprise computers. It seems all of the pervasive malware is going this route because the extension is so challenging to remove.

I can second this statement. This just backs up the fact that if someone's already infected with malware, Chrome can't really do anything to protect them, because the malware can and will bypass all of Chrome's protections. Chrome is not an antivirus, and it shouldn't try to be one.

On Thursday, July 10, 2014 4:10:55 PM UTC-5, PhistucK wrote:
The team is really sorry about this painful experience, but the majority of users are Windows stable users, not developers and they are affected by this, so the team had to bite the bullet on this one. They really did not want to do this, but they could not come up with a better idea that protects the user in a meaningful way.

Here's a thought that could have benefits outside this particular issue: a developer channel of Chrome. That's not to be confused with the current development channel, which is just a step between beta and canary. The developer version would be based on stable (since that's what web and extension developers test against most anyway), but could have some more developer-oriented settings enabled by default. The bothersome popup would be disabled in this channel (since, much like dev or canary, only people who know what they're doing will be installing this version), and some other nice developer things could be enabled as well. For example, I seem to recall the Task Manager had some extra features that had to be enabled via command-line arguments, and there's a couple things in chrome://flags that are useful for devs that could maybe be made more accessible.

This could be a terrible idea -- I just thought of it this morning -- but it seems to me it would allow developers to be left alone while still protecting normal users on stable.

PhistucK

unread,
Jul 10, 2014, 6:39:05 PM7/10/14
to DanH1420, Chromium-discuss
It seems to me that a developer channel of Chrome demands too much effort (more testing) for little gain (a few power users that install their own extensions) and therefore I do not see it happening, but - who knows?


PhistucK



Isiah Meadows

unread,
Jul 10, 2014, 7:12:13 PM7/10/14
to zmy...@gmail.com, Alon Gothshmidt, DanH1420, Chromium-discuss, jason...@gmail.com
If you want to see that changed now, please contribute by sending a patch! We always welcome patches for new or adjusted features (that don't break things). Also, you all aren't the only ones who've requested this.

This would most likely be best served as a flag (CLI and chrome://flags), so if you want to add it yourself, 



-- 
Isiah Meadows

Dan Hlavenka

unread,
Jul 10, 2014, 9:59:16 PM7/10/14
to chromium...@chromium.org
Would a simple CLI switch really be likely to get accepted? I was pretty sure that had been proposed long ago, and was shot down for the same reason every other idea has been (malware could change it and the user wouldn't know).

If that has changed, though, I'd almost be willing to set up a build environment, learn how everything's laid out in the source, hunt down all the appropriate places, and make the changes myself. The only reason I haven't done that already for personal use is that Chrome updates rather frequently and I don't want to have to keep re-patching and compiling after every update.

PhistucK

unread,
Jul 11, 2014, 4:29:09 AM7/11/14
to Isiah Meadows, Zachary Yaro, DanH1420, Chromium-discuss, Jason Fehr
Like I wrote, the incognito issue was fixed, as far as I know, so there is no need to contribute a patch (unless you were referring to something else).


PhistucK

PhistucK

unread,
Jul 11, 2014, 4:30:32 AM7/11/14
to DanH1420, Chromium-discuss
If you refer to the incognito issue, like I wrote, it was fixed, as far as I know, so there is no need to contribute a patch (unless you were referring to something else). Just wait for the next stable release (or next next, I do not remember).


PhistucK


On Fri, Jul 11, 2014 at 4:59 AM, Dan Hlavenka <danh...@gmail.com> wrote:
Would a simple CLI switch really be likely to get accepted? I was pretty sure that had been proposed long ago, and was shot down for the same reason every other idea has been (malware could change it and the user wouldn't know).

If that has changed, though, I'd almost be willing to set up a build environment, learn how everything's laid out in the source, hunt down all the appropriate places, and make the changes myself. The only reason I haven't done that already for personal use is that Chrome updates rather frequently and I don't want to have to keep re-patching and compiling after every update.


Dan Hlavenka

unread,
Jul 11, 2014, 10:45:52 AM7/11/14
to chromium...@chromium.org
On Fri, Jul 11, 2014 at 12:51 AM, Isiah Meadows wrote:

Could you show me a link to that?

https://code.google.com/p/chromium/issues/detail?id=337734#c4
On Thu, Feb 6, 2014 at 1:49 PM, asar...@chromium.org wrote:
the malware writers have already shown that they are willing to modify command line flags and directly modify preferences files, so we don't see any way we could do that and have this warning still remain effective.

On Friday, July 11, 2014 3:30:32 AM UTC-5, PhistucK wrote:
If you refer to the incognito issue, like I wrote, it was fixed, as far as I know, so there is no need to contribute a patch (unless you were referring to something else). Just wait for the next stable release (or next next, I do not remember).

 I believe we were discussing the idea of adding a CLI switch to disable the notification entirely.

PhistucK

unread,
Jul 11, 2014, 10:48:19 AM7/11/14
to DanH1420, Chromium-discuss
Oh, yeah, that will not happen. :)


PhistucK



Dan Hlavenka

unread,
Jul 11, 2014, 11:14:56 AM7/11/14
to chromium...@chromium.org
On Friday, July 11, 2014 9:48:19 AM UTC-5, PhistucK wrote:
Oh, yeah, that will not happen. :)

I didn't think so. That's why I've been trying to come up with more "creative" solutions to the problem, such as requiring human verification before allowing an extension to be installed. That would also have the added benefit of actually giving some slight protection to users against surreptitiously installed extensions, rather than just the warning they're given currently. Obviously, those developer extensions would need to be re-verified on each browser load, but that could be done fairly quickly and transparently to the user. See my earlier post about hashing various things together as a rough example of how something like this could work.

Chris Webster

unread,
Jul 11, 2014, 11:29:30 AM7/11/14
to Chromium-discuss
That's one idea, and it's the route Mozilla has gone with add-ons in Firefox... if one is installed outside of the "standard" way of installing an add-on, the next time Firefox is opened, it throws up a prompt (in a tab) explaining what's happened and offering the user an option to continue with the add-on enabled or to disable it. I find it works pretty well.

PhistucK

unread,
Jul 11, 2014, 12:08:28 PM7/11/14
to DanH1420, Chromium-discuss
You will have to save that hash somewhere, so the malware will simply change the stored hash. :(


PhistucK



PhistucK

unread,
Jul 11, 2014, 12:09:46 PM7/11/14
to Chris Webster, Chromium-discuss
A tab can be closed by the extension. Bang. A bubble cannot be dismissed by an extension (or maybe it can, if it closes the window?).


PhistucK



Dan Hlavenka

unread,
Jul 11, 2014, 12:18:54 PM7/11/14
to chromium...@chromium.org, danh...@gmail.com
Malware could change that hash, but it can't change the way extension IDs are calculated. If the hash contains the extension ID along with some bit of user-supplied information, malware wouldn't be able to create a valid hash for a new extension.

PhistucK

unread,
Jul 11, 2014, 12:24:38 PM7/11/14
to DanH1420, Chromium-discuss
And where would you store that user supplied information? Or will you prompt the user every time they open the browser? If so, this is not a transparent mechanism and makes it more annoying than a simple bubble...


PhistucK



Dan Hlavenka

unread,
Jul 11, 2014, 12:36:24 PM7/11/14
to chromium...@chromium.org
On Friday, July 11, 2014 11:24:38 AM UTC-5, PhistucK wrote:
And where would you store that user supplied information? Or will you prompt the user every time they open the browser? If so, this is not a transparent mechanism and makes it more annoying than a simple bubble...

Store it in the same place saved passwords are stored. I believe there's already some amount of protection on that storage area, and if malware can get in there, the user has bigger problems.

You could also have something tied to their Google account and stored on Google's servers, but that could bring about issues with starting the browser without internet access. One possible solution there would be to cache the last response from Google for offline use, and only allow the browser to fall back on that cache if it's without internet access. Starting Chrome without internet access is already a bit of an edge case, and it's something I don't think most "normal" users would do.

Crypto and PFS aren't exactly my strongest points, so I'm still open to the idea that I may be missing something that would make an idea like this infeasible. Ultimately, though, I think there should be able to be some sort of "good enough" compromise that allows developers to not be nagged every time they re-launch their browsers (something many developers do more frequently than typical users), but still offer some protection to users infected with second-rate malware that hasn't just gone ahead and tied them into an Enterprise policy.

PhistucK

unread,
Jul 11, 2014, 2:01:29 PM7/11/14
to DanH1420, Antony Sargent, Chromium-discuss
As far as I know, saved passwords are stored in the same way they are stored in Internet Explorer (with the same amount of encryption, that is). It is basically the right amount to prevent regular users from reading it because it is not some plain text, but not enough to prevent basic hackers from reading them.

Tying it to the Google account sounds interesting, but may interrupt with genuine use cases for developing extensions in non internet environments, but perhaps this is not such an important case to consider. I do not see a reason for it not to be effective at the moment.
I added Antony to the thread for possible counter arguments.


PhistucK



Dan Hlavenka

unread,
Jul 11, 2014, 2:06:04 PM7/11/14
to chromium...@chromium.org
On Friday, July 11, 2014 1:01:29 PM UTC-5, PhistucK wrote:
Tying it to the Google account sounds interesting, but may interrupt with genuine use cases for developing extensions in non internet environments

This is a place where a user setting seems appropriate: you can either tie developer mode extensions to your Google account, or install them in "offline mode," in which case you'll get the same popup everyone sees today.

Frédérik Labbé

unread,
Aug 25, 2014, 10:21:19 PM8/25/14
to chromium...@chromium.org, danh...@gmail.com, asar...@chromium.org
I think I understand why it jumped to this radical solution and why it's so dangerous to open a workaround to the user that the hackers could not take. I think this isn't mentioned yet in this thread (sorry if I missed a few posts that were talking about it), but instead of trying to confuse the hacker, could it be easier and more convenient to everyone to just convert the actual focus-killing bubble into an alarming tooltip? It would not "intensively" annoy the power user. This isn't the warning that is annoying but the fact that it grabs the focus after a few seconds, hence stopping any actions that are started early - before the bubble shows up.
Message has been deleted

PhistucK

unread,
Oct 10, 2014, 5:01:19 PM10/10/14
to y.ta...@gmail.com, Chromium-discuss
If the extension is deemed malicious or otherwise removed from the store, it will be removed from Chrome, so users can be protected more than if a local extension is installed. Chrome cannot block a specific unpacked extension (its ID is created according to its path, if I am not mistaken and the author can simply move it). It can either block all of them (but that makes extension development impossible), or block none of them and show an annoying popup in order to protect users (annoying, but hopefully helpful to users).


PhistucK

On Fri, Oct 10, 2014 at 10:59 PM, Yavor Tashev <y.ta...@gmail.com> wrote:

I would like to ask what is the exact difference between an extension that is in the store and one that I have locally. What is it that makes the extension on the store more reliable? If it is going to have the same functionality, what kind of control is there?

Since you are not considering removing the alert, I would like to suggest AN EMAIL CONFIRMATION.
If you have Google Chrome and have a Google account, Chrome could send you a confirmation on your email if you approve of the extension and chrome does not need to ask you any more. WHY NOT?

bean5

unread,
Oct 14, 2014, 5:19:45 PM10/14/14
to chromium...@chromium.org, retrom...@gmail.com
Is the button that comes with this new popup vulnerable to manipulation? If so, then we might as well allow a setting to disable it after it has appeared at least once...or just remove the feature. 

Fanny Dwargee

unread,
Nov 6, 2014, 9:30:30 AM11/6/14
to chromium...@chromium.org, retrom...@gmail.com
Another annoyed developer here. :(

What about showing that infamous balloon/bubble just for the first time the extension is used asking for user confirmation with a YES/NO choice?

You can put skulls and red colors here and there if you want just for the sake of "F.U.D." the user...

Btw, it seems to me that you're treating your users as very... dumb ones? :)


Best regards.

2014 19:46:28 UTC+1, PhistucK wrote:
To answer your question about non tech savvy - this is exactly the point, the users are not enabling or installing them, the malware does.
I believe this clears things up.


PhistucK



Torne (Richard Coles)

unread,
Nov 6, 2014, 9:34:29 AM11/6/14
to fdwa...@gmail.com, Chromium-discuss, Si Robertson
As has been explained multiple times, it's tricky to implement such a confirmation; we would have to store the information about which extensions have been confirmed by the user somewhere, and so an app that wants to install an extension without the user's permission would just go and also modify whatever file we used to store the list of which extensions have been confirmed to pretend that the user had already confirmed it.
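
The point made here, together with the keyed-hash idea Dan Hlavenka and PhistucK argued over earlier in the thread, as an added Python sketch (not part of any message and not Chrome's code): a plain confirmation list accepts whatever a local process writes into it, a tag keyed by a secret the user types does not, and the protection disappears once that key is itself kept on disk. The store layout, the passphrase and the extension IDs are constructed assumptions.

```python
import hashlib
import hmac
import json

# Constructed sample IDs (32 characters, a-p alphabet); not real extensions.
APPROVED_ID = "abcdefghijklmnopabcdefghijklmnop"    # the developer's own extension
UNAPPROVED_ID = "ponmlkjihgfedcbaponmlkjihgfedcba"  # added without the user's consent


def derive_key(user_secret: str, salt: bytes) -> bytes:
    """Stretch a user-supplied secret into a MAC key (PBKDF2-HMAC-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", user_secret.encode("utf-8"), salt, 100_000)


def approval_tag(key: bytes, extension_id: str) -> str:
    """Tag that binds one approval to exactly one extension ID."""
    return hmac.new(key, extension_id.encode("ascii"), hashlib.sha256).hexdigest()


# Design 1: the list of confirmed extensions is a plain file.
def plain_is_confirmed(store_json: str, extension_id: str) -> bool:
    return extension_id in json.loads(store_json).get("confirmed", [])


# Design 2: every confirmation carries a tag keyed by the user's secret.
def mac_confirm(store_json: str, key: bytes, extension_id: str) -> str:
    store = json.loads(store_json)
    store.setdefault("confirmed", {})[extension_id] = approval_tag(key, extension_id)
    return json.dumps(store)


def mac_is_confirmed(store_json: str, key: bytes, extension_id: str) -> bool:
    tag = json.loads(store_json).get("confirmed", {}).get(extension_id)
    if not isinstance(tag, str):
        return False
    return hmac.compare_digest(tag, approval_tag(key, extension_id))


def local_edit(store_json: str, extension_id: str, value=None) -> str:
    """Models any local process that has write access to the store file."""
    store = json.loads(store_json)
    if isinstance(store["confirmed"], list):
        store["confirmed"].append(extension_id)
    else:
        store["confirmed"][extension_id] = value
    return json.dumps(store)


def run_demo() -> dict:
    results = {}

    # Design 1: an edited list is indistinguishable from a user confirmation.
    plain = local_edit(json.dumps({"confirmed": [APPROVED_ID]}), UNAPPROVED_ID)
    results["plain_list_accepts_edited_entry"] = plain_is_confirmed(plain, UNAPPROVED_ID)

    # Design 2: the key comes from a secret the user types; only the salt is stored.
    salt = b"constructed-salt"
    key = derive_key("constructed passphrase", salt)
    store = mac_confirm(json.dumps({"confirmed": {}, "salt": salt.hex()}), key, APPROVED_ID)
    results["tagged_accepts_user_approval"] = mac_is_confirmed(store, key, APPROVED_ID)

    # Copying the approved extension's tag onto another ID does not verify.
    copied_tag = json.loads(store)["confirmed"][APPROVED_ID]
    edited = local_edit(store, UNAPPROVED_ID, copied_tag)
    results["tagged_accepts_copied_tag"] = mac_is_confirmed(edited, key, UNAPPROVED_ID)

    # PhistucK's objection: if the key is saved in the profile so the user is
    # not prompted at every start, whoever can edit the list can read the key.
    key_on_disk = key
    forged = local_edit(store, UNAPPROVED_ID, approval_tag(key_on_disk, UNAPPROVED_ID))
    results["key_on_disk_accepts_edited_entry"] = mac_is_confirmed(
        forged, key_on_disk, UNAPPROVED_ID
    )
    return results


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(f"{name}: {value}")
```
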

Si Robertson

unread,
Nov 6, 2014, 9:36:31 AM11/6/14
to Fanny Dwargee, chromium...@chromium.org
A one-shot confirmation box would be ideal, and it would match the behaviour seen when an external application (e.g. Google Drive) adds an extension to Chrome.


On 6 November 2014 14:30, Fanny Dwargee <fdwa...@gmail.com> wrote:

PhistucK

unread,
Nov 6, 2014, 9:43:52 AM11/6/14
to Richard Coles, fdwa...@gmail.com, Chromium-discuss, Si Robertson
And Chrome is not treating its users as very dumb, but the malicious extensions as very sophisticated, actually. :)


PhistucK

Si Robertson

unread,
Nov 6, 2014, 9:43:54 AM11/6/14
to Torne (Richard Coles), fdwa...@gmail.com, Chromium-discuss
Understood. I think it's just wishful thinking on our part now :) Canary is a more suitable choice for testing extensions and it doesn't display the warning message.

Fadi R

unread,
Jan 27, 2015, 7:05:43 PM1/27/15
to chromium...@chromium.org, jason...@gmail.com
That is utter nonsense. For a malware to take advantage of this, you have to have the developer pack installed. Normal users don't install the developer pack for the fun of it. Developers and modders do, people who are most likely running their own stuff unpacked. This warning is not really appropriate for that crowd. Even if there was a need to be extra careful and warn the unwary user about the dangers of running unpacked extensions in dev mode, there's a difference between warning the user about a potential danger and constantly harassing the user by omitting the capacity to disable the warning. Yes, a malware can modify the warning flag in the preference files to turn the warning off but it can't do so through the limited functionality given to chrome extensions (i.e., it can't do this out of the play store) nor are google chrome extensions a good place to lace malware as the source code is there in the open for everyone to see as js and html.

On Thursday, July 10, 2014 at 4:49:07 PM UTC-4, PhistucK wrote:
You may.

You have installed it yourself, but normal users do not and they get malware, so this notifies them in order to protect them.
Just upload your extension to the web store and make it unlisted - no more annoying bubbles.


PhistucK



PhistucK

Jan 28, 2015, 3:01:49 AM
to mo.ma...@gmail.com, Chromium-discuss, Jason Fehr
If malware can add the unpacked extension to Chrome, it can surely modify the Preferences file and disable the warning, which defeats its purpose.


PhistucK

Fadi R

Jan 28, 2015, 2:41:11 PM
to PhistucK, Chromium-discuss, Jason Fehr

Chrome security is set up so that extensions are very limited in what they can do from within the extension framework, and every extension has its own preferences and resources and cannot modify the preferences/resources of other extensions. You can't even launch an executable or sh/bat script out of Chrome. Even setting up a mechanism to open the source of a page directly in an external editor is more restricted than in other browsers. It's very difficult to set up a malware as a Chrome extension to compromise a PC from within the Chrome extension framework. And the source is out in the open. To compromise your PC, the malware would need to be introduced externally to Chrome - in either freeware or pirated materials. Once your whole PC is fully compromised, yes, it can mess with whatever it wants, including messing with the unpacked extensions or Chrome preferences. But if your PC is already compromised to that point, the warning is not accomplishing anything, nor would it be of any interest for the hacker to attack unpacked extensions or turn off Google's warning in the preferences, as the PC is already compromised. Either way, that warning serves no purpose.

PhistucK

Jan 28, 2015, 3:35:58 PM
to Fadi R, Chromium-discuss, Jason Fehr
It can (very easily) show you a Google/Facebook login screen and record your credentials, without any security warning (with a content script, it can just take stuff from the page. With a proxy server, Chrome might show a certificate error, I presume). Even though your whole system is compromised, it does not mean it can just draw your passwords, because they might not exist on disk (you never save a password, for example).


PhistucK

Dan Hlavenka

Jan 28, 2015, 4:00:50 PM
to chromium...@chromium.org, hello...@gmail.com, jason...@gmail.com
If a user's system is compromised to the point that malware is able to change Chrome's settings, the same malware could just patch the Chrome binary to remove this little protection. That's an extreme example, but more likely is that malware interested in collecting login details would simply include a keylogger, and would then be able to collect all credentials from every site the user visits in any browser.

All the Chrome-related Windows malware I've ever seen has used Enterprise policies to install itself (because that's harder for the user to remove), and has also included a non-Chrome, binary component that did all the real heavy lifting. I really don't see what tangible benefit this annoying feature brings, and I think the length of this thread demonstrates that it really pisses off developers.

Anyway, I finally fixed this problem by just ditching my last Windows computer, so I'm unsubscribing from this thread. Please oh please don't bring these petty pseudo-security measures to the Linux version.
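Added example, not part of any post in this thread and not Chrome's own code: a defender-side audit of the install sources discussed above (unpacked developer-mode extensions, Enterprise policy installs). It assumes the profile's Preferences file keeps per-extension records under `extensions.settings` with a numeric `location` taken from Chromium's ManifestLocation enum; the function name and the sample data are constructed.

```python
import json

# Install-source codes from Chromium's ManifestLocation enum. Assumption: the
# thread does not list them; check them against the Chrome build you audit.
LOCATIONS = {
    1: "internal (web store)", 2: "external pref", 3: "external registry",
    4: "unpacked (developer mode)", 5: "component",
    6: "external pref download", 7: "external policy download",
    8: "command line", 9: "external policy", 10: "external component",
}
# Sources other than a normal web store install or a built-in component.
REVIEW = {2, 3, 4, 6, 7, 8, 9}


def audit_extensions(prefs_text):
    """Return (id, name, source, path) for each extension needing review."""
    prefs = json.loads(prefs_text)
    settings = prefs.get("extensions", {}).get("settings", {})
    findings = []
    for ext_id, entry in sorted(settings.items()):
        loc = entry.get("location")
        if loc in LOCATIONS and loc not in REVIEW:
            continue  # web store or component: expected sources
        # Codes outside the table are reported rather than silently skipped.
        source = LOCATIONS.get(loc, "unknown location %r" % (loc,))
        # Unpacked entries may carry no cached manifest, so name can be absent.
        name = entry.get("manifest", {}).get("name", "<no manifest>")
        findings.append((ext_id, name, source, entry.get("path", "")))
    return findings


# Constructed sample shaped like a profile's Preferences file (IDs are fake).
SAMPLE = json.dumps({"extensions": {"settings": {
    "a" * 32: {"location": 1, "path": "a/1.0_0",
               "manifest": {"name": "Store extension"}},
    "b" * 32: {"location": 4, "path": "C:\\dev\\newtab"},
    "c" * 32: {"location": 7, "path": "c/2.1_0",
               "manifest": {"name": "Search helper"}},
    "d" * 32: {"location": 42, "path": "d/0.1_0"},
}}})

if __name__ == "__main__":
    for row in audit_extensions(SAMPLE):
        print(" | ".join(row))
```
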

Fadi R

Jan 28, 2015, 4:52:46 PM
to phis...@gmail.com, Chromium-discuss, Jason Fehr

As Dan said, much more can easily be accomplished with a key logger if the entire system is compromised. If the system is not compromised, whatever can be done by an unpacked extension can be done by a packed one, and again, people running unpacked extensions are developers, not end users.

Fadi R

Jan 29, 2015, 9:45:45 AM
to PhistucK Productions, Chromium-discuss, Jason Fehr
It seems there's a Developer Specific version of Google Chrome. If you install it, the idiotic warning goes away: 

Win64:

Win32:

Be warned that it's a couple versions above the current stable version (the current dev version is at 42.0.2288.6 whereas current stable at 40.0.2214.93, beta is at 41 something). It may or may not be stable enough as a daily driver. Personally, I'll take the risk. I suggest keeping a backup of the stand alone installer in the event that someone at Google decides to add the warning to the dev version as well in the future or in the event that the next dev version is unstable. 

Anon Ymouse

Feb 3, 2015, 5:41:27 PM
to chromium...@chromium.org, phis...@gmail.com, jason...@gmail.com, hello...@gmail.com
Simple macro (.ahk-.exe) to click off the notification, rename the pinned icon to open the .bat to execute the macro, include echo off, starters for both Chrome and the macro, a timeout between the two for a few seconds and exit. You're done!.. I have my own app made and it's working perfectly!! And no security lost because you're not using the standalones!!!!!!!!!!!!!!

#############################################################

Uri Even-Chen

Feb 4, 2015, 7:34:42 AM
to chromium...@chromium.org
Hi Si,

I just posted this question in the Google Chrome Help Forum and someone sent me here:

I'm a developer of Google Chrome extensions and I have 6 profiles with developer mode extensions. Every time after I restart the computer or after a Chrome crash (which happens very often), I get this notification - Google asks me if I want to disable developer mode extensions. I don't want to disable developer mode extensions! Is it possible to disable this annoying notification? I get it for every profile with developer mode extensions.

Did you find a way how to disable this popup notification, without changing the version of Chrome you are using?

Thanks,
Uri.

Si Robertson

Feb 4, 2015, 8:36:24 AM
to u...@wisestamp.com, chromium...@chromium.org
I simply upload my personal extensions to the chrome app store now and keep them private, it seems like the easiest solution if you don't want to use Canary as your default web browser. I honestly don't think the notification will be removed from Chrome.


--

Uri Even-Chen

Feb 4, 2015, 8:45:09 AM
to chromium...@chromium.org, u...@wisestamp.com
Thanks, but I change my extensions hundreds of times a day, I don't want to pack the extension each time I want to change something. Developer mode extensions are really a good solution for me, even if I have to close 6 notifications each time I restart my computer or after Chrome crashes.

Uri.

Flavio Amaral

Feb 24, 2015, 7:51:50 PM
to chromium...@chromium.org
And those geniuses at Google pretend we're stupid enough to believe that an annoying popup warning will make their browser safer.
C'mon Google, stop treating us as kids who need a popup nanny. Confess your real interest: to have the monopoly control over developers!

Unique One

May 14, 2015, 1:31:36 AM
to chromium...@chromium.org
Oh great... Now canary is doing it too... ffs google.

Si Robertson

May 14, 2015, 5:29:39 AM
to chromium...@chromium.org
The warning appearing in Chrome and Chrome Beta is understandable, and I have no issue with that, but Canary is a completely different matter. I sincerely hope the warning that is now appearing in Canary is simply an oversight and/or an incredibly bad judgement call, and not a permanent feature.

Standard issue Chrome users will not be using Canary. Developers will be using Canary and will be aware of the potential security risks.

Si Robertson

May 14, 2015, 5:34:17 AM
to chromium...@chromium.org