Can developer name be anything?

[Hao Nguyen]

I see some extension and themes that claim to be offered by "google", but they don't seem to be really created by Google. For examples:

https://chrome.google.com/webstore/detail/shaas-free/gdgepmanibfcolhnbhkcainmjdppficn

https://chrome.google.com/webstore/detail/finfux/hkamfaenmknibpcjhcifklcjmmnhdagn

https://chrome.google.com/webstore/detail/earth-and-beyond/bfbfhknmbjnejfidmbjjklohcfkmenhl

Can a publisher claim to be anything without any verification? And that we cannot trust publisher name unless it shows the verified domain badge?

But then how come some extensions have the "By Google" tag but no verified google.com badge like https://chrome.google.com/webstore/detail/google-keep-chrome-extens/lpcaedmchfhocbbapmcbpinfpgnhiddi, while others have the verified google.com badge but no "By Google" tag like https://chrome.google.com/webstore/detail/black-hole-sun/cjflaldchiphekckakjglcfjiomhjobc

So, for a given extension/theme, how do we know for sure if it is really made by Google (or any other publisher), or if it is made by an imposter instead?

Thanks,

Hao

[Simeon Vincent]

Thanks for highlighting those items impersonating Google. I'll pass them on to some old colleagues for additional consideration.

Can a publisher claim to be anything without any verification? And that we cannot trust publisher name unless it shows the verified domain badge?

Unfortunately, I think the answer to both of these questions is "yes."

But then how come some extensions have the "By Google" tag but no verified google.com badge like https://chrome.google.com/webstore/detail/google-keep-chrome-extens/lpcaedmchfhocbbapmcbpinfpgnhiddi, while others have the verified google.combadge but no "By Google" tag like https://chrome.google.com/webstore/detail/black-hole-sun/cjflaldchiphekckakjglcfjiomhjobc

The domain verification system and "By Google" badge are separate features that both aim to provide the user with more confirmation that the extension is coming from who they think it is. I can't say for sure, but I'd be willing to bet that the domain verification process is the same for Google employees as it is for external folks, and that over the years it's become harder and harder for individual employees to complete one of the verification methods required to prove that they control google.com. 

Idle speculation aside, I agree that the lack of consistency between the two signals is unfortunate.

So, for a given extension/theme, how do we know for sure if it is really made by Google (or any other publisher), or if it is made by an imposter instead?

Extensions and themes made by Google will either have the "By Google" badge, have a verified Google domain, or both.

Simeon - @dotproto

incremental.software

--
You received this message because you are subscribed to the Google Groups "Chromium Extensions" group.
To unsubscribe from this group and stop receiving emails from it, send an email to chromium-extens...@chromium.org.
To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/chromium-extensions/2502623b-8cdd-43ae-bd92-54b8b7c0fb3bn%40chromium.org.

[Stryder Crown]

I'm getting ready to start publishing some extensions for Chrome so I'm very interested in these kinds of concerns. This incident suggests that anybody could imitate my company on the Google Play Store without any intervention/prevention by Google itself. Is the expectation from Google that publishers should be 'policing' the store themselves for these kinds of potential trademark/fraud/misrepresentation issues?  I guess I had previously presumed that Google was more active in preventing these sorts of things given that the Play Store is more or less a direct pipeline into a customer's machine.  Is there an API we can use to pro-actively search for these kinds of problems to help protect ourselves/IP?

To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/chromium-extensions/CACA%3D7_b2aRQeHVs2hVHGSrOxTY6%3Dbe1%3Dt78vG_AjMdK92wVqhg%40mail.gmail.com.

[Patrick Kettner]

Hey Stryder,

Could you confirm that you do mean the Chrome Web Store? I only ask because you mention the Play store a few times. 

As for Hao's original question...

We do have verification. It is shown as a checkmark surrounded by a star symbol, to the left of the domain. When hovered/interacted with, the user is shown a message like the one in the below image

For non Google properties, it looks like this

We are always on the lookout for folks impersonating Google, but welcome everyone to report any extensions that they believe are violating our impersonation policy via CWS One-Stop Support.

I really appreciate you pointing this out, Hao, and I have been discussing this with the store team to see what else we can do to combat impersonations via this channel.

patrick

To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/chromium-extensions/CADq%3D7qu9SPB0ReD1xXD56EfwhG5OWJNr1UvHMfJ6_d18DVi%2BOg%40mail.gmail.com.

[Patrick Kettner]

Great question - there is no issue with using a personal domain

On Tue, Nov 28, 2023 at 8:06 AM Simeon Velichkov <simeonv...@gmail.com> wrote:

BTW about the verified domain badge, do you think that it will be appropriate to verify my personal web site as a domain for an extension? I'm asking because I am not a business and I certainly don't have a specific domain for any of my extensions either, and I was wondering if that would make sense as obviously the intent for the verified domain for an extension item in general was to verify the domain for the web site of that product in particular.