Google to intensify Chrome add-on lock-down in January
Citing continued abuse of loopholes, will require all Windows extensions to be published on the Chrome Web Store
Computerworld - Google on Thursday said that starting in January, only extensions offered through its own e-market can be installed on the Windows version of Chrome.
The move will be one more in a series of steps that Google has taken in the last 15 months to lock down the browser, pushing it and its add-ons toward the closed markets modeled by Apple's and Microsoft's mobile app environments.
Erik Kay, director of Chrome engineering, announced the change on the Chromium blog, saying that it was driven by "our continuing security efforts," and adding, "We believe this change will help those whose browser has been compromised by unwanted extensions.
Google has used similar explanations for previous steps to bar extensions from the browser.
At some point in early 2014, users of the "Stable" and "Beta" builds of Chrome on Windows will be able to install extensions -- what other browser makers call "add-ons" -- only from the Chrome Web Store, Google's official distribution channel.
Currently, some extensions not hosted on the Chrome Web Store can still be installed in the browser, including those associated with a desktop application -- and offered during the installation process of that program -- and ones written by a business for its workers. Generically, Google calls them "external extensions."
But Google has been clamping down on what it has viewed as rogue extensions since July 2012, when it first required that add-ons move to the Chrome Web Store. As of Chrome 21, which launched that month, the browser would not accept extensions installed directly from websites, but only from the Chrome Web Store. Before that, any website could prompt a Chrome user to install an add-on.
Then in February 2013 Google tightened its policies when it debuted a new security feature that blocked silent installations of add-ons and disabled those that had snuck into the browser.
Silent extension installation had been possible only on Windows; OS X and Linux did not offer slippery websites a way to sneak an add-on into Chrome.
Apparently, those moves weren't enough for Google.
"Many services bundle useful companion extensions, which causes Chrome to ask whether you want to install them (or not)," wrote Kay yesterday. "However, bad actors have abused this mechanism, bypassing the prompt to silently install malicious extensions that override browser settings and alter the user experience in undesired ways."
That prompted the company's more draconian move to require every extension to be hosted on the Chrome Web Store, so that Google can vet the software and, if necessary, yank the add-on if it turned out to be malicious.
Starting in January, extensions that had been installed locally or by businesses internally must be published to the Chrome Web Store, closing the remaining loopholes on Windows. Businesses can hide their extensions on the store from the public at large -- or continue to use group policies to offer the add-ons to their workforce from their own servers -- and developers will still be able to initiate "in-line" installs from their website, assuming the add-on is in the Chrome Web Store.
The move was not completely unexpected. In a May 2012 thread discussing the changes planned for Chrome 21, a Chromium developer noted that, "Our hope and belief is that this installation mechanism will be sufficiently complex that it will reduce the number of off-store extension installs performed. If it doesn't help, we'll try something else."
The new rules will not affect the "Dev" build of Chrome, the roughest-edged version, or "Canary," an even less-polished browser from the Chromium project, the open-source foundation of Chrome. Web apps will not be affected by the policy change.
Google did not specify which version of Chrome will be the first to require all extensions to originate from the browser's store, but by the company's usual tempo, it will likely be Chrome 33.
As of Friday, Chrome Stable was at version 30, and Beta was at version 31.
Browser extensions can be found at the Chrome Web Store.
Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer, or subscribe to Gregg's RSS feed . His email address is firstname.lastname@example.org.
- Chrome users attack Google for zapping unsanctioned Windows add-ons
- Google postpones add-on 'kill switch' for Chrome on Windows
- Google yanks option to restore Chrome's old-style new tab page, riles users all over again
- Google's 3D tech could be boon to Glass, robots and virtual reality
- Google bots are coming!
- Antitrust deal leaves Google unscathed
- Google agrees to give equal prominence to rivals' services to settle EU antitrust case
- Lenovo-Moto deal's impact on Apple? Zip
- With Motorola sold, Google can focus on robots, Glass and smart homes
- Google is developing a smart contact lens
Read more about Internet in Computerworld's Internet Topic Center.
- 15 Non-Certified IT Skills Growing in Demand
- How 19 Tech Titans Target Healthcare
- Twitter Suffering From Growing Pains (and Facebook Comparisons)
- Agile Comes to Data Integration
- Slideshow: 7 security mistakes people make with their mobile device
- iOS vs. Android: Which is more secure?
- 11 sure signs you've been hacked
- IDC Report: The Future of eMail is Social This paper discusses the changing nature of collaboration and work fueled by the social Web by examining current email trends and the emergence...
- The Business of Social Business Social business represents a significant transformational opportunity for organizations. Read this whitepaper to learn more.
- Six Ways Your Small Business Can Save with Internet Phone Service Traditional phone systems present two main problems for businesses: limited features and high costs. As a result, small businesses are migrating to Internet...
- Is Your Big Data Solution Production-Ready? Read "Is Your Big Data Solution Production-Ready?" now, and discover best practices and actionable steps to implementing a production-ready big data solution.
- Live Webcast Best Practices for the Hyperconverged Enterprise Network To the Age of Constant Connectivity and Information overload
- Live Webcast On-demand webinar: "Mobility Mayhem: Balancing BYOD with Enterprise Security" Check out this on-demand webinar to hear Sophos senior security expert John Shier deep dive into how BYOD impacts your enterprise security strategy...
- Live Webcast Endpoint Backup & Restore: Protect Everyone, Everywhere Arek Sokol from the bleeding-edge IT team at Genentech/Roche explains how he leverages cross-platform enterprise endpoint backup in the public cloud as part...
- Supercharge Your Web and Mobile App Development with High-Productivity Hybrid Cloud Webinar: Hear from industry experts about the amazing power at the intersection of next-generation web and mobile application development and cloud platforms.
- Webinar: Building a Big Data solution that's production-ready Big data solutions are no longer just a nice-to-have. All Internet White Papers | Webcasts