
Google Chrome: Why I Said, “No thanks”

Though I use Google Chrome all day, every day…I radically minimize the use of plugins and extensions. Why? Because it’s like going to the hardware store to get a new housekey made and having to agree in writing that, “You agree the locksmith can make a duplicate key and use it whenever he/she cares to do so.”

The thing is, as I described in my September 2011 post, “Don’t Just “Allow” Permissions for Cloud Apps,” there are just too many opportunities for rogue infiltration of my computers if I load ones that are inherently insecure (because I’d have to grant access to all my tabs, web history and more). I just don’t agree willy-nilly to terms and conditions and actually think through what sorts of potential insecurities and “holes” I’m opening myself up to if I choose to use an extension or plugin.

Google makes it clear that you have to be very, very careful when you load Google Chrome extensions. I’m often blown away when I see how many developers, many of whom are outside the U.S., deliver NPAPI extensions. Google says on that page that developers should strongly consider these security considerations with NPAPI:

Including an NPAPI plugin in your extension is dangerous because plugins have unrestricted access to the local machine. If your plugin contains a vulnerability, an attacker might be able to exploit that vulnerability to install malicious software on the user’s machine. Instead, avoid including an NPAPI plugin whenever possible.
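
The conditions described above can be checked in an extension's manifest.json before it is installed or approved. The following is an added example, not code from the original post or from Google; it assumes the manifest version 2 layout (a top-level "plugins" key for NPAPI and host patterns inside "permissions"), and the sample manifest is constructed.

```python
import json

# Permissions the post names (tabs, web history) plus "background", which
# lets Chrome keep the extension running after the last window is closed.
RISKY_PERMISSIONS = {
    "tabs": "can read the URL and title of every open tab",
    "history": "can read and modify browsing history",
    "background": "keeps running after the last Chrome window is closed",
}
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}

# Constructed sample manifest (not a real extension).
SAMPLE = """{
  "name": "Example Helper",
  "manifest_version": 2,
  "plugins": [{"path": "helper.dll", "public": true}],
  "permissions": ["tabs", "history", "background", "<all_urls>", "storage"]
}"""


def audit_manifest(manifest_text):
    """Return a list of (severity, finding) tuples for one manifest.json."""
    manifest = json.loads(manifest_text)
    findings = []
    # An NPAPI plugin is declared under the top-level "plugins" key and runs
    # as native code with the user's full access to the local machine.
    for plugin in manifest.get("plugins", []):
        path = plugin.get("path", "<no path>")
        findings.append(("high", f"NPAPI plugin bundled: {path}"))
        if plugin.get("public"):
            findings.append(("high", f"NPAPI plugin exposed to web pages: {path}"))
    for perm in manifest.get("permissions", []):
        if not isinstance(perm, str):
            continue  # non-string permission entries are skipped
        if perm in RISKY_PERMISSIONS:
            findings.append(("medium", f"{perm}: {RISKY_PERMISSIONS[perm]}"))
        elif perm in BROAD_HOSTS:
            findings.append(("medium", f"{perm}: access to every site"))
    return findings


if __name__ == "__main__":
    for severity, finding in audit_manifest(SAMPLE):
        print(f"[{severity}] {finding}")
```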

Though Google is working on an experimental new plugin/extension API called “Pepper,” today I decided (in advance of a client session) to experiment with Google Remote Desktop. It works well, my client uses Chrome, but when I went to implement the extension on my main machine I encountered this:

[Image: Chrome Remote Desktop 'agreement']

Wait a second. What is that last sentence, “Perform these operations when I’m not using the application” I’m agreeing to if I install it?

Figuring that it would be fast to discover more detail behind that bullet point and get comfortable I wasn’t opening myself (and our entire office network) to who-knows-what, I did a Google search on that phrase. Basically I found nothing. Then I went to the Google Chromium project (the project behind Chrome, ChromeOS, etc.) and looked at their “security brag sheet.” Again, nothing.

Does this mean that, if my computer and Chrome are running and I’m not around, that Google (or whomever they grant access to) can view any of my computer’s desktops? Security neophytes would think, “Come on…your locksmith analogy is a straw man argument and Google would never allow that sort of intrusiveness.” Maybe, but if CISPA passes (PDF), like I posted about yesterday, Google won’t have a choice in opening up desktops to intelligence and policing agencies (though, in Google’s defense, they are rattling their sabers).

I clicked “No thanks” to using Google Remote Desktop until Google reveals—and their description is verified by security specialists—that Google Remote Desktop isn’t a backdoor. You should too until Google makes it crystal clear what we’re signing up for when we install their, and third-party, extensions.

About Steve Borsch

I'm CEO of Marketing Directions, Inc., a trend forecasting, consulting and publishing firm in Minnesota. Prior to that I was Vice President, Strategic Alliances at Lawson Software in St. Paul where I was responsible for all partnerships at this major vendor of enterprise resource planning software products and services. Read more about me here unless you're already weary of me telling you how incredible and awesome I am.

Comments

  1. Other major community distributions on OpenSolaris are the following:
    They’re often traced to a corrupt or incompatible driver,
    or flaky software. I bought my Macbook Pro for school, and my
    grades would be horrible if I used it a lot for games anyway.

  2. It’s crystal clear here:
    https://support.google.com/chrome/answer/1649523?hl=en

    You can click Allow access now.

  3. In order to access your machine when it is not logged in and Chrome is not running, Google is actually installing an external application. This application, or service, is what you connect to when logging in remotely. You are not connecting to a Chrome extension. The extension is just a GUI. This is what that bullet means.

  4. The last sentence of the installation window makes sense. You are away from your computer and you want to access it. Your PC is idle with no application running, hence not even Chrome Remote Desktop. So, when you want to access it from another PC, how would the application be able to know that it is you, that you require peer-to-peer validation, and let you access the PIN popup window? In my personal opinion, Google’s solution is the only one that provides 2-level security. Even if your Google account gets compromised, the intruder still has to break your PIN, which is compulsory to be a minimum of 6 numbers, and those numbers are stored in your PC. Run the maths for the possible combinations. The latter makes it, possibly, safer than the WRD app due to the fact that 90% of people use it with the default settings and they pick passwords that are easy to remember. Hence, an experienced hacker just has to find out your public IP; the rest is routine.

  5. Steve Borsch says:

    Thanks for the comment, Vic. This post is now a year and a half old and a lot has changed…making it mostly a non-issue now.

  6. Sorry Steve, a friend just sent me your post while he was researching RD apps. I simply told him my opinion and also posted it. To be honest, I did not even notice the date, just the content.

  7. Steve Borsch says:

    No worries Vic. Thanks for the followup.

    It does bring up the issue for me which is this: There are dozens of my posts which *still* get hundreds of pageviews per month (and a good share of commenting) even though some date back to 2005. Wish I had the time, energy and effort to update them all! ;-)
