post

Google Chrome: Why I Said, “No thanks”

chrome-iconThough I use Google Chrome all-day, every-day…I radically minimize the use of plugins and extensions. Why? Because it’s like going to the hardware store to get a new housekey made and having to agree in writing that, “You agree the locksmith can make a duplicate key and use it whenever he/she cares to do so.

The thing is, as I described in my September 2011 post, “Don’t Just “Allow” Permissions for Cloud Apps,” there are just too many opportunities for rogue infiltration of my computers if I load ones that are inherently insecure (because I’d have to grant access to all my tabs, web history and more). I just don’t agree willy-nilly to terms and conditions and actually think-through what sorts of potential insecurities and “holes” I’m opening myself up to if I choose to use an extension or plugin.

Google makes it clear that you have to be very, very careful when you load Google Chrome extensions. I’m often blown away when I see how many developers, many of whom are outside the U.S., deliver NPAPI extensionsGoogle says on that page that developers should strongly consider these security considerations with NPAPI:

Including an NPAPI plugin in your extension is dangerous because plugins have unrestricted access to the local machine. If your plugin contains a vulnerability, an attacker might be able to exploit that vulnerability to install malicious software on the user’s machine. Instead, avoid including an NPAPI plugin whenever possible.

Though Google is working on an experimental new plugin/extension API called “Pepper,” today I decided (in advance of a client session) to experiment with Google Remote Desktop. It works well, my client uses Chrome, but when I went to implement the extension on my main machine I encountered this:

Chrome Remote Desktop 'agreement'

Wait a second. What is that last sentence, “Perform these operations when I’m not using the application” I’m agreeing to if I install it?

Figuring that it would be fast to discover more detail behind that bullet point and get comfortable I wasn’t opening myself (and our entire office network) to who-knows-what, I did a Google search on that phrase. Basically I found nothing. Then I went to the Google Chromium project (the project behind Chrome the ChromeOS, etc.) and looked at their “security brag sheet.” Again, nothing.

Does this mean that, if my computer and Chrome are running and I’m not around, that Google (or whomever they grant access to) can view any of my computer’s desktops? Security neophytes would think, “Come on…your locksmith analogy is a straw man argument and Google would never allow that sort of intrusiveness.” Maybe, but if CISPA passes (PDF), like I posted about yesterday, Google won’t have a choice in opening up desktops to intelligence and policing agencies (though, in Google’s defense, they are rattling their sabers).

I clicked “No thanks” to using Google Remote Desktop until Google reveals—and their description is verified by security specialists—that Google Remote Desktop isn’t a backdoor. You should too until Google makes it crystal clear what we’re signing up for when we install their, and third-party, extensions.

About Steve Borsch

I'm CEO of Marketing Directions, Inc., a trend forecasting, consulting and publishing firm in Minnesota. Prior to that I was Vice President, Strategic Alliances at Lawson Software in St. Paul where I was responsible for all partnerships at this major vendor of enterprise resource planning software products and services. Read more about me here unless you're already weary of me telling you how incredible and awesome I am.

Comments

  1. Other major community distributions on Open – Solaris are the following:.
    They’re often traced to a corrupt or incompatible driver,
    or flaky software. I bought my Macbook Pro for school, and my
    grades would be horrible if I used it a lot for games anyway.

  2. It’s cystal clear here:
    https://support.google.com/chrome/answer/1649523?hl=en

    You can click Allow access now.

  3. In order to access your machine when it is not logged in and chrome is not running, Google is actually installing an external application. This application, or service, is what you connect to when logging in remotely. You are not connecting to a chrome extension. The extension is just a gui. This is what that bullet means.

Leave a Comment