post

Google Chrome: Why I Said, "No thanks"

UPDATE on 11/20/16

chrome-iconThough I use Google Chrome all-day, every-day…I radically minimize the use of plugins and extensions. Why? Because it’s like going to the hardware store to get a new housekey made and having to agree in writing that, “You agree the locksmith can make a duplicate key and use it whenever he/she cares to do so.

The thing is, as I described in my September 2011 post, “Don’t Just “Allow” Permissions for Cloud Apps,” there are just too many opportunities for rogue infiltration of my computers if I load ones that are inherently insecure (because I’d have to grant access to all my tabs, web history and more). I just don’t agree willy-nilly to terms and conditions and actually think-through what sorts of potential insecurities and “holes” I’m opening myself up to if I choose to use an extension or plugin.

Google makes it clear that you have to be very, very careful when you load Google Chrome extensions. I’m often blown away when I see how many developers, many of whom are outside the U.S., deliver NPAPI extensionsGoogle says on that page that developers should strongly consider these security considerations with NPAPI:

Including an NPAPI plugin in your extension is dangerous because plugins have unrestricted access to the local machine. If your plugin contains a vulnerability, an attacker might be able to exploit that vulnerability to install malicious software on the user’s machine. Instead, avoid including an NPAPI plugin whenever possible.

Though Google is working on an experimental new plugin/extension API called “Pepper,” today I decided (in advance of a client session) to experiment with Google Remote Desktop. It works well, my client uses Chrome, but when I went to implement the extension on my main machine I encountered this:

Chrome Remote Desktop 'agreement'

Wait a second. What is that last sentence, “Perform these operations when I’m not using the application” I’m agreeing to if I install it?

Figuring that it would be fast to discover more detail behind that bullet point and get comfortable I wasn’t opening myself (and our entire office network) to who-knows-what, I did a Google search on that phrase. Basically I found nothing. Then I went to the Google Chromium project (the project behind Chrome the ChromeOS, etc.) and looked at their “security brag sheet.” Again, nothing.

Does this mean that, if my computer and Chrome are running and I’m not around, that Google (or whomever they grant access to) can view any of my computer’s desktops? Security neophytes would think, “Come on…your locksmith analogy is a straw man argument and Google would never allow that sort of intrusiveness.” Maybe, but if CISPA passes (PDF), like I posted about yesterday, Google won’t have a choice in opening up desktops to intelligence and policing agencies (though, in Google’s defense, they are rattling their sabers).

I clicked “No thanks” to using Google Remote Desktop until Google reveals—and their description is verified by security specialists—that Google Remote Desktop isn’t a backdoor. You should too until Google makes it crystal clear what we’re signing up for when we install their, and third-party, extensions.

About Steve Borsch

I'm CEO of Marketing Directions, Inc., a trend forecasting, consulting and publishing firm in Minnesota. Prior to that I was Vice President, Strategic Alliances at Lawson Software in St. Paul where I was responsible for all partnerships at this major vendor of enterprise resource planning software products and services. Read more about me here unless you're already weary of me telling you how incredible and awesome I am.

Comments

  1. Other major community distributions on Open – Solaris are the following:.
    They’re often traced to a corrupt or incompatible driver,
    or flaky software. I bought my Macbook Pro for school, and my
    grades would be horrible if I used it a lot for games anyway.

  2. It’s cystal clear here:
    https://support.google.com/chrome/answer/1649523?hl=en

    You can click Allow access now.

  3. In order to access your machine when it is not logged in and chrome is not running, Google is actually installing an external application. This application, or service, is what you connect to when logging in remotely. You are not connecting to a chrome extension. The extension is just a gui. This is what that bullet means.

  4. The last sentence of the installation window makes sense. You are away from your computer and you want to access it. Your PC is idle with no application running, hence not even Chrome Remote Desktop. So, when you want to access it from another PC how would the application be able to know that is you that you require peer to peer validation and let you to access the PIN popup window? In my personal opinion Google’s solution is the only one that provides 2 level security. Even if your Google account gets compromised, the intruder still has to break your PIN which is compulsory to be minimum than 6 numbers and those numbers are stored in your PC. Run the maths for the possible combinations. The latter makes it, possibly, safer than WRD app due to the fact that 90% of the people use it with the default settings and they put passwords easy to remember. Hence, an experienced hacker just has to find out your public IP, the rest is routine.

  5. Steve Borsch says:

    Thanks for the comment Vic. This post is now a year and half old and a lot has changed…making it mostly a non-issue now.

  6. Sorry Steve, just a friend sent me your post while he was researching RD apps. I simply told him my opinion and also posted it. To be honest did not even notice the date, just the content.

  7. Steve Borsch says:

    No worries Vic. Thanks for the followup.

    It does bring up the issue for me which is this: There are dozens of my posts which *still* get hundreds of pageviews per month (and a good share of commenting) even though some date back to 2005. Wish I had the time, energy and effort to update them all! 😉

  8. So are you ever gonna update this blog to explain why you were wrong to be freaked out by this?

  9. Steve Borsch says:

    No. It’s old news (from 2013!).

    BTW, the first thing I do when landing on a post is look at the date. Suggest you do the same.

  10. Fine. It’s old news but how does a reader know if it is still accurate. I just wasted my time reading it. Please either remove your post or update the first post to indicate this is no longer an issue.

  11. Steve Borsch says:

    Markn: Do people seriously not know how blogging works? There are over 2,000 posts in my blog and you expect me, or any blogger, to update them all? Not a chance. Besides, readers of blogs usually look at the date of a post before “wasting their time”.

  12. David Honig says:

    Steve, I agree in general bloggers don’t have time to go back and update ALL their posts. However, nobody is suggesting that. Bloggers should only update posts where they are wrong. This post in particular exposes how little you knew about the technology when you wrote it. Perhaps you should consider revising it. Wait! Before you write me back telling me how little time you have to update posts, realize that you could have already updated the post in about half the amount of time that you have already spent arguing with people about why you don’t have enough time to update the post.

  13. Steve Borsch says:

    “Steve, I agree in general bloggers don’t have time to go back and update ALL their posts. However, nobody is suggesting that.”

    Actually @David Honig, that’s exactly what you are suggesting as well as @Markn and @AnthonyPirtle did.

    If you went through my blog posts you’d undoubtedly find dozens (or maybe hundreds) of posts that pointed something out which ended up fixed afterwards. Or some criticism which was then made moot because the company addressed it, changed their business model, or any of a number of other reasons.

    Whenever I read *anything* online the first thing I do is look at when it was posted. If there isn’t a date I don’t read it (or take it with a grain-of-salt). I can’t be held responsible for the lack of critical thinking on the part of anyone landing here who happens to own a web browser.

    Also, should I go back and edit this post that talks about the core of Google Remote Desktop, WebRTC, and its IP leaking? This still occurs, but is now somewhat mitigated by uBlock Origin. Again, with three small businesses, a conference on IoT which I cofounded, running a Minnesota tech blog & podcast, and volunteering for two non-profits, the last thing I have time for is to fix old posts.

    So here is my final answer on this post: I’m not gonna change anything. Hopefully people will get over it or wake up and start looking at anything published by any individual or organization with a critical eye.

  14. This post is listed as the fifth result when searching for “chrome remote desktop security” Normally a blogger who knows things have changed would add an update at the top of the post and then leave the rest for reference.

    You shouldn’t assume people are going to read through the comments.

  15. Steve Borsch says:

    @reploidx said, “Normally a blogger who knows things have changed would add an update at the top of the post and then leave the rest for reference.”

    That might seem like a prudent approach but, since I’ve been blogging since 2004 and have over 2,000 posts published, should I go back and update them all? If your answer is “yes” then please add a link to your blog so I can see how it’s done.

  16. David Honig says:

    I know. It’s a simple solution. I can’t imagine why the author would not want to clarify his original post.

  17. Steve Borsch says:

    For all commenters bent-out-of-shape that I haven’t updated this post. I’ve done it now so you can stop whining.

Leave a Comment