Though I use Google Chrome all-day, every-day…I radically minimize the use of plugins and extensions. Why? Because it’s like going to the hardware store to get a new housekey made and having to agree in writing that, “You agree the locksmith can make a duplicate key and use it whenever he/she cares to do so.”
The thing is, as I described in my September 2011 post, “Don’t Just “Allow” Permissions for Cloud Apps,” there are just too many opportunities for rogue infiltration of my computers if I load ones that are inherently insecure (because I’d have to grant access to all my tabs, web history and more). I just don’t agree willy-nilly to terms and conditions and actually think-through what sorts of potential insecurities and “holes” I’m opening myself up to if I choose to use an extension or plugin.
Google makes it clear that you have to be very, very careful when you load Google Chrome extensions. I’m often blown away when I see how many developers, many of whom are outside the U.S., deliver NPAPI extensions. Google says on that page that developers should strongly consider these security considerations with NPAPI:
Including an NPAPI plugin in your extension is dangerous because plugins have unrestricted access to the local machine. If your plugin contains a vulnerability, an attacker might be able to exploit that vulnerability to install malicious software on the user’s machine. Instead, avoid including an NPAPI plugin whenever possible.
Though Google is working on an experimental new plugin/extension API called “Pepper,” today I decided (in advance of a client session) to experiment with Google Remote Desktop. It works well, my client uses Chrome, but when I went to implement the extension on my main machine I encountered this:
Wait a second. What is that last sentence, “Perform these operations when I’m not using the application” I’m agreeing to if I install it?
Figuring that it would be fast to discover more detail behind that bullet point and get comfortable I wasn’t opening myself (and our entire office network) to who-knows-what, I did a Google search on that phrase. Basically I found nothing. Then I went to the Google Chromium project (the project behind Chrome the ChromeOS, etc.) and looked at their “security brag sheet.” Again, nothing.
Does this mean that, if my computer and Chrome are running and I’m not around, that Google (or whomever they grant access to) can view any of my computer’s desktops? Security neophytes would think, “Come on…your locksmith analogy is a straw man argument and Google would never allow that sort of intrusiveness.” Maybe, but if CISPA passes (PDF), like I posted about yesterday, Google won’t have a choice in opening up desktops to intelligence and policing agencies (though, in Google’s defense, they are rattling their sabers).
I clicked “No thanks” to using Google Remote Desktop until Google reveals—and their description is verified by security specialists—that Google Remote Desktop isn’t a backdoor. You should too until Google makes it crystal clear what we’re signing up for when we install their, and third-party, extensions.