Vivaldi's biggest security vulnerability: the Chrome store



  • With the recent kerfuffle over what went down with Nano Adblocker & Nano Defender (FYI: the original developer sold the extensions to some nefarious outfit that wasted no time in pushing updates for said extensions that opened users up to a world of potential hurt), it seems increasingly clear that Google's un-policed malware farm is the wrong place to be shopping for add-ons. It seems to me, then, that any amount of 'hardening' that you might do to Vivaldi or any other Chromium browser is immediately undone as soon as you install an extension.

    The obvious solution would be to avoid installing extensions, but for many of us extensions offer functionality that is essential to our workflows, and handicapping ourselves in this way might not make as much sense as, say, just switching to a browser that offers a more secure platform for extensions (Safari would be the gold standard in this regard, but I believe that Firefox and even Edge do better in this regard, maybe Opera as well?).

    What is the way forward for Vivaldi?



  • Use common sense about which extensions to install.



  • @purgat0ri said in Vivaldi's biggest security vulnerability: the Chrome store:

    What is the way forward for Vivaldi?

    Maximum implementation of key extension functionality natively in Vivaldi.

    The Devs have promised me that all my preferred extensions are the first ones they're prioritising.
    😜


  • Vivaldi Translator

    This is not a new problem.
    The same problem exists with websites that hold user accounts.

    Vivaldi has folded a lot of functionality into the browser which saves using many extensions, but you have to draw a line somewhere.

    Google acted rapidly with regard to removing the extension which makes a refreshing change.

    To limit risk, don't allow access to private tabs and disable any extensions not used regularly anyway.
    Opt for open source extensions as this leads to problems being made obvious and public quickly, even if not resolved.

    You can use yet another extension "CRXcavator" to analyse extension behaviour and display useful privacy and security info on their site.

    There is also a "chrome extension source viewer" for times you want to dig into non-open source extensions.

    Qualys BrowserCheck extension can also advise if it finds any known bad extensions.

    Maybe Vivaldi can bolt in more security features, but I doubt it.
    Security features in browsers only get added after major issues happen not before.
    I and many others shouted for years about having encrypted DNS in the browser (like Yandex browser) while it is not an OS standard, but it took until google added it as standard for us to....
    still not have it.



  • @Steffie Wait... They made me the same promise ^_-

    @Dr-Flay Google acting rapidly for motives other than avarice? Must be a first! But I sincerely thank you for the education. The extension-checking extensions sound particularly interesting, though I wonder if Vivaldi could implement something like that natively? In fact, Brave has a lot of good ideas (and some that are less so) that I hope Vivaldi eventually borrows from, or even outright steals 🙂



  • I don't see any solution that allows users to install extensions that would provide meaningfully less risk, without severely limiting user choice. If Vivaldi were to create their own extension "store", with the ostensible purpose of screening every available extension to ensure there is no malware, spyware, whatever, it would create an enormous workload and present a huge barrier to extension developers. It would likely lead to long delays in the ability of extension developers to publish updates, which itself presents a security risk. The very limited selection of extensions and long delays in receiving updates would just lead to users installing the extensions manually instead of using the store, which again isn't an improvement. And all of this would still not prevent the exact same thing from occurring.

    When installing an extension, it should be understood that you're increasing the attack surface & complexity of the browser, and allowing arbitrary code to run. By definition, you're extending trust to the extension developers and so it is upon the user to do their own research and come to their own conclusion as to whether they wish to extend their trust to those developers. There's no one size fits all determination here, everyone has their own approach to risk analysis, and what features are worth the risk, what kinds of developers are worth their trust, etc.



  • @BoneTone Fwiw, i was not advocating extensions, i was advocating building in targeted extensions' [ie, MY ones, teehee] functionality natively into V core code. In my browser utopia, my V would have all my current native+extensions functionality, but 100% sans-extensions.



  • @purgat0ri While I don’t disagree with you, this story is a bad example. The extension developer, instead of looking for maintainers inside the community, made the greedy move and sold the extension instead. It is because of this very community that the updated extension was immediately flagged and then removed from the store. The situation was handled as well as one could wish for.


  • Vivaldi Translator

    There is a better way to handle extension stores.
    Copy the F-Droid policy.

    Once you only allow open source to be used and ban any advert systems, you have a safer place.
    Unlike the google store, F-Droid have not had issues with becoming a malware distributor.
    If they had an extension store, I know where all my extensions would be coming from.


  • - Ambassador -

    Most extensions I use are Open Source and you can install them directly from GitHub. Download CRX file and drag them to the Extensions Page in developer mode. You don't need the Chrome Store.
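    The posts above from @Dr-Flay (checking what an extension can actually do before trusting it) and @Catweazle (side-loading a CRX downloaded from GitHub) both come down to the same triage step: open the package and read the manifest before the browser does. The script below is an added example, not code from this thread, from Vivaldi, or from CRXcavator or any other tool mentioned here. It unwraps the CRX2/CRX3 container to reach the ZIP inside, reads manifest.json and reports which permissions would matter if an update ever turned hostile. The sample manifest, the placeholder CRX3 header and the update URL are constructed for the example; the script does not verify the package signature and is no substitute for reading the code.

```python
"""Offline triage of a Chromium .crx before side-loading it (added example)."""
import io
import json
import struct
import zipfile

# Host patterns that grant access to every site the user visits.
BROAD_HOST_PATTERNS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}

# API permissions worth a second look, with the capability each one grants.
RISKY_PERMISSIONS = {
    "webRequest": "observe every request the browser makes",
    "webRequestBlocking": "block or rewrite every request (MV2)",
    "declarativeNetRequestWithHostAccess": "rewrite requests on granted hosts",
    "cookies": "read and write cookies, including session tokens",
    "tabs": "see the URL and title of every open tab",
    "history": "read browsing history",
    "scripting": "inject scripts into pages (MV3)",
    "nativeMessaging": "talk to native programs on the host",
    "debugger": "attach the DevTools protocol to any tab",
    "proxy": "redirect all traffic through a proxy",
    "management": "enable, disable or uninstall other extensions",
    "clipboardRead": "read the clipboard",
    "downloads": "start downloads and open files",
}

CRX_MAGIC = b"Cr24"


def crx_payload(data: bytes) -> bytes:
    """Return the ZIP archive embedded in a CRX2 or CRX3 container.

    CRX3: magic, version (u32 LE), header length (u32 LE), header, zip.
    CRX2: magic, version, key length, sig length, key, signature, zip.
    The signature inside the header is NOT verified; this is a triage tool.
    """
    if data[:4] != CRX_MAGIC:
        raise ValueError("not a CRX file (bad magic)")
    (version,) = struct.unpack_from("<I", data, 4)
    if version == 3:
        (header_len,) = struct.unpack_from("<I", data, 8)
        return data[12 + header_len:]
    if version == 2:
        key_len, sig_len = struct.unpack_from("<II", data, 8)
        return data[16 + key_len + sig_len:]
    raise ValueError(f"unsupported CRX version {version}")


def read_manifest(crx: bytes) -> dict:
    """Pull manifest.json out of the embedded ZIP."""
    with zipfile.ZipFile(io.BytesIO(crx_payload(crx))) as zf:
        return json.loads(zf.read("manifest.json"))


def audit_manifest(manifest: dict) -> dict:
    """Summarise what the extension could do if its code turned hostile."""
    mv = manifest.get("manifest_version", 2)
    perms = set(manifest.get("permissions", [])) | set(manifest.get("optional_permissions", []))
    hosts = set(manifest.get("host_permissions", []))  # MV3 keeps hosts separate
    for script in manifest.get("content_scripts", []):
        hosts.update(script.get("matches", []))
    if mv < 3:  # MV2 mixes host patterns into "permissions"
        hosts.update(p for p in perms if "://" in p or p == "<all_urls>")
    findings = []
    broad = sorted(hosts & BROAD_HOST_PATTERNS)
    if broad:
        findings.append(f"access to every site via {broad}")
    for p in sorted(perms & set(RISKY_PERMISSIONS)):
        findings.append(f"{p}: {RISKY_PERMISSIONS[p]}")
    update_url = manifest.get("update_url", "")
    if update_url and "clients2.google.com" not in update_url:
        findings.append(f"self-updates from a non-store URL: {update_url}")
    if broad and perms & set(RISKY_PERMISSIONS):
        level = "high"
    elif findings:
        level = "medium"
    else:
        level = "low"
    return {"name": manifest.get("name", "?"), "level": level, "findings": findings}


def build_crx3(manifest: dict, header: bytes = b"\x00" * 8) -> bytes:
    """Wrap a manifest in a CRX3 container. CONSTRUCTED for the example only:
    the header is a placeholder, not a real signed CrxFileHeader."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("manifest.json", json.dumps(manifest))
    return CRX_MAGIC + struct.pack("<II", 3, len(header)) + header + buf.getvalue()


# Constructed sample: the permission set a content blocker typically needs.
SAMPLE_BLOCKER = {
    "manifest_version": 2,
    "name": "Example Blocker (constructed)",
    "version": "1.0",
    "permissions": ["webRequest", "webRequestBlocking", "storage", "tabs", "<all_urls>"],
    "update_url": "https://example.invalid/updates.xml",  # hypothetical, not a real feed
}

if __name__ == "__main__":
    report = audit_manifest(read_manifest(build_crx3(SAMPLE_BLOCKER)))
    print(report["name"], "->", report["level"])
    for line in report["findings"]:
        print("  -", line)
```

    Note that the constructed blocker manifest scores "high" without any exotic permission: webRequestBlocking plus <all_urls> is simply what a blocker needs to do its job. Chromium only re-prompts when an update asks for permissions the extension did not already hold, so an update that keeps the same manifest and changes only the code runs with that full reach and no new prompt. Seeing a non-store update_url in a side-loaded package is the other thing to look for, since it means the file you audited is not the one you will be running next month.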



  • @luetage Was it? An update containing malicious code made it to the store. There are probably still users running around with this extension installed in their Chromium browser—for my own part, the extension was reinstalled after I 86'd it thanks to Vivaldi's sync.

    One could wish that software/extension stores would review updates before they are published, and that did not happen here.



  • @purgat0ri An illusory setup that potentially lets slip malware through still. Totally unworkable for a project the size of chrome web store.


  • - Ambassador -

    @purgat0ri , some time ago I caught a hijacker with one of these New Tab Pages from the Chrome Store. Google does not review the apps and extensions of the Stores, neither in the Chrome Store nor in Google Play, and removes them only after complaints from users.



  • @luetage What is the referent for your 'illusory setup'?

    @Catweazle Yes. That's why it's a terrible system.


  • - Ambassador -

    @purgat0ri , you can use extensions from the Chrome Store, but you should always check first whether the developer is specified and that it preferably has a link that leads to GitHub or at least to a trusted developer.


    OK if the website is GitHub or SourceForge

    A no-go

    On Android use apps from F-Droid



  • @purgat0ri said in Vivaldi's biggest security vulnerability: the Chrome store:

    @luetage What is the referent for your 'illusory setup'?

    The idea that any practical review process could eliminate malware. Such a store would be extremely limited in its offerings, present an enormous workload for its maintainers, create virtually insurmountable barriers to the extension authors because of that workload, exhibit significant delays in any updates being published, and still provide no guarantee that malware wouldn't be published.

    @purgat0ri said in Vivaldi's biggest security vulnerability: the Chrome store:

    There are probably still users running around with this extension installed in their Chromium browser

    Doesn't matter. The remote server is gone. What really matters now is that the horrible decisions by the extension's author, and the manner in which the entire thing was handled, caused lots of other lasting problems that will affect all users, not just those who installed the extension. The author is suffering greatly from the effect this has had on his reputation. Other authors of similar extensions have also suffered some loss of trust from users, as they see just how easy it is for things to go terribly wrong with them. Google's arguments about the necessity of the Manifest v3 changes to ensure users' security and privacy have been bolstered, as has their confidence to move forward with greater restrictions, most likely. Which would cripple these critically useful extensions, to the point that at least some of them will be abandoned altogether, and that would be a major loss for users who actually want to protect their security and privacy.

    In the end, if there's one thing users need to learn from this it's that nobody is responsible for your security & privacy but you. Security & privacy require users to extend a level of trust. Regardless of how an extension store is implemented, users still need to do their own due diligence and determine if they're comfortable extending that trust to the authors of any extensions they install. That trust is not a one-time event, and must continually be evaluated for as long as the extension is installed. This wasn't the first time a previously trustworthy extension abused the trust users put in it, and it won't be the last. No practical screening can eliminate that, and any attempt would dramatically reduce the choice and functionality that users want.



  • @BoneTone said in Vivaldi's biggest security vulnerability: the Chrome store:

    nobody is responsible for your security & privacy but you

    That damn Linux system user has such a lot for which to answer!

    🤪

    Nice post; sobering reality-check.

    This is especially saddening:

    Google's arguments about the necessity of the Manifest v3 changes to ensure users' security and privacy have been bolstered, as has their confidence to move forward with greater restrictions, most likely

    😭



  • @BoneTone said in Vivaldi's biggest security vulnerability: the Chrome store:

    The idea that any practical review process could eliminate malware. Such a store would be extremely limited in its offerings, present an enormous workload for its maintainers, create virtually insurmountable barriers to the extension authors because of that workload, exhibit significant delays in any updates being published, and still provide no guarantee that malware wouldn't be published.

    Who endorsed that idea? Because it certainly wasn't me. Just because a given measure will only curtail a given undesirable outcome or phenomenon, rather than completely eliminating it, does that mean that measure is not worth considering? Sounds like making the perfect the enemy of the good to me.

    I'm actually fine with a more curated store with a limited range of extensions if it means that I can be more confident that those extensions will be free of malicious code. I understand if others aren't willing to make that sacrifice, but I personally don't think it would be too great a loss if 90% of the cruft currently occupying the store were to disappear.

    Besides, as @Catweazle has pointed out, there are other distribution channels for extensions. I'm not sure why he thinks GitHub, for instance, is safer unless someone has taken the time to audit the code (which is what Google themselves should be doing, in my opinion), but it would remain an option nevertheless.

    Chrome seems to have the worst store going in terms of security and privacy (a reflection of the company as a whole, no doubt) practices, so there is clearly more that they could be doing if they cared to.


  • - Ambassador -

    @purgat0ri , I think this because in general I think that FOSS is more private, because it lacks the commercial interests of large multinationals (does Google review the extension code? I doubt it; they put the extension up and if users complain they will remove it).
    Although yes, you always have to be careful before installing anything.



  • @purgat0ri Chrome web store will not change its policies because of a post on Vivaldi Forum and Vivaldi isn't likely to abandon the store either. Even if someone audits the code, you can never be sure they did a good enough job and didn't overlook something. The only way to make sure an extension is 100% safe is to audit every bit of code yourself – initially and after every update. Don't know whether you are capable of that. Anyhow, the only realistic option remaining is to forego the use of extensions and be content with the inbuilt tools Vivaldi provides.

