Hacker News new | ask | show | jobs
by cesarb 3832 days ago
As Raymond Chen would say, the code is on the same side of the "airtight hatchway". There's nothing Chrome can do to protect itself against processes at the same privilege level, much less against processes at higher privilege levels. Any blacklist check Chrome does can be nothing more than a speed bump.
2 comments
arawde 3832 days ago
That makes sense, thank you for the explanation. That said, I suppose I'm still disappointed that a security vendor would manipulate extension installation to bypass checks on a platform, but I'm not particularly surprised that it's the kind of thing AVG would do.
link
Karunamon 3832 days ago
Also, you probably don't want them to. I've got a huge problem with software that goes out of its way to prevent the user from doing something they explicitly want to do.
link
acdha 3831 days ago
How is code supposed to determine user intent? The AVG developers would no doubt say the user intended to install their software and didn't want to have to learn all of the details, just like every other malware / adware vendor claims; the Chrome developers would say that users want to be secure but if you ask, millions of people will be insecure because they made a mistake or were encouraged to believe something was safer than it actually is.

There simply isn't a simple solution to this problem.

link
ikeboy 3832 days ago
Chrome already blocks extensions not from the webstore on Windows, unless you use a developer branch. See http://chrome.blogspot.com/2014/05/protecting-chrome-users-f...
link
simoncion 3832 days ago
> I've got a huge problem with software that goes out of its way to prevent the user from doing something they explicitly want to do.

I guess you have a huge problem with Windows 7 or later or OS X 10.9 or later, which really go out of their way to prevent you from loading unsigned kernel-space device drivers.

link
Karunamon 3831 days ago
Yes. Yes I do. I wasn't aware that wanting complete control of my devices was somehow a controversial stance around here.
link
x0x0 3832 days ago
it's not evident there's a lot of user intent here; almost certainly the user doesn't intend to break web security.
link