by ocdtrekkie 2226 days ago
It's worth noting that the Chrome Web Store is currently full of malware and most malware I see on PCs was installed via the Chrome Web Store. By design, HTTPS does not protect your privacy at all if you have extensions that violate it, since they see what you see after TLS termination.

So this is a huge deal, Google is already bad at it, but I can't fault them for heavily restricting extension install: Currently they are way too lax.

4 comments

This is still something of a problem of Chrome's own creation though.

The reason Chrome can't be much, much more restrictive about what extensions get placed in the store is because there is no alternative. The less important your store is, the more exclusive (and safer) it can be.

Look at Linux with package managers like AUR. If a package isn't included in the official Arch repos, I generally don't mind. I can go install it if I've vetted it myself. What that means is that Arch can be a lot more restrictive about what they include. They don't really need to provide a bunch of justifications, they can just say they had a bad feeling or haven't gotten around to looking at it.

If the goal is to have safe spaces where users can be certain that they won't ever run into malware, the space maintainers need the freedom to be very restrictive. Google doesn't have that freedom with the Chrome Web Store specifically because getting banned from the Chrome Web Store is a massive deal -- they can't just decide to prioritize safety over everything else.

Small, optional safe spaces that people can opt into will always be better filtered, better moderated, and overall safer than a giant space that's forced to balance between freedom and safety for every single user at the same time. Moderation doesn't scale.

I don't think their priority is making a specific area where users are free from malware; they're trying to make it hard for malware overall to integrate with Chrome. Adding a supported path for software to integrate with Chrome (allowing extensions not through the store) where they can't block malware would be giving up on that goal.

> they're trying to make it hard for malware overall to integrate with Chrome

That's a reasonable argument, and you're probably right about their motivations. But I'm not convinced that's a realistic goal, because the definition of malware/spyware changes depending on the context/user.

The big reason moderation doesn't scale is because you're forced to balance everybody's needs at the same time -- you can't optimize for any particular user. If the end-consequence of an exclusive web store is that it's much harder for the Chrome team to ban shifty apps without everyone on Twitter asking for a bullet-pointed list explaining why, then the Chrome team isn't really making the world that much safer.

In general, I would advocate that it's better to try and build safe spaces rather than safe worlds. That's kind of a pragmatic philosophy: I'm having a hard time thinking of an existing safe world that I think runs well. All of the major app stores (including Apple's) have malware problems to at least a certain degree. Most giant social networks are not doing a good job of moderating content. Package managers for languages like Node and Ruby are running into the same issues.

Maybe the web itself? But the web doesn't get its safety from moderation, it gets its safety because of sandboxing.

If I'm thinking purely as a consumer, what I really want is an extension store where I know 100% that everything on it is fine. I don't want to have to think or read reviews or look up the author before I install an extension. I want it to be clear when I'm being safe and when I'm doing something dangerous. I suspect that's what a lot of consumers want, and I just don't see any realistic path for Chrome to provide that with their current strategy.

I get that "somebody might choose to leave the safe space and install malware anyway" feels bad, but if the consequence of avoiding that is, "everybody gets kind of substandard protection all the time", maybe it's worth questioning whether Chrome's malware goals are worth pursuing in the first place.

You're confusing two things:

  laxness <--> strictness scale

  carefulness/competence <--> carelessness/incompetence scale

Google tries to do this with automated processes and minimum wage drones, which results in both million dollar extensions being bumped AND widespread malware being let through.

> Google tries to do this with automated processes and minimum wage drones

Do you have an alternative suggestion for how they could do it better?

Yes, but it involves spending more money.

Not necessarily?

E.g. you could sell developer support at $10k/annum with a 3h SLA for escalation to a senior eng. Serious companies with businesses that rely on Chrome plugins would purchase in a second.

$1000 yearly subscription for the store membership for human curated content.

Apple can do it for $99 a year (plus thirty percent of course). Their system is by no means perfect, but there absolutely is less bullshit malware on their market vs Google Chrome.

I think the parent meant that the Chrome user would pay $1k/year for human-curated extensions.

This is kind of a strange thought, isn't it? At that rate, even if people were inclined to pay, it's affordable to what, 10% of the US or a fraction of 1% of the world?

Why would it even cost that much? You could literally use the actual Chrome store for curation and make a white list of the top 100 extensions that aren't skeevy or run by skeevy people and pull in updates periodically after checking that it hadn't become obvious malware or been sold.

If you imagine that such a list would consume meager resources per person using it, a million people paying 1 dollar would probably pay more than it would cost to run it. It would be easier to convince a million people to pay a dollar than it would be to convince anyone to pay a thousand per year for Chrome extensions while they are using computers and OS which cost them less combined.

So it's the usual: make it available unrestricted on launch so that idiots build on your platform, look how many apps/extensions we have. Once the market is captured, sorry, it's closed now, for we must protect our users.

Even if that's how it ended up, I doubt that was the plan. I think a lot of Google products, especially those from 10+ years ago, start out built for people like themselves: highly tech literate software engineers. As long as that is true enough, extensions are great and useful, and the users are mostly skeptical/aware enough to avoid installing malware. Now the average Chrome user is the same person that filled their IE browser window with Bonzi Buddy toolbars.

It never is the plan, I would say. Great products like Chrome are made by people that are driven by the idea of making a great product, for the user. But after that is proven, given some time, the shareholders take over and priorities shift.

It also doesn't help that dodgy folks started buying trusted extensions. One update of a trusted extension and you're just as bad off as installing a dodgy one in the first place.

You do realize that the original Pushbullet issue arose from Google trying to be even more strict and reduce the amount of malware, right? And even with all that, as you mention, CWS is still full of malware.

What hope does any other store then have to create a malware-free web store if even Google can't? And if they allow installation from anywhere, do you realize that whatever state we are in now, it would be orders of magnitude worse?

If there is some way to get malware into your computer, someone out there will make you do it. That's exactly why installing extensions is so locked down. I don't understand how people think that it will magically all be better if users were given full access to install whatever from wherever. Have you never in your life interacted with an average non-poweruser?

> What hope does any other store then have to create a malware free web store if even Google can't?

I think you're giving Google too much credit here. For years nearly every single extension, no matter how targeted the purpose, has told me "This extension will have access to all your data on all your web pages". It is such a no-brainer to do a little better than that but they tolerated it for years.

In a few cases I looked into why developers requested those kinds of permissions and the answer was that Chrome permissions weren't designed well enough to allow narrower permissions. So Google has no excuses here. They control the browser and the store.

Just because they had a more lax approach in the past doesn't mean they aren't working hard to regain control now. And either way, none of that addresses the issue where expanding control would only make the malware issue worse, not better.