Probably a naive question
Why aren't these extensions sandboxed from each other?
Google has billed its Chrome operating system as a security breakthrough that's largely immune to the threats that have plagued traditional computers for decades. With almost nothing stored on its hard drive and no native applications, there's no sensitive data that can be pilfered and it can't be commandeered when attackers …
I've not written Chrome or Firefox extensions before, but I assume they're written in JavaScript and they require access to the global JavaScript environment for the tab in which they are active.
While you can isolate extensions that have instances in different tabs, I don't see how you can completely isolate two extension instances that are active for the same tab.
Anyone care to enlighten us?
I'm surprised this is a problem, because even if extensions exist in the same environment it is possible to program them in such a way that no other extension can read the data of another extension.
Just look up Private Members in JavaScript by Crockford, basically you just create your extension data inside of its own scope.
What? I don’t have that much experience of Java, but do I understand you correctly that this is a problem because the data definitions are coded outside the main method and therefore appear as global data???? (or something like that)
Is it a Java problem or a Google Chrome problem?
In either case it looks like a fail of epic proportions for both the developers of the extensions and the Sun/Oracle developers of Java for sloppy programming.
The languages may have a similar name and a superficially similar syntax, but that's all they have in common.
On the subject of JavaScript, encapsulating an extension still can't stop it from accessing global objects such as 'window', which is an absolutely essential part of the browser object model. If two extensions are allowed to run concurrently and if extensions are allowed to access anything about a currently viewed web page, then clearly both must by definition be able to access the same DOM tree and modify it, or place event listeners on parts of it.
This is the problem with JavaScript; it's a mess of single threaded, global based design disasters that cause very serious security headaches if you start using it for anything large scale. There's nothing wrong with the language, apart from people failing to understand that it uses prototypical inheritance rather than classical inheritance; but there's a lot wrong with the way that JS works in a browser when it comes to trying to isolate scripts from one another.
A brief look at the Chrome extensions API shows interfaces for browser windows, visit history, cookies... Are you *sure* that extension you just downloaded hasn't been sending all your cookies off to some shady remote server somewhere?
http://code.google.com/chrome/extensions/cookies.html
Note the "getAll" and "getAllCookieStores" methods. Sure, the manifest needs to specify permissions for that, but we know what users do when an OS asks them about it - "<foo> wants to do <bar>, is that OK?" - "yes".
Check out the Tabs interface while you're there. "executeScript" is my favourite - 'Injects JavaScript code into a page'. What could possibly go wrong?!
You could only truly isolate extensions if they operated entirely within their own JavaScript execution context, but that means not being allowed anywhere near shared global objects; most extensions would become impossible by design and extensions in general would be so restricted as to be next to useless. You may as well just write a web application in that case; the idea of an extension is to extend the system, not just be some isolated stand alone thing - an isolated stand alone thing is called an app.
Being unable to write native code clearly reduces the range of attacks possible on the platform, but claiming that security problems are a thing of the past or trying to punt them off as a 'web problem' is nonsense. Well, it's marketing, which is much the same thing ;-)
Personally, I've adopted the "50 foot barge pole" policy with this particular OS.
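The distinction drawn in the comments above, between data held in a closure and data written into the page that every extension in the tab shares, as an added example that is not part of the original thread. It runs under Node against a constructed in-memory stand-in for one tab's DOM; `makeSharedPage`, `makeFillerExtension` and `makeObserverExtension` are hypothetical names, not Chrome APIs.

```javascript
// Constructed stand-in for one tab's DOM: a single tree shared by every script in the tab.
function makeSharedPage() {
  const fields = new Map();   // field name -> current value
  const listeners = [];       // callbacks registered through onInput
  return {
    setField(name, value) {
      fields.set(name, value);
      listeners.forEach((fn) => fn(name, value));
    },
    getField(name) { return fields.get(name); },
    onInput(fn) { listeners.push(fn); },
  };
}

// Hypothetical extension A: keeps its data in a closure (Crockford-style private member).
function makeFillerExtension(page) {
  const vault = { "example.test": "constructed-secret" }; // not reachable from outside
  return {
    // The value leaves the closure the moment it is written into the shared page.
    fill(site) { page.setField("password", vault[site]); },
  };
}

// Hypothetical extension B: holds no reference to A, only to the same page.
function makeObserverExtension(page) {
  const seen = [];
  page.onInput((name, value) => seen.push({ name, value }));
  return { seen };
}

function demo() {
  const page = makeSharedPage();
  const observer = makeObserverExtension(page);
  const filler = makeFillerExtension(page);
  const closureLeaks = "vault" in filler;   // false: closure privacy holds
  filler.fill("example.test");
  const observedViaDom = observer.seen.length === 1 &&
    observer.seen[0].value === page.getField("password");
  return { closureLeaks, observedViaDom };
}

console.log(demo());
```

Closure scoping protects what an extension keeps in its own variables; it does nothing for values once they are placed in a DOM that other code in the tab can also read or listen on.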
“Whose problem is this to fix? LastPass did everything correctly. It's the other extension developers that developed an extension with a vulnerability in it.”
Then LastPass's approach doesn't make sense in the current setting and a sane situation is out of reach. If security depends on other developers doing the right thing, you are hosed. The browser needs to be fixed, the approach needs to be fixed or scrapped.
It's like with Social Security. You can't afford it. Cuts or more taxes? You still can't afford it. It doesn't make sense - it's economically out of reach.
True, but Chrome has pushed the security of their Chrome OS. If it's only as bad as more orthodox OSes that's not a particularly impressive marketing message: 'Chrome OS: Not Any More Insecure than Mac or Windows.' That doesn't give you a reason to switch to Chrome OS. It has to be _better_ than what you're currently using.
The public misunderstanding as to information security is worsened by the fact that to most people, the OS is everything that runs on the computer. A Mac isn't just the hardware and base software, but all the applications that run on it. So if a third party flaw allows for an exploit in OS X, people take that as an argument against the claim that 'Macs don't get viruses', because a Mac is a computer, and the computer was compromised. Never mind where the intrusion came from.
Sure, if you don't install anything and lock everything down, your computer is very secure. But Chrome OS needs extensions just like Windows, OS X and Linux need local software packages. Claiming the default installation is secure isn't all that impressive.
Chrome OS isn't really more secure. It's just insecure in a different way.
"“Whose problem is this to fix?” Johansen continued. “We don't really have an answer for that. LastPass did everything correctly. It's the other extension developers that developed an extension with a vulnerability in it.”"
Didn't he answer his own question? If LastPass did everything correctly and the other extension developers developed an extension with a vulnerability in it, doesn't that, by default, make it the other developers' problem to fix?
Given that Google are trying to build a new execution environment from (almost) scratch in a very short period of time, it's inevitable that problems are going to be incorporated.
The traditional OSes have been developed over decades and they're still not right yet. What's so special about Google's approach to make it likely that ChromeOS is trouble free in such a short period of time? Personally speaking I won't be touching it with a barge pole.
Google's only motivation for developing ChromeOS is to capture more of the advertising market. They're a commercial, profit driven company just like every other. ChromeOS is a dangerous strategy because it succeeds only if a substantial number of people can be persuaded that it provides a level of service and security above that which is offered by the more conventional platforms (Win/Mac/*nix). It will be difficult to provide such assurances if security researchers keep finding massive holes like this. And by going way beyond the scope of other things like Google Docs, gmail, etc. they're taking on a much bigger task and are less likely to succeed.
For security, law enforcement must attack the masterminds -- the people freely distributing the hacking tools and techniques to anyone.
Any sophisticated system can be hacked -- it is just a matter of time and expertise.
Security only exists when the time it takes to develop the hack is shorter than the time it takes to imprison the hacker.
Well, that is my conclusion. Having spent years playing with Linux flavours, Chrome and the rest, at least with Windows it is improving massively yet will never be even 99% secure. So I just accept that despite my best efforts there is always a risk of security breach, and I manage my data accordingly.
By the way, where has the Bill icon gone?!
"Chromebooks raise security protections on computing hardware to new levels", quoth your Google spokesperson.
Right. Ignorant about both security *and* non-PC platforms, then, and apparently confused about the distinction between operating system and hardware. I think we can safely disregard anything from that source.