RealTime IT News

Google Aims to Secure Chrome Extensions

Google has spent years securing the core of its Chrome browser, and the company is now in the process of taking the additional step of securing the browser extensions. Extensions are third-party software modules that provide additional functionality to the browser. For the first 20 stable releases of Google Chrome, any user could choose to install nearly any extension they wanted to.

Starting with the latest Chrome 21 beta, that situation is about to change. Ending the free-for-all approach in which any site can be a location from which an extension can be installed, Google is locking the process down.

Google is now advising extension developers to host their extension files on the Chrome Web Store, where the code is validated and checked by Google for security. To give developers the flexibility to continue to market their extensions on their own sites, Google also provides developers the ability to host the install button on their own pages even though their extensions are hosted with Google. This is done by means of an inline installation, an option that has been available since the Chrome 15 stable release.

Currently, users who attempt to install an extension (inline installed or otherwise) that is not hosted on the Google Chrome Web Store will get a warning message. That warning will alert users to the potential danger of installing an extension that has not been vetted by Google's Chrome Web Store security procedures.

While Google is now restricting the ability for any site to host and then trigger the install of a non-Google hosted extension, it is still technically possible to do so. Google has posted a description online on how to specify new sources for extension installation.

"Starting in Chrome 21, it is more difficult to install extensions, apps, and user scripts from outside the Chrome Web Store," according to the Google Chromium page. "Previously, users could click on a link to a *.crx file, and Chrome would offer to install the file after a few warnings. After Chrome 21, such files must be downloaded and dragged onto the Chrome settings page."

Read the full story at eSecurityPlanet:
Google Secures Chrome Browser Extensions

Sean Michael Kerner is a senior editor at InternetNews.com, the news service of the IT Business Edge Network, the network for technology professionals Follow him on Twitter @TechJournalist.