Chrome Extensions Get Security, Privacy and Performance Boost

Following the introduction last month of Google Chrome 69’s better password protection, Google has announced that Chrome 70 will bring trustworthy extensions by default.

What Are Extensions?

The Chrome extension system, introduced to the browser nearly a decade ago, has enabled the introduction of 180,000 different extensions which are small, bolt-on software programs that allow Google Chrome users to customize their browsing experience through functionality and behaviour that suits their individual needs or preferences.

Extensions are typically built using HTML, JavaScript, and CSS and are available in the Chrome Web Store. Google says that the dual mission of its extension team is to “help users tailor Chrome’s functionality to their individual needs and interests, and to empower developers to build rich and useful extensions”.

What’s Been The Problem?

One of the main problems with Chrome extensions has been that remotely hosted code in some extensions can be changed, used to manipulate websites, and used for criminal purposes. For example, Chrome extensions have increasingly been used to hide malware, even when they’ve been downloaded from the official Chrome store, and Google has reported a 70% increase in malicious extension installs over the last two and a half years.

For Google, this has created a lack of trust among users, has led to worries about transparency and the scope of their extensions’ capabilities and data access, has generated bad publicity, and has made Google’s own extension review process more complex, costly, and time-consuming.

Improvements

Google says that it has already addressed some of the security, privacy and performance concerns through the launch of out-of-process iframes, the removal of inline installation, and advancements in the detection and blocking of malicious extensions using machine learning.

New code reliability requirements also mean that Chrome Web Store will no longer allow extensions with obfuscated code. This is essentially code that’s difficult to understand and can be used to hide malicious code, and its complexity makes Google’s review process more difficult.

Google has also announced that further improvements will be made to Chrome extensions in Chrome 70 that should go even further in addressing these issues. For example, improvements will include:

  • Better controls for host permissions. This means giving users the choice to restrict extension host access to a custom list of sites, or to configure extensions to require a click to gain access to the current page.
  • Required 2-step verification (in 2019) for Chrome Web Store developer accounts, in order to improve security.
  • The introduction of Manifest v3 to make the writing of a secure and performant extension much easier.

What Does This Mean For Your Business?

Google Chrome is the most widely used browser, favoured by 60% of browser users. Bearing in mind the 70% increase in malicious extension installs over the last two and a half years, some would say that these mainly security-based improvements to extensions are certainly necessary, and are long overdue. Bad extensions have proven to be the weak link in a strong browser and have provided a loophole that has been exploited by cyber-criminals enabling them to link computers to botnets, steal personal details, and enable crypto-currency mining on a large scale.

Businesses using Google Chrome should now get some reassurance that Google is plugging the security holes that some extensions have created, which should mean one less thing to worry about for the time-being in the ongoing battle with evolving and potentially costly cyber threats.