F-Droid builds all of their apps from the publicly released source code. There's no reason why Google couldn't do the same, at least for apps hosted on well-known coding/review platforms like GitHub.
That's a good point. Is there some kind of time lag between the builds and the repo updates? If there's not time for anyone to check the code then the door is still slightly open for malicious code to enter the store without scrutiny.
Providing some sort of customer service that reacts at least when the press comes knocking? Use their considerable financial and legal firepower to sue whoever pushed the malwarized version of Great Suspender into the ground? Enforce that Chrome extensions be built on Google infrastructure from public source code repositories to prevent silent takeovers, at least for extensions with 10k+ subscriptions?
Alert people that they should rotate their passwords?
The last one is so crucial. Had I not read that LWN post, I would never have noticed that the extension didn't just run adware fraud but also snooped passwords. Seriously, fuck Google and their disgusting zero communication attitude.
The whole idea of extensions is fundamentally broken. You are letting an unknown person who you have no way to trust or hold accountable access all of your web data.
It can't be fixed without crippling the system. You can't sandbox permissions because the most basic and useful tools require full access to every website.
The only way I can think of is having all extension developers required to have their identity verified and from a country that follows some common law so that google can take legal action against malware developers.
I shouldn't be forced to run someone else's code to look at a publication. That's the entire point behind using something as ugly as XML (or it's simplified child, HTML) to begin with: this is supposed to be a document markup language. A method of annotating what an author would _like_ to have happen when rendering the data.
I seriously loath the fetish of creating pixel perfect displays which treat the end user as an actively hostile element; a passive consumer, rather than someone empowered to use the data for their own enlightenment in the manor their preferences prefer. (Font size, screen reader, dark / light mode, etc)
> JavaScript served by the sites; exact same issue.
It's not really the same issue.
If you are visiting a site that uses its own JavaScript, you can probably assume that if it's run by someone trustworthy, the script isn't going to try stealing your passwords or credit card number. There shouldn't be any reason for the web page to have access to anything that you're not providing it with anyway.
A browser extension (like an ad blocker) can access the content on every page you visit. That could be your bank, email account, social media - anything. If you have a malicious browser extension, it can see everything you do.
That was what mozilla did when they had resources to do so... now I think they have a different tactic but if you obfuscate it they require a full unadulterated source code link. google operate(d/s?) on the permissive model where you pay for a small membership and then they let you put it up unrestricted and if it gets too many reports it gets pulled. I think mozilla has the slight edge personally but either way i'd be wary of installing extensions willy nilly.
Yeah it's kinda a big dichotomy though... they only review very few extensions after doing their automated testing on them. my extension is marked as unverified and there doesn't seem to be a way to change that other than getting some unknown critical mass of users where they are interested in doing a manual review. oh well... not a big deal I guess and the extension is more for my own usefulness.
Making it so extensions don't auto-update themselves would be a helpful step in the right direction, it would cut down on the impact of when these things happen. Unfortunately I think we'll sooner see Firefox aping Chrome on this than the other way around.
The real security advice is: keep up to date with security patches. Staying up to date just because is not good advice.
Gentoo has a nice system, "Gentoo Linux Security Advisories", where you can periodically run a program called glsa-check which lets you know if you have packages installed that have security problems, what the problems are, and points to more info (like CVEs). You can even have it upgrade stuff on its own if you don't want to think about it. Something like this would be a nice feature for browser extensions.
Kinda off-topic: with enough eyes all bugs are shallow, but does that really help when Google prefers playing whack-a-mole to doing the right thing?