Google has announced on Monday five important changes in Chrome, which gives users more control over certain permissions, enforces security measures, as well as makes the ecosystem more transparent.
Let us take a look at the new changes which has been included in Chrome 70 to make the extensions more secure.
New Host Permissions for Chrome Extensions
When an extension asks for permission to read, write, and change data on all websites there was no option for the users to explicitly blacklist or white list a specific set of websites.
James Wagner, Chrome extensions product manager, says “While host permissions have enabled thousands of powerful and creative extensions use cases, they have also led to a broad range of misuse—both malicious and unintentional—because they allow extensions to automatically read and change data on websites.”
But in Chrome 70 (currently in-beta) which is scheduled to arrive this month end, the users will be able to control the way how Chrome extensions can access site data, allowing them to restrict access for all sites and then grant temporary access to a specific website when required, or enable permissions for a specific set of websites or all sites.
When you right-clicking on-an extension on Chrome 70 a new menu shows up which enables the users to decide if it “can read and change site data.” If so, you have an option to choose between “When you click the extension,” “on the current website” or “On all sites.”
Chrome extension Developers are advised to make these changes to their extension at the earliest.
Google Bans Code Obfuscation for Chrome Extensions
It is known to all that even after taking many security measures malicious Chrome extensions manage to get into the Chrome Web Store.
The main reason for this is obfuscation—a technique primarily aimed at protecting the intellectual property of software developers by making programs harder to understand, detect or analyze.
However, malware authors often use packing or obfuscation techniques which makes it difficult for Google’s automated scanners to review extension and detect or analyze the malicious code.
Around 70% of the malicious and policy violating extensions that are blocked contain obfuscated code. With Chrome 70, the Chrome Web Store will not allow extensions with obfuscated code.
Any new extension submissions to the Chrome Web Store have to be free of obfuscated code and developers have 90 days to clean their Chrome extensions of obfuscated code.
Mandatory 2-Step Verification for Developers
Previous year there were numerous phishing attacks aimed at hijacking popular browser extensions through phishing, and then updating them with malicious code and distribute to their users.
This can be prevented by using Two-Step Verification. Starting with January, Google needs the developers to enable two-step verification on their Chrome Web Store accounts to lower the risk of hackers taking over their extensions.
Wagner says “If your extension becomes popular, it can attract attackers who want to steal it by hijacking your account, and 2-Step Verification adds an extra layer of security by requiring a second authentication step from your phone or a physical security key.”
Strict New Extensions Review Process
With Chrome 70, more in-depth review of extensions that ask for “powerful permissions” will be performed. Google will also start monitoring extensions with a remotely hosted code to spot malicious changes quickly.
New Manifest Version 3 For Chrome Extensions
Google plans to introduce a new version of the extension’s platform manifest, version 3 next year which aims at enabling “stronger security, privacy and performance guarantees.”
The new version will narrow the scope of its APIs, make permission control mechanisms easier for users, and support new web capabilities such as the Service Workers as a new background process.
Chrome Web Store contains more than 180,000 extensions and Google believes that these new changes would make browsing the Web more secure for millions of users.