Thursday, 12 June 2014

Google - Officially evil since 12.02.2014

6) Do the right thing; don't be evil.
  • Honesty and integrity in all we do
  • Our business practices are beyond reproach
  • We make money by doing good things
- Google Code of Conduct, Core Values

Google has moved away from this core value. Why? Well, let's look at what they did to Chrome and its extensions.

The problem that is a problem

In October 2013 they announced that they were seeing a large number of systems compromised so badly that Chrome's settings could be manipulated. [link] Let's review this statement in detail:
Online criminals have been increasing their use of malicious software that can silently hijack your browser settings. This has become a top issue in the Chrome help forums; we're listening and are here to help.

Bad guys trick you into installing and running this kind of software by bundling it with something you might want, like a free screensaver, a video plugin or—ironically—a supposed security update. These malicious programs disguise themselves so you won’t know they’re there and they may change your homepage or inject ads into the sites you browse. Worse, they block your ability to change your settings back and make themselves hard to uninstall, keeping you trapped in an undesired state.
The author is very carefully avoiding telling you specifically what kind of "software" he is referring to. The examples given are, however, quite telling: "a free screensaver, a video plugin [...] a supposed security update". All of these have one thing in common: they have nothing to do with extensions, because they are all run-of-the-mill Windows software.
This means the scope of the attacker, the most important factor in any security consideration, is very broad. A normal Windows program can change so many things stored on disk that it is very hard to protect against. The threat described in this post is a very real one.

While it is quite real, it is also quite easy to counter. Files stored on the filesystem can be compromised, but other things, like memory, can't (OK, technically it can, but there's a much, much higher level of protection to overcome there...), so a key to protecting the user lies in the proper use of those uncompromised places. You need a secret.
There are many potential methods; I will provide two of them.

The solution that is a solution

  1. Checksums -
    It's not hard to tell whether a file has been manipulated. Even a simple MD5 checksum will suffice (yes, MD5 is "broken", but luckily it's not broken in a way that endangers its use here). The checksum of course has to be stored away from where a local attacker could change it. The latter is a task that one of the largest cloud storage providers worldwide should feel comfortable handling.
  2. Cryptographic signatures -
    Create a password-protected private key, sign the settings with it, and store the signed settings in a file. Any attacker without the password or access to Chrome's memory has no way to generate a correct signature for his manipulations.

    Quite ironically, Google itself is currently working on a pure JavaScript solution for this problem. [link] Even implementing this in extension space would be safe, since no attacker with "only" access to the filesystem can even dream of accessing the protected extension memory inside the protected Chrome memory...
So we now have a path to significantly improving the security of all Chrome users. Keep in mind that a browser's settings contain highly critical avenues of attack. The proxy settings are perhaps the most prominent example. If an attacker changes the proxy, he gains access to everything, from cookies to plaintext passwords. So if Google really is seeing a large number of those manipulations, the house is almost literally aflame. Doing the right thing was never easier. At least you would think so.
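The signature idea from item 2, as an added example (not code from Google or from this post): it swaps the private-key signature for an HMAC whose key is derived from a password with PBKDF2, so the secret exists only in memory, and it shows a changed proxy entry failing verification. The setting names, passwords and proxy address are constructed for illustration.

```python
import hashlib
import hmac
import json
import os

PBKDF2_ROUNDS = 200_000  # assumed work factor for this sketch
# Constructed sample; key names are illustrative, not Chrome's real preference names
SAMPLE = {"homepage": "https://example.org/", "proxy": {"mode": "direct"}}


def derive_key(password, salt):
    """Stretch the password into a MAC key that exists only in memory."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def canonical(settings):
    """Serialize deterministically so equal settings give equal bytes."""
    return json.dumps(settings, sort_keys=True, separators=(",", ":")).encode()


def seal(settings, password):
    """Build the on-disk record: settings plus salt and authentication tag."""
    salt = os.urandom(16)
    tag = hmac.new(derive_key(password, salt), canonical(settings), hashlib.sha256)
    return {"settings": settings, "salt": salt.hex(), "tag": tag.hexdigest()}


def verify(record, password):
    """True only if the settings still match the tag made with the password."""
    try:
        salt = bytes.fromhex(record["salt"])
        stored = bytes.fromhex(record["tag"])
        body = canonical(record["settings"])
    except (KeyError, TypeError, ValueError):
        return False  # missing or malformed fields count as tampering
    expected = hmac.new(derive_key(password, salt), body, hashlib.sha256).digest()
    return hmac.compare_digest(stored, expected)


def demo():
    """Seal the sample, then check an untouched, an edited and a re-sealed copy."""
    record = seal(SAMPLE, "correct horse")
    edited = json.loads(json.dumps(record))  # deep copy, as read back from disk
    edited["settings"]["proxy"] = {"mode": "fixed", "server": "203.0.113.7:8080"}
    resealed = seal(edited["settings"], "guess")  # tag made without the real password
    return {"untouched": verify(record, "correct horse"),
            "proxy_changed": verify(edited, "correct horse"),
            "resealed_wrong_password": verify(resealed, "correct horse")}
```

Calling `demo()` returns True for the untouched record and False for both the edited and the re-sealed one.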

The problem that isn't the problem

One month later, Google went public with what would become the source of the current outrage. In another blog post they presented what they claim is the solution to the security issues presented before. [link]
Extensions are a great way to enhance the browsing experience; whether users want to quickly post to social networks or to stay up to date with their favorite sports teams. Many services bundle useful companion extensions, which causes Chrome to ask whether you want to install them (or not). However, bad actors have abused this mechanism, bypassing the prompt to silently install malicious extensions that override browser settings and alter the user experience in undesired ways, such as replacing the New Tab Page without approval. In fact, this is a leading cause of complaints from our Windows users.
This post starts with a total non sequitur. Discussing extensions in this context is as misleading as it gets. The problem (as I showed before) is not in the extension system; it is in the operating system and in the way Google Chrome stores unsecured settings where third parties can access and manipulate them. Blaming any part of this on extensions is almost literally blaming the smoke for all your problems in the aforementioned house that is aflame.

Just to stress this point: the "malicious extension" is not the problem; it is merely the symptom of a system that was infected by malicious software. The "leading cause of complaints" is basically that users with infected systems notice the infection because they can't remove certain extensions.

The solution that isn't a solution

If they had stopped at this spectacularly bad piece of security analysis, no one would have to face any repercussions over this. Sadly, the blog post went on like this:
Since these malicious extensions are not hosted on the Chrome Web Store, it’s difficult to limit the damage they can cause to our users. As part of our continuing security efforts, we’re announcing a stronger measure to protect Windows users: starting in January on the Windows stable and beta channels, we’ll require all extensions to be hosted in the Chrome Web Store. We’ll continue to support local extension installs during development as well as installs via Enterprise policy, and Chrome Apps will also continue to be supported normally.
This is the worst part of this whole clusterfuck, boiled down to a paragraph. It is plain bullshit from start to end. Those "malicious extensions" are not the problem, and their not being in the Web Store is not a problem either. The problem is an attacker with filesystem access. Forcing all extensions to be hosted in the Web Store will not mitigate the cause of the problem, quite the opposite. Disabling such extensions does not mean the system won't be infected anymore; it means the user won't notice the infection anymore. I might be a bit old-fashioned, but last time I checked it was generally considered better to have your users aware of security issues on their systems.

Don't do evil?

Not only does the action Google took fail completely at the task it was officially supposed to accomplish; under closer scrutiny it shows its true Damoclean nature. Two ways of installing extensions are to be left unimpeded: local development install and enterprise policy.

Local development install

This is an absolutely necessary feature. Take it away and developing new extensions becomes an almost impossible task. The location of those extensions, as well as the development state flag, is saved in the browser settings: the same browser settings whose very compromise opens up the issue in the first place. The very idea of leaving this one open is such an unequivocal sign of incompetence that it hurts physically.

Enterprise Policy

This feature is not absolutely necessary. Take it away and deploying extensions over company networks becomes a hassle. Enforce the same security restriction on extensions installed that way and you'll not only seriously impede professional use of Chrome the way this change just did, you will basically make it impossible. There have already been reports of smaller companies moving away from Chrome over this issue, and rightfully so. Also keep in mind: software being installed on Windows normally requests administrative privileges. With those it can set the necessary entries in the registry to make Chrome install any extension without being subject to the criticized third-party ban.

Honesty and integrity

Either a whole bunch of people fucked up at Google in the most spectacular way ever, or there's a whole lot of stuff going on beneath the surface. Honesty is certainly not a driving force in this issue anymore. Integrity is also about as gone as it can be. An honest mistake is one thing; sticking to such an obviously bogus policy after being called on it repeatedly is not a sign of a party with its integrity intact. Apple, Microsoft and co now have a true competitor in all fields, big corporate bullshit included. They have, however, one advantage in my personal opinion: at least neither Apple nor Microsoft claims not to do this kind of stuff. Yes, they may occasionally (or all of the time) milk you for all you're worth, but they will openly say that they're doing so.

Practice beyond reproach

There's not a lot about this move that is not a very valid target for criticism. In fact, there's not a single point in this whole piece of garbage that shouldn't be inspected very carefully and criticized in the strongest possible tones. Disabling third-party extensions with a claim of improved security, while leaving gaping holes open for attackers and completely missing the critical point of attack, is probably the most stupid thing ever to leave a Google office.

Making money

There's an additional scoop of ice cream for those of you who have read this far. If you take the path Google just forced you onto, it won't be damaging to Google. There's a new app on their store and a new bunch of people installing it from there, thus being targeted by advertising in said store, and last but not least, registering as a developer will set you back $5. That last one isn't much, but on the other hand it's money Google would not make without this dick move.

Conclusions

Google is being dishonest with its customers, it is actively endangering them by attenuating the symptoms of an infected system without actually going for the root cause, and last but not least, Google is making a profit from this. I have long defended Google for a few policies criticized by others as going too far, and I believe I was right in doing so. However, from this day on Google has officially (but still temporarily) lost its trusted company status in my book.

Effective February the 12th 2014 Google is a candidate for an evil corporation.

My personal consequences: I will watch this development for a few weeks. If nothing changes in the high-handed and dishonest ways of Google, there is no other choice but to move all my business away from Chrome to Firefox, ban Chrome wherever I have the ability to do so, and last but not least, phase out all other Google products. I strongly urge everyone else to do the same.
