Google pulls trigger, cripples some Chrome add-ons

Also takes one of the last steps to ban old-format extensions

Google this week took more steps in its scheme to aggressively lock down its Chrome browser by disabling most add-ons that weren't installed from its curated app store and banning plug-ins built to a decades-old standard.

Some users called the moves "lame***" and "the single biggest intrusion into not only my browsing convenience, but my computer usage I've ever seen in my entire life."

In a pair of announcements, Google said it is now enforcing rules it had set earlier that force users to obtain add-ons -- the popular gadgets and enhancements that users pile on their browsers -- from the Chrome Web Store. It also made some of the final moves to bar NPAPI plug-ins from Chrome.

On Tuesday, Google began imposing a rule that requires extensions, also called add-ons, to originate from the Chrome Web Store for the Windows browser. The change does not affect the OS X or Linux versions of Chrome.

The Chrome Web Store is Google's official distribution channel for Chrome and Chrome OS add-ons, apps and themes.

Google, which has been tightening the screws on third-party add-ons for nearly two years, has claimed that unauthorized and occasionally malicious extensions are a leading complaint from users and a prime cause of problems.

"From now on, to protect Windows users from this kind of attack, extensions can be installed only if they're hosted on the Chrome Web Store," Erik Kay, a Google engineering director, said in a May 27 blog. "With this change, extensions that were previously installed may be automatically disabled and cannot be re-enabled or re-installed until they're hosted in the Chrome Web Store."

By forcing add-on developers to publish their work in the Store, Google moved another step closer to a "walled-garden" market, the kind popularized by Apple's mobile app ecosystem. That allows Google to vet the extensions and yank those that turn out to be malicious or do something without user approval, like access other parts of the PC or mine personal information.

In February, Google extended the deadline for the Chrome Web Store-only requirement to at least May 1, saying developers needed more time to move their add-ons to the market.

Businesses can hide their extensions on the store from the public at large -- or continue to use group policies to offer the add-ons to their workforce from their own servers -- and developers will still be able to initiate "in-line" installs from their website, assuming the add-on is also in the Chrome Web Store.

But users continued to gripe about the new policy. On a Chrome support forum, some who saw add-ons vanish went into rage mode.

"Kaspersky is essential, dip*****. Your lame *** nanny disabling of our extensions has left my computer vulnerable to all forms of malicious content now!" howled someone identified as Teo Purcell on the support forum yesterday. "Fix this **** or I'm done with this mess of a browser."

Another Chrome user was less profane, but just as angry after the browser disabled one of his favorite add-ons. "This is the single biggest intrusion into not only my browsing convenience, but my computer usage I've ever seen in my entire life," said "GODzillaGSPB" on Tuesday. "This is not okay. I will seek ways around it and if I don't find one I will uninstall this browser for good."

Also on Tuesday, Google's Chrome Web Store no longer showed NPAPI-based apps and extensions on the home page, search results, and category pages, essentially making them impossible to find.

NPAPI, for Netscape Plug-in Application Programming Interface, harks back to -- not surprisingly -- Netscape, the 1990s browser that Microsoft buried in its antitrust-triggering battle over the still embryonic browser market. The NPAPI architecture has long been criticized for slack security, with years of plug-in hacking -- particularly of Adobe Flash Player, Adobe Reader and Oracle's Java -- proving the critics right.

NPAPI has long been the most popular plug-in standard, and is still supported by Firefox, Opera and Safari. Microsoft's Internet Explorer has always relied on its own proprietary ActiveX architecture for extensions.

Meanwhile, Google has pursued its own plug-in architecture, dubbed PPAPI (Pepper Plugin API), pronounced "pepper," that runs code inside a "sandbox," an anti-exploit technology that prevents, or at least hinders, hackers from pushing their malware onto the machine.

Opera is the only other browser that currently supports PPAPI, not surprisingly since it's now built atop the same browser engine inside Chrome.

Last year, Google announced it would pull NPAPI support from Chrome by the end of 2014. Since then, it's automatically blocked most NPAPI-based plug-ins -- among the exceptions have been Microsoft's Silverlight and Oracle's Java -- and barred new plug-ins from its Chrome Web Store.

Tuesday, it took the step promised last September when it said it would hide NPAPI plug-ins within the Chrome Web Store. This fall, it will yank all NPAPI plug-ins from the market.

With Chrome 37, which should reach the "Stable" channel in late August or early September, Google will take yet another step by showing a more draconian warning to users who try to run an NPAPI plug-in.

"Support for NPAPI will be completely removed from Chrome in a future release, probably by the end of 2014," stated a developers guide on the death of NPAPI in Chrome.

Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer, on Google+ or subscribe to Gregg's RSS feed. His email address is
