Simultaneously impressed at the depth & long-term view of security architecture by the Chrome team, and sobered by the pain necessary to defang Spectre. Highly recommended read. https://twitter.com/fugueish/status/1001605230583136256 …
The latter isn't chance. Yes, it's irresponsible to leave users to fend for themselves in a faux-curated extension repository. But users can defend themselves by not installing crap. Users can't defend against drive-by Spectre.
-
Malware authors are surprisingly adept at creating "install this extension to continue" pages that abuse alert() and trigger the Chrome extension install dialog to hold you there until you accept it.
-
Click on a sad page URL and you either have a computer science degree, or you're getting malware. (I am still mystified no browser vendors are doing anything meaningful about how alert() behaves.)
-
The only safe way to use Chrome is with extensions disabled, and Google hasn't provided an easy one-click option to do that which regular users can find. You have to either use something like group policy or modify the target of all your Chrome shortcuts.