
This should be something built-in for every browser, and updates should be automatically disabled as soon as the owner changes.


The ideal solution would be similar to when an extension asks for new permissions: disable it with a pop-up that informs you of the change and allows you to re-enable it.


I believe this is how Firefox behaves.


I'm pretty sure this is also how Chrome behaves. I think I've seen this happen a couple times.


Recently my favorite open source mouse gestures extension SmartUp Gestures was taken over by some shady entity (with GitHub no longer being updated, of course).

I opened a Chrome ticket that they should ask to re-enable the extension when ownership changes. They just closed the ticket replying with this link:

https://chromium.googlesource.com/chromium/src/+/main/extens...

:(


Extension updates shouldn't be automatic to begin with imo.


Unfortunately, it's been established for a long time now that users cannot be trusted to perform updates by themselves, no matter how naggy you get about it, even for the most critical of security fixes.

Automatic updates, again unfortunately, are critical to safety.


Problem is every single update claims to be security fixes, like for Android. Now I realise almost any bugfix can be construed as a security fix, but I've never seen an Android update that doesn't claim to include security updates, and I've never seen one that goes into any kind of detail(in the pop up prompt that is) on what any of the updates entail.

Probably some of those were critical, and some of them were completely unlikely to affect real world security. As a user, how do I know when to take it seriously and when not to? All I'm told by the UI is that every single update they push "improves security and performance".


This is the ToS problem. Tell me, of the many services you use and products you own, how many ToS have you read? 3%? 10%? Probably less than 2%. Changelogs and release notes have the same problem. They take time to create, edit and review, and no one who matters reads them. Why would they spend their time on it?


I get your point, but changelogs can often be generated semi-automatically from VCS.

And I realise I'm not the typical user, but I actually do read (skim) ToS just to see if there's any Centipad-like stuff. Most of it is just boilerplate and you get pretty quick at finding the substantive parts with some practice. Of course ToS/EULAs are hard to read for most people by design. They don't actually want you to read it. If they did, they'd offer a summarised version without all the legalese boilerplate.

I get the same feeling about changelogs. They probably have one internally if they know what they're doing. It may even be online somewhere if I go looking. I can only surmise that for whatever reason, they don't want me to read it, which doesn't inspire trust.


The trouble is, security fixes (generally) don't get backported to older branches. If older branches are even a thing.

Say you're on Foo 1.4.7, and the jump to Foo 1.5 includes a feature re-org you don't want, and no security fixes. So you hold your version on 1.4.7.

But then a security issue is found, and Foo 1.5.1 is released with a fix. Is the version you have vulnerable? Maybe, depending on where the bug is. Is there a 1.4.8 update to fix it? Maybe not. How would you even get it? Heck, if you've switched off automatic updates, have you even heard about the 1.5.1 release? Are you checking on the release announcements for Foo to find out if there have been any security updates, ever?

OK, maybe you check those things. But do you think J. Random User who saw a post on Reddit that said 1.5 sux0rz and they should stay on 1.4.x is going to? And do you like having botnets? Because that's how you get botnets.


> The trouble is, security fixes (generally) don't get backported to older branches.

Even if the security fixes were backported, it would produce a new version of the older branch, and requires an update in order to actually use it. If the security fix is in an older branch or a newer branch doesn't matter: it still qualifies as an update.


I thought I covered that in the part about needing to check for updates/release announcements yourself if you've turned automatic updates off?


This attitude is a large part of what I find so repulsive about tech today. You are a guest on my machine. No matter how much you think you know better than me (even if you're right!), you don't get to make decisions like that. You can ask nicely, and if you can convince me that something needs to be done, I will decide to do it.


Why, sure. And I'll bet you prefer to do your own vehicle maintenance, too.

But automatic updates aren't for you or me, or any of the other geeks here.

They're for everyone else.


Yep.

That being said, I really like VS Code's approach of having auto-updates enabled by default, but making a switch to turn off the feature available for nerds like us who care.

That's the model to follow in my book.


My device is mine, not everyone else's. It's not your decision to make regardless of whether or not you think it's best for the "greater good".


You're not wrong.

Fortunately, you have choices. You can choose to avoid software and operating systems that feature automatic updates.

You can even write it yourself, if you wish: You're absolutely empowered to be absolutely in control of your things.

There's nothing stopping you.


Practically speaking, we have the choices that one monopoly or another offers us, and only so long as those choices are convenient for them.

I do avoid corporate overreach where it's practical (I have a dumb TV/vehicle/appliances/etc), but there will come a day when it's impossible to participate in society without giving in.


Life is whatever you want it to be.

There's plenty of ways to get through life that don't involve computers or software or television.

You can choose differently than you have.


I'm happy enough with my life. But yours seems like a very ... I don't know, defeatist? point of view.

You make it sound like I can either have the stunted, over-commercialized shovelware that's on offer or I can choose to go live in a hut in the woods. Where's the middle ground where we put a little market pressure on our corporate overlords so they make better widgets?


You can choose to do anything at all. It's your life.

You want software that doesn't update itself on your computer? Nobody is going to stop you. Simply make it so.

(And if you're happy with your life, then what are you here bellyaching about?)


I don't see what this has to do with the discussion at hand at all.


It has also been established that vendors cannot be trusted to refrain from bundling unwanted feature changes (and sometimes straight-up malware) with their security updates, so it's no wonder that users might be reluctant to install such updates.


Yes, this is the reason I do not enable automatic updates (in general, not just browser addons), and that software updates are so frustrating.

If there was a way to specify I only want security updates and bug fixes and I do not want new features, UI redesigns, and so on, I would always update and maybe even turn on automatic updates. Software companies have no excuse: we have sophisticated version control software that allows you to manage multiple branches easily. Every piece of software should have a maintenance branch and a "new shit" branch, and should allow both kinds of updates.


> I only want security updates and bug fixes

Just FYI, for iOS updates, you can in fact opt into these release channels separately.

Go to Settings > General > Software Update > Automatic Updates. You will see two separate toggles, one for "iOS Updates" and another for "Security Responses & System Files."


Yeah, it's nice. Also, old major iOS versions still get security updates, so a very old iPhone is still practically usable.


Users often don't want to perform updates because the updated version is worse in some way. That it has a security impact is unfortunate, but that's how it is.


I had an extension update itself and partially stop working. There's no way to go back to a previous version unless you happen to back up the old files.


Are outdated Chrome extensions really attack vectors? They're very sandboxed. I'd be way more concerned about the update itself being malicious, especially for simple extensions that shouldn't really need updates.


Pedantically, outdated Chrome extensions make for a poor attack vector in the first place because the majority of users get automatic updates, including being disabled/removed by Google themselves if the dev is gone and a problem is found.


Yeah, I meant if they weren't automatic. Or to make things less theoretical, how often do extension devs currently find and patch security flaws?


Critical to the user safety? Well, that's not a problem.

Critical to the safety of some site/other users? Then the problem is a bit deeper, as my computer/software shouldn't be able to affect someone else.


Find a way to do security patches without restarting the application or interrupting the user's work, and keep feature/enshittification updates separate from security patches, and then people will not mind auto-updates. Hell, you could just apply them and not even ask anymore.


And these automatic updates are often abused to remove or change features, or generally "enshittify" things. Which breaks trust and we are back to square one.


> Unfortunately, it's been established for a long time now that users cannot be trusted to perform updates by themselves, no matter how naggy you get about it, even for the most critical of security fixes.

So let them not update. It's not your device, it's theirs. Mind your own business.


Anyone who has had to administer anything user-facing will tell you that some users will ignore any warning. Updates need to be automatic and mandatory. You can give them a grace period, but you have to force the issue after a while, or users will delay the update prompt every 15 minutes for months.


Anyone who has owned a cloud connected device or software will tell you that companies cannot be trusted with remote access, they will abuse it every single time. And they'll have the useless cargo-cult security industry telling users that it's "best practice" and for our own good while their companies are spamming us or spying on us or removing features or outright hacking us or taking away access to our own data while they sell it to third parties and try to lock us into their ecosystem.


It was not my intention to defend large corporations and their sleazy practices. I just wanted to say that the average user cannot be trusted with an easy option to ignore updates, especially when it comes to security.

Users will do things like ignore updates and then trash you on the internet or spam your support because the software no longer works properly with service xyz. We regularly hear about major hacking incidents where internet-facing software hasn't been patched for years. Things like this will give your company a bad reputation.

I think the best compromise is to have automatic updates by default and a slightly hidden option in the menu to turn them off. If the user goes out of his way to turn it off, then it is his own damn fault, but if you make it too easy (like presenting it with every update prompt) you are courting disaster.


Not every computer is a part of managed corporate inventory. And some suppliers will happily ignore any issues their updates are causing. E.g. forced Windows feature updates can just disable a computer by throwing out essential but unsigned drivers.


This is more of a technical problem. If your update either breaks something or leaves gaping security holes, then there is no good solution. I think I would rather inconvenience a customer by turning off functionality than leave a bad vulnerability unpatched, but delay an update if it is not security related.


Nope, annoying forced update stuff goes in my trash. Already said bye bye to Windows for this reason. If your thing is gonna update itself, it can't disrupt me or make itself worse.


There should always be an option to turn off automatic updates (unless we are talking about a corporate network), but the option should be opt-in and require some initiative on the part of the user. If the option is presented together with a prompt to update, users will simply turn it off without knowing what they are doing.

If it is in an options menu, power users can choose to turn it off, but normal users will probably never find the option.


I agree for most software in general. Mac updates are auto by default iirc, and that's good. Just not Chrome extensions. The risk of attacks by the owner seems much higher than the risk of attacks by websites on outdated extensions.

And the problem with Windows is you can't really turn minor updates off, they require reboots, it nags you a ton about major ones, and the updates basically just make it worse.


I don't think manual updates would solve this security problem. The new owner would just have to delay the activation of the malicious parts of the software. No one is going to check the binary of an extension or try to replicate it if it is open source.

It's strange that Windows updates are still such a big problem, and I'm not talking about the ones caused by Microsoft's greed. Even Linux systems, which for a long time were pretty user-unfriendly, have largely managed to make updates seamless. I have automatic updates turned on on my computer, and the only indication is that once in a blue moon I can't turn the system off for a minute while it's running an update.


It wouldn't solve it, but at least an update couldn't get instantly pushed and run by all users. These extensions are JS rather than compiled binaries, so they're not too hard to inspect (and if the code is intentionally obfuscated rather than just minified, you know something is up).


If you want to limit the initial impact of a malicious extension, a mandatory hold or slow rollout would be more appropriate. There is no need to bother normal users if they would never inspect the code anyway. If some users want to inspect it first, they can go into the options and turn off automatic updates. Fixes for serious vulnerabilities that require immediate rollout are much rarer and often small, and could be reviewed by the extension store team.


I mean, Linux updates are everything but seamless. It highly depends on your exact config and distro; certain hardware configs break every single kernel version, hell, even Nvidia would break their drivers super often not even that long ago. Smaller vendors with closed source drivers were even worse. Software just breaks sometimes no matter the amount of testing that you do. It's better to just accept that and deal with it when it comes up.

And in my experience (mostly server Linux, client Windows/macOS) the worst updates are still macOS; they take forever to install. Linux and Windows seem to at least install quickly, like a full upgrade takes less than 20 minutes on both, while a minor release for macOS will make my MacBook try to lift off like a jet engine for 45 minutes.


Mac updates take the longest for sure. I feel like they used to be shorter too.


So when one software company does it to you it's good, you say, but when a different outfit does it, it goes in the trash. Nice consistency you got there, bud.


Apple doesn't force the updates, Microsoft does. You can turn off automatic Mac updates, and even the automatic ones won't force reboot your machine while you have stuff open. And you aren't greeted with a "please switch to Safari" modal when it boots back up.

What's true about both is the updates require a reboot and take way longer than they should.


I mean, macOS will spring the "Your computer will reboot within 60s" with the countdown on you, if you don't watch out. And the "Reopen" feature only barely works.


But if anything is open that asks if you want to quit, it'll prevent shutdown. Unlike Windows which just kills everything.


But I don't want windows 11.


...says the 1st party, in a world where 1st party malware is a serious problem.


If the software you are using is so bad, or the distributor so untrustworthy, that you would classify it as malware, then I think it is time to switch to an alternative.

For example, it is now quite feasible to use only open source software in everyday life, which usually operates according to better ethical principles and has greater difficulty in enforcing problematic changes.


The concern is that for a lot of software these days, it starts in the "good" bucket (and often open source even), and then once it gets popular, it is bought out and enshittified.


Yes, unfortunately this happens regularly, but with open source software it is at least possible to fork it. We often see forks when there are major disagreements. Not all of them survive, but if the original is bad enough, the chances are pretty good. There are also projects that are developed or supported by a trustworthy foundation/organisation, where you don't have to worry about such bad development.


F/OSS is usually not the kind of software that pushes automatic updates on you in the first place.


I believe Firefox at least alerts you when an extension update has changed the permissions it requests (and you need to accept the new permissions). Of course, there are many cases where malicious code doesn't require new permissions.

I'd also prefer more visibility into updates. Enabling auto-updates might be okay, if there's a way to opt out of it, and if the updates were significantly more visible. I want to see a big modal when one of my extensions has updated, and ideally I'd be able to see the diff of its source code. But even without that, just knowing it updated would be enough for me to unpack the CRX and check for myself (like I did when I installed it originally).

Disclaimer: I run exactly two extensions in my main browser: uBlock Origin, and Little Rat (monitors network requests of other extensions). I have a separate Canary browser for web development where I install other extensions I might need.


I don't advise turning this on because I think automatic updates in most cases are preferred to manual updates for most users. However, in Firefox you can in fact disable automatic updates on a per-addon basis. So you can have the addons that you trust automatically update, but for the addons that you're less sure about or that basically already work, you can just turn off updates for them.

Just go to about:addons, click on the addon you want to change, and then swap "Allow automatic updates" to off. You can also change the default behavior to not automatically update except for individual addons that you override (although again, I don't recommend it for most users).

I don't believe you'll get notified about updates (correct me if I'm wrong), which isn't ideal, so you'll have to periodically go and check for updates yourself.


Why is this downvoted?

I am shocked. People actually think that automatic updates are very good? Because for me, it is trivial that automatic updates are very bad. One of the greatest security risks of extensions is due to automatic updates: they can't be verified, since they change.

Edit: BTW I've submitted a related submission about Guerilla Script, a userscript injecting engine, where userscripts are not even updateable: https://news.ycombinator.com/item?id=39620863 This is the ideal way of safe extensions IMO.


I don't think anyone (at least not me) is claiming that auto-updates are very good. However, I will argue 'till the cows come home that they are better than the alternative in many cases.

Installing software in the first place is placing a lot of trust into whoever made that software from the get-go. There are a myriad of ways a bad vendor can abuse a software installation without having to involve auto-updates. Singling that out as a specific abuse vector that's orders of magnitude worse than giving filesystem access to an opaque binary just doesn't make much sense to me.

If I don't trust a vendor enough to allow auto-updates, then I don't trust them enough to install the software in the first place (dev dependencies notwithstanding for obvious reasons). Combine this with the well known fact that optional updates just don't get installed, and the cost/benefit calculus of the feature becomes not that hard to motivate.

Fwiw, I also think that a switch to disable the feature should always be present for those of us who care.


Well if you complain about downvotes, it'll only bring more downvotes ;)


Realistically, automatic extension updates should be disabled by default.



