Security improvements and registration updates for the Google Chrome Extensions Gallery
Thursday, August 19, 2010
Since we introduced extensions in Google Chrome, we have focused on making the platform more robust by continuously exposing new APIs to developers. This has helped our extensions gallery blossom: more than 6,000 extensions are listed today, and Chrome users download more than 10 million extensions every month.
We designed security into the extensions system from day 1, but we’re always looking for more ways to protect users. So, today, we are introducing two significant changes in the Google Chrome Extensions Gallery: a developer signup fee and a domain verification system.
The developer signup fee is a one-time payment of $5. It is intended to create better safeguards against fraudulent extensions in the gallery and limit the activity of malicious developer accounts. Starting today, this fee will be required to publish extensions, themes and soon apps in the gallery. We are waiving the fee for developers who already registered with the gallery (specifically before 11am PST today), so that they can continue to update their extensions and publish new items without paying the fee.
Domain verification is another addition that we believe will protect users and developers alike. Developers will be able to associate their extensions (and soon their apps) with domains they own or manage using Google’s Webmaster Tools. This way, they can clearly associate their extension with their brand and website, which in turn will help users identify “official” extensions in the gallery.
We believe that these are important improvements to the security of the gallery. We understand that changes like these can create a lot of questions, so please reach out to us on our developer discussion group for extensions.

36 comments:
Kenny said...
thank you much google
August 19, 2010 1:14 PM
ssokolow said...
I have mixed feelings on this. On the one hand, I see the benefit to a token fee to prevent willy-nilly account creation... but I'm a poor student and $5 is my "Here's a little extra because I really respect/like you" amount.
I guess I've got a second reason to stick to Greasemonkey scripts now. (The first being portability between browsers if coded properly)
August 19, 2010 10:48 PM
Tamik said...
suggestion:
if ( number of downloads of one of the user's extension is > than X ) { refund user entry fee }
+ pay user for every Y downloads of his-her extension
August 20, 2010 2:39 AM
aaafwd said...
For those who would not like to pay 5$, there is an extension that allows you to "write" your own extensions, so to say, ala Greasemonkey, but more powerful - Personalized Web (https://chrome.google.com/extensions/detail/plcnnpdmhobdfbponjpedobekiogmbco). This extension will provide you full power of the content scripts API.
August 20, 2010 2:09 PM
Lanel said...
Extensions and Web Apps that are published should also have the Original date that they were (not just when they were last updated).
August 20, 2010 8:01 PM
ssokolow said...
Having thought about this more, I'm honestly not even sure a token fee to prevent willy-nilly account creation is such a good idea.
If it's possible to install packed extensions without the site, it's possible that it could backfire, leading people to set up their own extensions site in protest. If not, it could lead to more people making the decision I did and sticking to Firefox and Greasemonkey extensions.
I know various coders who are either too young to have a credit card, citizens of countries that are difficult to make online payments from, or simply find it insulting to have to pay for access to a platform, even if just a token fee.
Oh, and aaafwd, relying on your extension would feel like a hack, I prefer writing my extensions in Vim, not a web UI, and I generally don't like relying on one-man operations.
August 20, 2010 9:08 PM
w said...
Google, you're doing very strange and bad thing.
People spend their time to write add-on, test it, publish it. And they will to share it with people for their (people) convenience.
And now you're requesting such people who already put pretty good effort to PAY you?? It's just crazy.
Mozilla has had trojanware in their add-ons but they were in 'experimental' branch, there were no news that in officially published add-on trojan was spotted. Check code submitted to you better. If Mozilla can - Google can also.
Your managers just did very stupid thing.
August 21, 2010 3:37 AM
v3ss said...
nuff said..
mal-ware developers may only constitute 5% of real extension developers, so that just sucks..
well Let developers publish freely too but if they pay their content are marked as Trustable Content.
August 21, 2010 12:52 PM
Mysidia said...
A fee for extension development? You want us to pay for your security efforts, while we increase the value of Chrome with our work, seriously?
This is an outrage. I am dropping my plans to develop Chrome extensions. I will be sticking to Mozilla and Safari. At least they are friendly to extension developers.
August 21, 2010 2:56 PM
fglacius said...
not a bad idea for moneymaking - but it feels like Apple and the iPhone. At least it is one-time.
Chrome is awesome!
August 21, 2010 3:46 PM
Daniel said...
People should understand the purpose of the fee is not to collect $5 but to allow Google to trace back to the source any malware that is submitted, and to discourage multiple submissions of the same program. Of course, the system isn't foolproof - a credit card might be stolen, etc, but it will likely reduce the amount of malware submitted. I don't think Google has said anything about how much malware is weeded out by the content checks they already do, but I expect it is a large fraction of the submissions.
August 21, 2010 4:41 PM
LjL said...
This seems like a really bad idea. Chrome caters to the free software culture, and people writing extensions are mostly developing it in their FREE time and giving them away for FREE.
$5 might not be much, but I for one would not accept to pay for the privilege of GIVING AWAY something.
And I'm led to wonder, if this is a sign showing that Google is starting to consider entry barriers a more effective security measure than, well, actual security measures like capability-based systems, is this going to spread to other domains, such as the Android market?
I most certainly hope not.
August 21, 2010 4:44 PM
Zac said...
I support the payment.
Those people who cannot afford to pay the token fee of $5 or even borrow $5 should not be writing extensions. Some comments here whining about the $5 are laughable and frankly I'm surprised that those have the capacity to even write an extension.
August 21, 2010 5:04 PM
RainCT said...
And I was so close to deciding me for Chromium as my new favourite browser... :(
August 21, 2010 5:50 PM
jake said...
Just wow... how could you do such a thing? FOSSers have been getting very close with Chrome/Chromium. Way to disappoint us by beginning to monetize things.
Security and "token fee" aside, charging developers to write for your platform isn't good for business. Apple gets away with it due to their shiny elitist image.
Nobody likes Google because they charge for things or because you are the largest advertising and data mining company on the net. We [the techies] like you because you support open source and everybody else likes you because you create nice products at no cost.
August 21, 2010 6:21 PM
MK said...
Not too thrilled about this. Was waiting for Chrome 6 to finalize so I could submit something that uses the context-menu API. I only lucked out of the fee by having fiddled with the submission process once.
(At least, I think I lucked out... won't know until I actually try submitting something all the way.)
August 21, 2010 7:00 PM
Pieter said...
indeed, not paying to be "allowed" to add free value to a platform. byebye chrome.
August 21, 2010 7:14 PM
EBK, Ruler of the Earth said...
This is a slap in the face. My condolences to all Chrome, Chromium and Chromium derivatives users for the possibilities this will cost them.
August 22, 2010 2:35 AM
M Henri Day said...
While the sum is admittedly nominal - at least for most of us - the 5USD developer's fee is definitely not a good idea and sends the wrong signal to the developer community. I hope that Mr Hochmuth - and his superiors at Google - will take into consideration that «Hochmut kommt vor dem Fall» and reconsider this unfortunate decision....
Henri
August 22, 2010 4:49 AM
requests for.the.web said...
I think $5 is a fair amount. Of course, $1 would be even better, but $5 is still ok.
Obviously it would be the best to be able to just link the developer account to the Google Checkout information which basically is already verifying the identity of the developer.
As I'm already publishing extensions I'd like to know how I could pay anyway in order to get a verified developer tag in order to make the users feel more comfortable.
August 22, 2010 4:55 AM
Nathan said...
I'd rethink this. Firefox is doing pretty well without Mozilla charging anyone anything, I'd say.
Besides, this is free software, it doesn't come with a warranty, does it? These are the risks we're supposedly taking with free software. Emphasis on the supposedly.
Wouldn't it make more sense to force plugins to be open source, so other users can view the code to check for naughtiness?
August 22, 2010 4:59 AM
Mohammed Berdai said...
I don't like this decision at all for many reasons.
How a 5$ fee would create better safeguards against fraudulent extensions is beyond me, like bad guys have no other means to pay!?
Ideally, you could have added a way to identify trusted accounts if their owners chose to do so.
Although I'm not affected by this decision since I'm already registered and developed a Chrome & FF extension for a web service, I most probably will neither consider any future chrome ext development nor recommend it, and I'll be happy to stick to FF though I found chrome very clean and attractive :S
If you stick to this decision you will certainly lose a lot of dev interest.
August 22, 2010 9:32 AM
superpollo said...
Time to return to Firefox...
Thanks for the fish.
August 22, 2010 1:17 PM
someone far away said...
I guess I am going back to Opera and Firefox. See ya
August 22, 2010 4:59 PM
MK said...
As others have noted, it's not (just) the dollar amount that's at issue. For instance,
PC Mag writes:
"Aspiring developers have to send their $5 to Google using the company's Google Checkout service ... not only does one have to input details like one's name and address in order to complete the transaction, but additional information can also be gleaned from the credit card one uses to pay for the fee itself."
Yeah, how about no.
August 22, 2010 5:15 PM
Tamura Jones said...
... but your webmaster tools don't work with my XHTML site!
Perhaps you should upgrade your tools before making them mandatory...
August 23, 2010 1:48 AM
Oliver said...
I really thought, I could make some apps for chrome when the store opens, but I will not get and pay for a credit card AND for my work to make the chrome browser better.
As long as checkout does not provide alternative ways to send and receive money in Germany I'm not interested.
And if I can earn 1000s of dollars by cheating users, it will not be a problem providing wrong payment data. The whole system is stupid.
August 23, 2010 6:36 AM
8s5 said...
first you remove the "http://" in front of URLs, now this. Stop your bullshit.
I'm back to firefox.
August 23, 2010 7:03 AM
dummymael said...
this may not be good for the consumer too... from what i see, if developers start paying $5, chances are this will be passed on to the users. i just don't see extensions going this way... microsoft never let you pay for making apps for windows (and even apple for osx, but im not sure about that though.)
August 23, 2010 7:55 PM
Matt said...
I don't see the problem. If you intend to publish your theme or plugin through Google, pay the fee. If you want to publish it independently or through a third party, do so. Nobody is forced to use Google's publishing gateway. Many of the people whining here aren't developers at all, anyways.
Also, calling it a slap in the face of FOSS is just more whining. So you can't get free software for a free price, keep crying.
August 23, 2010 8:23 PM
Jacob Chapel said...
I understand somewhat people not liking this, but really it is a good thing. It will curb any nefarious activities and give Google a way to go after those that do illegal things.
You also have to remember that the extension gallery and app store are voluntary things. You don't have to use them, and users can install extensions and apps without the gallery or store, just like with android.
Go back to Firefox, there are many other developers that are willing to take the step and make stuff for Chrome which has an expanding userbase every day.
August 24, 2010 1:43 AM
Björn L said...
I can very well afford $5 but so can all the scammers, probably without blinking. The thing is that if I don't pay $5 my extension won't get that green verified-symbol which maybe will get some users to think my extension ain't trustworthy. That's kind of the opposite effect you're trying to achieve, right?
August 24, 2010 1:55 AM
ssj4Gogeta said...
An idea:
To stop people from thinking this is a monetizing effort on Google's part, donate all the money you get from the developers to a charity.
August 24, 2010 5:19 PM
remibemol said...
I think it's completely stupid to ask people to pay to offer their free work. You will just get far fewer extensions and people will use another hosting for their free extensions.
You should change that quickly.
you just shoot a bullet in your foot.
August 27, 2010 1:33 AM
Svetoslav Marinov said...
I, too, don't think $5 would stop SPAMMERS. It would definitely reduce the motivation of young coders to experiment with the system.
If you compare it with Apple Developer Program ($99/year) it's nothing.
my 2cents
September 13, 2010 2:50 PM
Loganathan said...
This is a bad move by google, which asks aspiring developers to pay for the inability of google to implement the security check on extensions by itself and also making money for that. This will be a set back for google, and a boost for its counterparts such as Firefox.
November 18, 2010 9:38 PM