I'm going to tell a short story of web security, regarding browser extensions on @googlechrome. It's a story of good guys getting hurt and bad guys getting helped. It's entirely preventable, and yet... it's ongoing. 1/n
Recently Google adopted a human review process for their version updates, which on the surface brings them up to the standards set by @mozilla (except that mozilla also verifies that builds are deterministic). However, there are a couple problems with the new Google process... 2/n
The Chrome process also removed the ability of developers to incrementally roll-out releases, so now we cannot easily do gradual roll-outs, which have been nice ways of identifying issues early, and features that misbehave at scale.
So combining this, we went from a world where Monday we could roll a new release to 1% of users, and roll it up over a couple days until it was at 100%, and start it all again next week, to a place where each release will randomly hit all our users with no notice.
MEANWHILE, Google _keeps on approving phishers_. The quantity of impostor MetaMasks on the Chrome store has been growing, and apparently they all pass the manual security review. FURTHERMORE they are all allowed to buy premium Google ad space at the top of search results.
This is a combination of:
1. An upgrade removing safety
2. Human review failing diligence
3. Ads are phisher-friendly

Every day we learn about new people who are getting phished by @Google ads to google-approved phishing wallets, and no reply.
Btw, of course we've reported this. We've sent trademark notices, help requests, bug reports, but no reply. It seriously sometimes seems like they're only optimized to respond to social media outrage.
For end users, the lesson is pretty clear: For sensitive things, don't trust Google results! Google auctions off their top results, & they are designed to look legitimate. Downloading a wallet off Google is like buying insulin from a stranger on a corner. KNOW YOUR SOURCE!!!
Oh, also I should probably be a bit constructive. As a developer of a popular web extension, what would I most like to keep my users safe?
- Multi-sig rollouts.
- Control over rollout timing & quantity.
- Ability for our TM to auto-block other extensions/ads from using our name.
@DotProto The current extension review process is broken and the normal channels of escalation have been failing us. I’ve seen you escalate things before, trying with a ping now.
Stories like this. So preventable. https://twitter.com/mxYamada/status/1257767658080161803