Comodo Dragon 43 - Hidden Extensions will not disable or uninstall

Using the command line switch for CD 42 … --show-component-extension-options

And then going to chrome://extensions/

There are a few ordinarily hidden extensions that I would like to not only disable, but completely bin

Unfortunately they cannot be changed apart from disallowing them in Incognito

Q1. Why do we need “Google Now” permanently installed ? ( I thought Comodo was supposed to be getting rid of all google ■■■■ we don't need, maybe this would be desirable for some to keep, but we should be able to disable it at least ) - Removed as of Dragon v43

Q2. Easy Flash Download - Does that apply to PPAPI or NPAPI ( if the latter does anyone need it going forward ? ) - And for those of us who will never use flash … Why can't we disable it

Q3. CryptoTokenExtension - I hope this is not something like PrivDog messing with our encrypted communications again - The details state that it can :

A. Read and change all data on websites you visit
B. Access any Gnubby from yubico.com on USB
C. Communicate with cooperating websites
D. Access your universal 2nd factor devices

I don't have a need for any of that, and I certainly do not like the sound of A, C and D … So again would like to be able to bin this hidden plugin completely.

Along with all the rest of the extensions giving this browser more potential footprint to be exploited ( see screenshot 2 ) … I would like to be able to get rid of extensions I do not require, which probably do nothing to improve Privacy and Security of the browser, but could actually make it worse by giving malware programmers more handles to get a grip on.

Edit : Updated the title. Struck through Q1, resolved.


Hi w33d3r,
Q1) I guess it is seen as low risk and actually beneficial for some users, I imagine it is only active if signed into specific applications.

Q2) The Flash download helper guides users to the correct version PPAPI.
With the recent changes a large number of users of Chromium based browsers are still trying to use NPAPI Flash.
Without the helper, I would expect the Forum to be inundated with Flash related issues being posted.

Q3) Once again I expect it to be used on specific sites or applications, but I will let someone else elaborate on this.

Remembering privacy and security are important, but so is usability.

Kind regards.

and so is choice

My questions are asking why we cannot disable and remove them, and now that they have been found will Comodo be doing anything about them so that we can disable and / or remove them in future.

I could have guessed a similar bunch of nice sounding excuses for having such hidden locked plugins myself.

Hi w33d3r,
I agree choice is good.
I also say that every behind the scenes feature be it for security, usability, functionality etc could be regarded as hidden, but not sinister.

I will have asked Staff to take a look for you.

Kind regards.

:slight_smile: Thank you

I don't believe there is any sinister intent either, but we could also talk placatingly about features in google chrome not being sinister so why do we need Dragon in the first place

Being advertised as a privacy respecting browser, one of its selling points being that it removes the branding “features” which Google's own flavour of Chrome has pretty well hidden too

… Maybe features that were included with the best of intentions from a programmers POV in Dragon …

… And not from a Privacy and Security point of view, which is the whole reason we prefer Dragon.

To me more plugins = less secure

Hidden plugins we can't do anything about that you cannot imagine contribute in any way to the goal of better Privacy and Security are suspicious at best to the crowd Dragon attracts.

( This version of CD also introduced a new EULA, red flag for the privacy crowd, that's why I went looking at what it installs under the hood )

Edit : And I realise I am a PITA sometimes. I really do very much appreciate this browser and the work being done to keep it going. But I believe someone has to point out from a users POV the potential failings which may not be easily recognised as such by the people working on the project.

IMHO so much of this could quite easily be copy pasta from Chromodo ;D

Hi w33d3r,

as the command line that you used indicates, these are the component extensions that users cannot disable. They’re not regular extensions, they need to be considered as part of the browser.

A1. We tried to remove Google Now component extension from build chain, however that leads us to other problems. So we’re still working on removing it from build chain.

A2. Easy Flash Download extension is just a helper extension that we use to guide users while downloading PPAPI flash player extension from adobe sites. e.g. https://get.adobe.com/flashplayer/otherversions/.

A3. CryptoTokenExtension is required for google apps to be used.

As I said before, these component extensions should be considered as part of the browser. Simply, you cannot remove them and they do not lead to any vulnerability.

Actually, this is the way we prefer to develop features that can be utilized within the JS context, because it’s much safer.

Regards.

Thanks for the answers Ozan

A1 - Understood, I hope you keep trying

A2 - Seems to be going against a promise Shane made a while ago, you are now providing a helper to install the ■■■■■■ thing, whereas previously removing the “Adobe Flash is required …” nag banner was promised https://forums.comodo.com/news-announcements-feedback-cd/comodo-chromium-secure-361-is-now-available-for-download-t107127.0.html;msg779373#msg779373

Which way are we going here … Helping people who do not want the world's most prolific spyware installed … Or helping to install the same. Sounds like the latter to me.

A3 - I personally never want to install any Google Apps = It's useless extras I don't need on My Machine

Yes I agreed to the EULA, but I thought I was just installing Comodo Dragon, not all the extra stuff the installer does not warn you about, nor the extra stuff which not only does the installer not warn you about but is additionally HIDDEN without a special switch being employed to reveal them.

Well if you guys think your plugins and extensions do not lead to any vulnerability, I presume you have some kind of fuzz testing software which has proven that, to make you so assured of what you say ?

Hi again,

Please note that all component extensions are part of the browser, they are considered as the features of the browsers. They are all integrated into browser at compile time. They’re nothing like regular extensions. No one can overwrite/override them unless they’re compiling the browser from scratch. So, we do not install any extra piece of software into clients’ computers.

  1. This is why we cannot simply remove Google Now component extension from default build chain. It’s highly coupled with Google Geoservice. Since we disabled Google Geoservice, it is nothing but an unused/not working component that remains in our browsers. We’ll remove it in the next releases, but it has to be done delicately.

  2. I’m not aware of what Shane promised to you, but I just added a development task to avoid displaying flash player infobar once and for all if user does not want to see it. I’ll remind it to our Program Managers as well.

  3. I bet there are other features of our browser that you’ve never used, but it does not imply that you can remove it. What we can do is to make them configurable so that user can enable or disable it. In this case, it’s your decision not to install Google Apps. As long as you do not install any Google Apps or you do not navigate to Google App URL, this extension will never be invoked.

Well if you guys think your plugins and extensions do not lead to any vulnerability, I presume you have some kind of fuzz testing software which has proven that, to make you so assured of what you say ?

Of course we do our best to avoid them, and we have penetration tests made by independent colleagues in Comodo, apart from our own Development and QA Team. Maybe I had to say “known vulnerability” in my earlier response. It’s always possible that there might be unrevealed/unknown vulnerabilities in any software/system. Because, “to assure or prove that a software/system does not lead to any vulnerability” is an undecidable problem.

Currently, we have 861 general test cases that can be applied to both Dragon & Chromodo. Besides we have 666 Chromodo specific test cases and 221 Dragon specific test cases.

Thanks for the info, Ozan Bora Fikir.

And as w33d3r already mentioned, extra things, especially as “Easy Flash Download” which tamper with the sites overlay/content definitely should be optional.

While newcomers may enjoy a guidance in the NPAPI/PPAPI switch context, making it an external extension with an option to disable it is clearly a more competent way of doing it.

This is exactly what it is all about - transparency and an option to opt-out. That is the main reason users like us are out for chrome-alternatives in the first place…
So, please keep it as a rule of thumb for every extra component there is (be it the flash guidelines, or the google bundle, or something we actively wanted). User being able to control the SW - that is what it is all about.

Thank you Smartodo
It's nice to see someone who understands exactly what I am talking about

Your post made a welcome change from the usual being buffered by the moderators, or programmers thinking like robots and not understanding the human beings who come here for a Privacy respecting browser

… as it is advertised : Best Internet Browser 2022 | Free Secure Web Browser

“How to avoid online privacy leakage?
Comodo Dragon provides privacy enhancements at lightning speed”

Overview
“Comodo Dragon is your must-have online privacy keeper”

“Web Browser that offers you all of Chrome’s features PLUS the unparalleled level of security and privacy you only get from Comodo.”

Features
"What makes Comodo Dragon the Browser for the new decade?

The Comodo companies are innovative and prolific developers of online security and trust assurance solutions. The Comodo Dragon Internet Browser has taken the latest Chromium technology and beefed it up in the one way necessary to make it the optimum Browser to use on today’s malware plagued Internet. – Superior Security and Privacy. Comodo Dragon not only gives you the complete compliment of features offered by Chromium (key features listed above), it also gives you Comodo’s unsurpassed security and privacy features.

Comodo Dragon Web Browser Security:

Has privacy enhancements that surpass those in Chromium’s technology
Has Domain Validation technology that identifies and segregates superior SSL certificates from inferior ones
Stops cookies and other Web spies
Prevents all Browser download tracking to ensure your privacy"

And a few similar claims in the FAQ

When we first started using this browser, typically people who used to use SRWare Iron came here, because we found out under the hood even though SRWare was removing a lot of things Google were doing ( all the following points SRWare Iron - The Browser of the Future ) …
… Iron was found to actually be exploiting users for advertisement purposes

It's that sort of under the hood deceit that users who wanted a different chrome were trying to get away from

That's why when PrivDog had a problem undermining our ssl connections alarm bells rang as a major compromise of our privacy. Yes I know it was the other one not the one installed by Dragon, and yes it was fixed afterwards - Unfortunately the damage to reputation was done.

If your installer does not tell people what you are installing on their machines, the people who want a Privacy respecting browser are going to be suspicious of what your intentions are. And especially when they are further hidden without any option ( during install or after install ) to disable them.

That is my whole point. Your software behaviour is going to turn away the people it seemingly wants to attract, because it is not being open and transparent with them, then users will suspect the worst.

Hi w33d3r,
This topic is getting a little silly now IMHO, nothing personal. :slight_smile:

I the ‘buffering Moderator’ (In this topic at least, who also happens to be a general user and human) answered your questions to the best of my knowledge and requested for Staff input which was answered adequately.

If your installer does not tell people what you are installing on their machines, the people who want a Privacy respecting browser are going to be suspicious of what your intentions are. And especially when they are further hidden without any option ( during install or after install ) to disable them.
On the subject of hidden features of a Web browser, where do we draw the line of what is shown during installation? Under the hood away from prying eyes this browser consists of many components/features and just like any other browser they are not all listed during installation, a selected few examples of many listed below.

1) Layout/rendering engine.
2) JavaScript engine.
3) Information resource location and retrieval components.
4) Local storage components.
5) Add-on capability to enhance functionality, with some plugins/extensions included/integrated to enhance usability or/and security/privacy. [b]Integrated add-ons are regarded as browser features (No different than examples 1,2,3,4 and 6) and they are not like regular extensions[/b] as already pointed out by Ozan.
6) Network component, which is probably the most vulnerable component due to its capabilities of communicating and transferring data across the World Wide Web via the internet yet it is probably the least talked about.

This list could go on and on without adding any actual technical aspects of what occurs under the hood, are they really hidden or just out of plain view from the general user?

Seriously as I said, hidden features or components are not always bad and not really any different than Windows default hidden files/folders, processes, components, devices etc.
To remove non-configurable items from the default view, removes unnecessary clutter for the general user.

Kind regards.

I did not mean, nor name yourself, that was regarding this forum in general

On the subject of hidden features of a Web browser, where do we draw the line of what is shown during installation?

There is no line to be drawn
And there is nothing silly about this imho - It's a serious matter.
If Comodo adds it, they should be open and transparent about what they are adding

Simple as that. See the first post screenshots.

We do not get informed by the installer of any of those components, and when we go looking for what has been installed ON OUR MACHINES without our say so, we find there are further hidden elements which can only be viewed by the user if a special command line switch is used to launch Dragon

It's similar to the tyranny of the defaults software behaviour we would expect from the likes of google / adobe / facebook etc …

But Comodo ?

I did not write the way this browser has been presented to us the public.

My bold - This would be very much appreciated. Thank you :smiley:

One more thing to add to this topic which has come to everyone's attention after this topic was created …

If / When you do get around to giving users the Options to disable such things as plugins / extensions / hidden extensions, please include OK Google ( and any background support service for the same ) as this has been pointed out to affect the current Dragon beta, which presumably will become the next Dragon stable …

Reference the following topic : https://forums.comodo.com/help-cd/google-chrome-listening-in-to-your-room-t111621.0.html

Updated the title to read Comodo Dragon 43

( was 42 )

Also noted Google Now is no longer a part of the installation with Dragon v43
That's one very nice step forwards. Thank you.

Hello,
I have a question,
Dragon is coded from Chromium, yes or no ?
If yes, then there’s no reason, not even just one, to have anything from google integrated into Dragon.
Chromium is open source and there’s not a single piece of code from google.
So how come Dragon includes something from google ? is Dragon open source ? nope. is Chromodo ? nope.
IceDragon ? I don’t know, but I bet not. Firefox is open source. Firefox is the only browser we can trust actually.
The chromium based browsers are not customizable in parts that are a serious problem for security.
Today people will say, oh there’s no real danger but that’s not acceptable because Comodo has a reputation to keep, this group took the first place in almost 7 years with a firewall software that has no contender.
So, I fully agree with w33d3r when he asks about the Dragon piece of code added we can’t disable, so it’s a potential security issue and what about privacy ?
a good browser is an open source browser fully customizable.

greetings,
ailef.