Tuesday, 10 June 2014

Chrome to remove NPAPI

What is NPAPI?

It's the API used by browser plugins such as Java, among many others, to interact with a web browser. Unfortunately it has also been the method by which many pieces of malicious code have accessed user machines. Its full name is "Netscape Plugin Application Programming Interface" as it was first invented by Netscape before being adopted by other browsers to overcome the limitations of the web technologies at the time, an example of which would be playing videos, which wasn't possible then, or having interactive games.

Why remove it?

It's basically because it's not particularly needed any more, it was invented in the 90s to extend the browsers capabilities to as stated above which wasn't possible with standard web technologies of the time but with new web APIs a lot of this functionality is built into the browser and runs much faster and more securely.

From what I understand the architecture of these plugins caused a lot of browser hang ups & crashes, can't say I understand the technical reasons for this as I've never worked with NPAPI but I'd imagine that due to it not being 'baked' into the browser there was additional overhead with running them, that with limited resources available & possibly inefficient programming led to programs 'hanging' then crashing. Whatever the reason I remember experiencing a fair amount of plugin related browser crashes back when these were more popular.

The security issues of NPAPI

The security issue with NPAPI plugins is that they effectively have full access to your computer through the browser, in the same way that a installing a program in your computer does. The reason this is worse is because of the way it gets installed, the user gets a prompt to install something when the get to a website and out of habit just click the accept button rather than actually reading what they are accepting (can't find the article which had the research data for that at the moment), even if they did read it they may not fully realise what it is. This is opposed to an application which you purposefully download or install from a disc. I'm pretty sure way back in the past the user didn't even need to accept anything to install the plugin! I could be wrong on that though.

I'm not certain if this is still the case but it was possible to customise the message, which gave genuine developers the opportunity to explain to the user what they were installing & why but it also allowed other developers to make messages that impersonated more reputable companies, Adobe Flash Player was a prime source of this. More recently security vulnerabilities in Java have been the main method which attackers have been getting access to users computers, so much so that US Homeland Security has recommended users to disabled it unless they really need to use it. I won't describe these Java vulnerabilities as there have been several and Google will serve you better in getting information about them.

Another downside to NPAPI is that a lot of the extra security enhancements implemented in modern browsers such as sand boxing can't be implemented with NPAPI, or can't be implemented as well, due to its architecture. I cannot explain that much better as I don't understand its inner workings well enough.

Is Adobe flash affected by NPAPI deprecation?

In short no because Google have been working with Adobe for about two years to port Flash player across to Googles new cross-browser (although I don't think any other browser uses it yet) version of NPAPI called Pepper Plugin Application Programming Interface (PPAPI). I'm not familiar with it enough to say what the exact differences are but according to Google it's much more secure than NPAPI which is why they're replacing NPAPI with it.

ActiveX

I should point out that NPAPI is not the same as ActiveX in Internet Explorer, that's a different thing altogether specific to Microsoft. ActiveX goes beyond what NPAPI can do, I won't go into ActiveX here though.

Further reading