SergeyUlanov's comments

> I'd really prefer it to adopt the resolution of the client machine

We have this implemented, but the problem is that the current version of Xvfb doesn't support the RandR extension. See https://bugs.freedesktop.org/show_bug.cgi?id=26391 . With the patch attached to that bug, CRD should resize the desktop automatically.


Hello, I'm one of the engineers on the team.

Extension sync doesn't automatically enable remote access to your machine. The user must explicitly enable access on each machine that needs to be accessible (and to do that the user must be an administrator).

Also, the remoting service needs to be installed separately from Chrome - it's not part of the extension. It's not possible to package native binaries with Chrome apps/extensions, by design (except for NPAPI plugins, but extensions with NPAPI plugins are not synced and NPAPI support is being removed from Chrome).

On Linux you can disable automatic updates for both Chrome and CRD. Just set repo_reenable_on_distupgrade to false in /etc/default/google-chrome and /etc/default/chrome-remote-desktop.
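The setting described in the comment above, as an added example that is not part of the thread: a small POSIX shell helper that sets repo_reenable_on_distupgrade=false in a /etc/default-style file without duplicating the line, demonstrated on a constructed scratch copy rather than on the real files. The file path argument, the sample file contents and the helper names set_reenable/get_reenable are assumptions of this example, not anything from the comment.

```shell
#!/bin/sh
# Added example (not from the HN thread): idempotently set
# repo_reenable_on_distupgrade=false in an /etc/default-style file.
# The file path is a parameter so the change can be tried on a scratch
# copy before touching /etc/default/google-chrome or
# /etc/default/chrome-remote-desktop.

set -eu

# set_reenable FILE VALUE
# Rewrites the existing repo_reenable_on_distupgrade assignment in FILE,
# or appends one if the key is absent. Running it twice leaves one line.
set_reenable() {
  file=$1
  value=$2
  if grep -q '^repo_reenable_on_distupgrade=' "$file" 2>/dev/null; then
    # Replace the whole assignment, whatever the old value (quoted or not).
    sed -i "s/^repo_reenable_on_distupgrade=.*/repo_reenable_on_distupgrade=$value/" "$file"
  else
    # Key absent: append it.
    printf 'repo_reenable_on_distupgrade=%s\n' "$value" >> "$file"
  fi
}

# get_reenable FILE
# Prints the current value of the key (empty if unset), quotes stripped.
get_reenable() {
  sed -n 's/^repo_reenable_on_distupgrade=//p' "$1" | tail -n 1 | tr -d '"'
}

# Demo on a constructed scratch file mimicking the layout of
# /etc/default/google-chrome (sample contents are made up for this example).
demo() {
  tmp=$(mktemp)
  printf '# constructed sample\nrepo_add_once="false"\nrepo_reenable_on_distupgrade="true"\n' > "$tmp"
  set_reenable "$tmp" false
  get_reenable "$tmp"   # prints: false
  rm -f "$tmp"
}
```

Run it against a scratch copy first (demo does this with mktemp); applying it to the real files under /etc/default requires root.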


Great to hear back from the team. Do you know if we can expect better stability from this than from hangouts? I'm thinking of: https://code.google.com/p/chromium/issues/detail?id=363358 which I had the displeasure to run into last time I had a conference call scheduled.

Now, I don't fault the hangouts team for encountering a bug -- but it's frustrating (perhaps doubly so for Debian/stable users) when something like hangouts stops working -- and that without there being any obvious reason (eg: new features, important fixes) for why something that used to work suddenly stops working.


If I could still edit it, I would correct my post to say that a user that has not activated remote desktop does have to enable it manually.

But there is still no way to control Chrome's surface area in the future, and features like this give me the heebie-jeebies. Two things:

1. Users that have already enabled Chrome Remote Desktop don't need to authorize the set of computers that can access it remotely. You authorize one endpoint, but not the other. And since Chrome will occasionally install new extensions and apps in its regular updates, there's no notification for a lay user to know why they got "Chrome Remote Desktop". For that matter, anyone with access to a Google account can leverage one Chrome sync feature to gain access to others (mainly: from an extension into completely owning their machine), allowing them to leverage Google account access into a much greater vulnerability on remote physical machines. Passwords, open tabs, history, form data, credit card information.

Let me walk you through this. Alice is using her computer at work. Eve has obtained Alice's credentials, and sets up a Chrome account on a machine and enables full sync, and installs the Chrome Remote Desktop extension on her computer.

Alice sees a new extension appear on her computer. Why is it there? Alice is never informed, and Google adds new apps and extensions with updates occasionally, so Alice proceeds to install Chrome Remote Desktop. Why not? Chrome seemed to think it was safe to put on her front page or in her app bar. Eve can pin it to her bookmark bar with a title like "Connect from home!", or even install multiple bookmarks to do this:

"Connect from home" "now today" "with Google Chrome" "Remote Desktop!"

Now it's just a matter of time. Eve could also use her access to the account to synchronize new extensions silently and in the background, allowing them to siphon off passwords and credit card numbers, even if Alice disallowed those items from synchronizing. Extensions are simply too powerful and the automatic update feature makes every extension from a third party developer a ticking time bomb.

2. You don't really offer a great way of blocking increases to the attack surface area of Chrome. You offer a way to totally turn off all Google Chrome automatic updates, but woe is the administrator that tries to use your policy tools to lock down Chrome. As Chrome is becoming an operating system unto itself, I find myself at a loss to understand why policies for this new operating system lag behind. Your suggestion doesn't prevent Chrome from automatically updating or synchronizing new extensions, and doesn't provide the average user with protection from a hijacked Chrome account. Disabling Chrome's automatic updates, if anything, makes them less secure.

No, what I want is the ability to lock Chrome's surface area to a particular version, not lock Chrome to the version itself. I want to see ways to limit my liability as an administrator to what I know and understand - and the Chrome team seems to think they know better than I do how to keep lay users safe. I disagree - given the fact that I, the security-paranoid user, have already been bitten by Chrome's security policies, I have no hope that they will avoid the same fate.


Now it's just a matter of time for what? For Alice to enable remote access on her machine and set the mandatory pin? How does this help Eve?

Moreover, your scenario presupposes that Eve has Alice's Google credentials. At that point, Alice is already owned. Given that most of a user's information is online instead of on a particular device these days, accessing Alice's desktop is not significantly useful. Eve can already pretend to be Alice and send trojans to her friends and then pretend to be Alice's friends and send trojans to her.

