Comments on: Let’s Talk About CEF (Some More) https:/2018/04/lets-talk-about-cef-some-more/ Developer resources for the X-Plane flight simulator Wed, 25 Apr 2018 14:52:41 +0000

By: Tyler Young https:/2018/04/lets-talk-about-cef-some-more/#comment-29059 Wed, 25 Apr 2018 14:52:41 +0000 http://developer.x-plane.com/?p=8458#comment-29059 In reply to Gene Thomas.

Not that I’m aware of.

By: Gene Thomas https:/2018/04/lets-talk-about-cef-some-more/#comment-29056 Wed, 25 Apr 2018 14:19:13 +0000 http://developer.x-plane.com/?p=8458#comment-29056 In reply to Tyler Young.

It doesn’t have to be what most consider malware. Does it ever talk to google for/about anything?

By: Tyler Young https:/2018/04/lets-talk-about-cef-some-more/#comment-28976 Tue, 24 Apr 2018 12:11:18 +0000 http://developer.x-plane.com/?p=8458#comment-28976 In reply to Gene Thomas.

Chromium itself is 100% open source… if there were some nefarious Google back door, it’s out there in the open waiting to be found.

I agree Google’s behavior is problematic at times, but implying that they’ve embedded malware in an open source project is totally unsubstantiated. Even if a company wanted to be evil, that’s not the way to do it… it’s just too easy to get caught!

By: Gene Thomas https:/2018/04/lets-talk-about-cef-some-more/#comment-28937 Tue, 24 Apr 2018 02:16:00 +0000 http://developer.x-plane.com/?p=8458#comment-28937 Tyler said: Since you mentioned the Flight Sim Labs debacle, it’s worth noting that CEF running in an app is 100% separate from any installation of Chromium or Chrome on your PC. That means no access to shared passwords, cookies, history, etc.

My question: since google does Nothing out of the goodness of their heart, what access Do they have?

FYI: I use none of the applications on your list

By: Tyler Young https:/2018/04/lets-talk-about-cef-some-more/#comment-28592 Thu, 19 Apr 2018 19:57:51 +0000 http://developer.x-plane.com/?p=8458#comment-28592 In reply to DNeely.

Since you mentioned the Flight Sim Labs debacle, it’s worth noting that CEF running in an app is 100% separate from any installation of Chromium or Chrome on your PC. That means no access to shared passwords, cookies, history, etc.

By: DNeely https:/2018/04/lets-talk-about-cef-some-more/#comment-28578 Thu, 19 Apr 2018 16:34:52 +0000 http://developer.x-plane.com/?p=8458#comment-28578 My two concerns with this are simple. CEF needs to be “everyone in the pool” or “no one in the pool”. If having CEF on one add-on prevents others from being able to use it, it’s not a good thing and needs to be sorted out first. Putting end users in that position is not a good thing.
The second is the monster in the closet, security. Admittedly a LARGE percentage of it needs to be on the user, but at the same time LR and, by extension, plug-in makers are going to have to seriously consider this. I think a kill switch is a must, a default-off switch (independent of the first) is a must, and from add-on makers, explanations of WHY it needs to be on are a must. “Just because” is not going to fly anymore after the FSL incident. As long as those are hammered out prior to release I think it’s fine.

Now obligatory where is my __________ barb (seasons!)

By: Tyler Young https:/2018/04/lets-talk-about-cef-some-more/#comment-28517 Wed, 18 Apr 2018 12:38:08 +0000 http://developer.x-plane.com/?p=8458#comment-28517 In reply to TC.

Ahhh! I understand now. What you’re talking about was Austin’s support for untowered operations. I’m not sure what the state of that is right now, but we discovered a handful of show-stopping issues that required the entire project to be put on the back burner. Austin was… a few orders of magnitude too optimistic in suggesting it would be “no problem” to get it into 11.10.

By: Tyler Young https:/2018/04/lets-talk-about-cef-some-more/#comment-28516 Wed, 18 Apr 2018 12:34:45 +0000 http://developer.x-plane.com/?p=8458#comment-28516 In reply to Chryseus.

Hehe. In an attempt to not belabor the point, I actually left off from that list the fact that both Unity and Unreal (the two most widely used game engines) support CEF out of the box.

So, no, it is factually inaccurate to say that games don’t use webviews.

By: Marc Westhofen https:/2018/04/lets-talk-about-cef-some-more/#comment-28505 Wed, 18 Apr 2018 09:31:58 +0000 http://developer.x-plane.com/?p=8458#comment-28505 Thank you Tyler for the clarification. I understand what you are looking for.

Also I’m glad that you are fully aware of the security risk which is not a question of personal interest or taste but a real problem that no one should ever underestimate!

Whatever your countermeasure against the persistent threat of malicious online activity will be – a “master switch” for the user to enable or disable online connectivity of CEF should be implemented.

If there is online traffic caused by CEF, the user
a) should be aware of it and
b) needs to be the final authority to approve or disapprove it.

The default setup of such a “master switch” should be “off”.

3rd party devs then need to be encouraged to explain why they use CEF and why it is required to switch it to on or what feature will be hampered or non-functional if the switch is turned to “off”.

I do not know if “off” could also disable already implemented CEF versions used by other developers. I wish it was possible.

Also it should be tested whether security software is reliably compatible with X-Plane’s CEF implementation. I know that this will be very, very difficult because there is a bunch of different security software available – for Windows, Mac and Linux! You should consider that security software could also flag X-Plane itself as malware when using CEF:
==========================
>>One worry is that if too many instances of CEF are being used for malicious purposes, it might lead to the framework being blacklisted by endpoint security products. “Given the large number of companies currently using libcef for legitimate purposes I think it’s unlikely that we’ll end up on any anti-virus black lists,” Greenblatt said. “Companies are also encouraged to sign all of their binaries, including CEF binaries, before distribution.”<<
==========================
source: https://www.darkreading.com/risk-management/malware-developers-hijack-chromium-framework/d/d-id/1109259

"I think it's unlikely that we'll end up on any anti-virus black lists […]" – this is an opinion and some degree of hope but no guarantee!

Chromium requires patches – just like any other browser, embedded as a framework or stand-alone. Also Steam is updating and patching their portal software. But X-Plane cannot update/patch it for add-on compatibility reasons – this makes me a little nervous.

Again: I got your point, but opening "Pandora's Box" is also a question of responsibility. I assume that it will be the user who’ll have to take all risks, but if so, the user really – as a minimum – requires active control over if/how CEF talks to the (dirty) internet.

If VR users then like to benefit from CEF – even for browsing cat videos – why not? But it needs to happen by the user’s intention and not because of any unknown activity "under the hood".

You may think now that I am suffering from paranoia, but security risks are growing dramatically. I understand that CEF is already being used by some add-ons – but this is no excuse to accept additional security issues being implemented by X-Plane.

Regards,
Marc

By: Jamie https:/2018/04/lets-talk-about-cef-some-more/#comment-28502 Wed, 18 Apr 2018 08:43:05 +0000 http://developer.x-plane.com/?p=8458#comment-28502 I think the problem is the idea that CEF is merely a browser in the sim. It can be, but I’ve seen it used in other sims and projects where it’s used as a mechanism to expose native code to JavaScript. The browser side of things occasionally gets left to doing some UI-related stuff or nothing at all.

I get that people are concerned about the security of it, but this is where, as a user, you manage the risk: you may feel comfortable reading the news, watching videos or using web-based flight planning; just don’t do your banking in any CEF-based application. If you think the scope of CEF is limited to a fancy EFB on payware aircraft, that’s a very narrow snapshot of the potential; look further.

The possibilities for devs with even read/write on datarefs exposed through a JavaScript API are huge. Think about the requirements for people extending X-Plane right now: they need a background in cross-platform dev (C/C++, other compatible binary) or, most commonly, Lua, which is not a problem for some people. If you just add the people with web development skills to that group, you’re in a good place.

The positive thing here is that the scope of what CEF exposes to JS is under the control of LR; they can limit you to a single dataref or go, “you know what, that UI was so 2017, let’s use CEF for everything”. I’m confident LR won’t cripple the implementation to the point where we will never see a return on investment from the overhead; that’s a good place to be.
