
Forget all that.

1. They increase the attack surface of the browser

2. They have routinely been transferred to (for money) or taken over by malicious entities

3. Often they subtly break things in ways that are fine for expert users but which result in support reach out by others

The whole extension thing is a mess.




Replace browser with operating system or computer and expand extensions to user installable programs and it mostly still rings true. I believe users should be empowered to modify their installed applications as they see fit.


It doesn't ring true for installed software anymore — "virus scanners" have gotten to the point where they just work for most people, desktop software is more difficult to develop (for your average hacker wannabe), more difficult to get users to install, and has far less valuable data to go after.

I actually very much like Apple's approach to browser extensions forcing them to be truly installed software and in the purview of tools that protect the rest of the system.

The Chrome browser extension ecosystem is perfectly fine in theory but suffers from reinventing installed software without taking any of the lessons we've learned about OS software. Nice cautionary tale but the web is different.


On a typical PC, installed software has even more permissions than a browser extension, and all any malware author has to do is write their own keylogger or upload the browser cookie database. Sure, it's a little more effort, but I think the only real advantage that malicious browser extensions have over native programs is the discoverability and auto-update Google and Mozilla give them "for free".


Wouldn't AV pick up uploading browser cookies?


I don't know, it would be simple enough to catch, but would also flag access by file managers. Probably the only way is to test. Generally I've found writing malware from scratch is enough to get it through AV, but I only tested on what I had installed.


> It doesn't ring true for installed software anymore — "virus scanners" have gotten to the point where they just work for most people

... by allowing software from big corporations no matter how user-hostile it is while randomly flagging/deleting harmless software made by individuals/smaller groups who have not paid the protection racket.

The AV industry is a scam.

> desktop software is more difficult to develop (for your average hacker wannabe)

Desktop software can be written in the same languages as webshit and more.

> and has far less valuable data to go after

All data available in browsers is also available to native programs running besides.


Actually hilarious that we have people here defending removing extensions, as if they didn't live through the days of Internet Explorer. Well, maybe they didn't. I hope they enjoy the eventual return of popups.


> Actually hilarious that we have people here defending removing extensions, as if they didn't live through the days of Internet Explorer.

I wouldn’t be surprised if Gen Z didn’t live through it.


They never left, they're just called modals now.


Endless EU Cookie modals that you have to always click through because you clear cookies.


All the more reason why we need to be able to automate our browser through extensions.


a) Those can be closed along with the website because they are all inside the same tab.

b) Extensions can remove them, which is the point of this discussion.


Small price to pay for adblock


Forget all that.

1. They increase the attack surface of the operating system

2. They have routinely been transferred to (for money) or taken over by malicious entities

3. Often they subtly break things in ways that are fine for expert users but which result in support reach out by others

The whole web browser thing is a mess.


Ultimately, as a society, we have to decide what is more important: the best of us or the worst of us.


Framing it like that makes it much more simplistic than reality. While there are some people you can clearly place into "best" or "worst", most people fit somewhere along a spectrum where their placement changes day to day. You ever had a bad day where you forgot to do something you would have done any other day?

Do you want software that allows you to do anything on a good day but is potentially catastrophic on a bad day?

The answer may still be yes, but regardless it's a more complicated question than best vs worst.


That's fair, I was being more flippant than necessary. :)


Exactly. We can either put bars on our windows to prevent criminals from breaking in or we can go after the criminals directly so that we don't have to worsen our living conditions. Both kinds of societies exist - low trust and high trust ones. I prefer living in the latter.


"Those who give up freedom for security deserve neither."


The real quote is more nuanced: "Those who would give up essential Liberty, to purchase a little temporary Safety, deserve neither Liberty nor Safety". It's a balance, obviously. I'm happy to have guardrails if they improve non-technical users' safety.


> I'm happy to have guardrails if they improve non-technical users' safety.

Not at the expense of expert freedom.


Safety is paramount for experts. Those who disregard the importance of safety are likely not experts in their field.

If the "console" analogy doesn't resonate, think of Apple as NASCAR. NASCAR has created a private ecosystem. Participating in NASCAR as a team or a driver is a choice, contingent upon meeting their requirements and paying entry fees. NASCAR implements numerous safety measures — SAFER barriers, catch fencing, HANS devices, etc. — to protect everyone involved, whether spectators (users) or drivers and teams (developers and vendors).

NASCAR prioritizes the ecosystem first, then spectators, then teams and drivers — in that order. It doesn’t compromise the ecosystem or spectator safety to accommodate individual teams or drivers. Driver safety is crucial, not just because NASCAR values them, but because incidents involving drivers can negatively impact the ecosystem and spectators.

Those wishing for NASCAR to resemble the Baja 1000 are tilting at windmills. Similarly, people who want iOS to be like Android aren't just wasting their time, but also disregarding the preferences of users who prioritize platform safety.


Sounds really cool, but I don’t buy it.

> Those wishing for NASCAR to resemble the Baja 1000 are tilting at windmills. Similarly, people who want iOS to be like Android aren't just wasting their time, but also disregarding the preferences of users who prioritize platform safety.

How does providing the ability to sideload and having the ability to use a custom browser engine compromise the system? How does having the ability to use a terminal disregard platform safety?

All of those are artificial limitations and you know it.


People don't join the Apple cult for the safety. They join it because it's a status symbol and they don't want to be bullied.


Most users have no idea the tradeoffs between the two. Or the dominance both have in their respective realms. Or the possibilities of having more viable platform choices.


4. They are required to make the web usable which makes points 1 to 3 irrelevant.


Honestly as much as I love Firefox this is an underrated concern.

Firefox allows their extensions to be far more powerful than Chrome's, but that power means they are also far more dangerous.

If Firefox were to really take off (like it should, imho), are we really ready for a web full of people being attacked by the worst spyware ever?

Chrome, for all its faults, has ruined their extension framework at least in part because they were trying to prevent this threat.

How do we make this work? Endless notification spam from the plug-ins? Expensive certifications for each plug-in release?


I’d be really curious about a system where browser extensions are limited to ~200 lines of code. No mechanism for distribution beyond typing text in. No concerns about permission. It would be interesting to see what people can do in an ecosystem where extensions can actually do anything but it is expected that people will actually read the code before running it.


My reaction would be simpler: Anything that's identified as risky? Show the user. Extension is making an HTTP request? Show the body in a toast. Extension is reading the keyboard? Same thing. Extension is looking at the page? Little icon in the corner showing the name of the extension and that it looked. Can't be turned off. So extensions can still do all that crazy stuff, but they're noisy about it.


If nothing else, basic logs of everything an extension does should be kept so that technically knowledgeable users can take a look at the logs periodically (and maybe have them watched automatically by tools) to make sure everything checks out.


I don’t really see this as simpler:

1) “identified as risky” seems like it could hide some significant complexity (and room for error).

2) An extension might need to read from the keyboard. I don’t want to OK it every time. If I check once and then mark it as OK, I’d be worried that it could do something evil with that permission somehow, in a far-flung bit of the code.


I'm not saying a popover modal, I'm saying a toast notification or a status-bar icon. Non-blocking.

Like, when you're typing and it's being monitored: in the corner of the window it says "Extension TweetSyndicator is reading your keyboard. Click here to manage extension."


All these things are done by useful non-malicious extensions. Warning fatigue is a thing.


There are legitimate reasons to read GPS signal but we still show a notice when it happens.


I agree. When an app uses GPS on my phone, I'm informed of that: a notification permanently displays in the top bar until it is no longer being used. Same with the camera and mic. If my clipboard is copied, I get a notification as well informing me of that and telling me which app did it.

I'm not sure why a similar system doesn't exist for browser extensions. Furthermore, there are limits to what features you can and cannot disable for Chrome extensions, and as far as I'm aware there are no logs of what actions they took.

I had an extension that randomly redirected me to scam URLs while doing completely innocuous things such as visiting the homepage for Gmail, YouTube, or performing a Google search (after pressing enter for the initial query, before clicking on any URL.) I had 15 extensions, and the redirects were infrequent enough that disabling extensions one by one wouldn't help much: it could potentially take months to track it down, and there's no way of disabling the permission to redirect to different URLs. I searched the minified source code for all of the extensions that I had, but none of them had the URLs I was redirected to. My guess is that they pulled data from a server and then redirected me to whatever malicious URL it pulled at that time. I also checked network traffic in the Chrome Task Manager to see if there was an extension sending data for unknown reasons, but again, nothing, so it likely periodically pulls a URL to redirect me to from some server, redirects me, and then sleeps for a few days. Short of un-minifying all 15 extensions and trying to understand the purpose of every redirect, many of which would be legitimate, I'm not sure what can be done.

In the end, I removed every last extension aside from my password manager and uBlock Origin (which fixed the issue — over one month later I've never been redirected to a scam URL.) Many of the extensions I used were open source, but I don't think any hash system exists to verify the minified code matches the source files for Chrome extensions (maybe I could do that manually, but I don't want to do that every time there's an update for any of the 15 extensions I had.)

It's unfortunate, as many of the extensions I used improved my productivity and helped me focus better and be distracted less. But as it is currently, the browser extension ecosystem simply isn't safe.

From what I've heard, Firefox's review process is better in some ways than Chrome's, but their extensions can have even more control of your browser.

I don't think it's impossible to design an extension system that is secure: extensions just need to have the ability to be granted extremely limited permissions, and any permission beyond what is reasonable should be denied in the review process for putting it on the Chrome or Firefox extension stores. Most of my extensions shouldn't have even needed Internet access (if they can execute JavaScript, they'd still be able to redirect me to a scam URL, but if it couldn't have pulled a URL from an external server, then the URL would need to be in the minified JS, so I'd have been able to catch it.)
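
Added example, not part of the original thread: a triage script for the situation described in the comment above, which reads each extension's `manifest.json` (here passed in as dicts) and lists the extensions whose host access covers every page where a redirect was observed. The extension names, sample manifests and URLs are constructed, and the match-pattern check is a simplification of the browser's own rules.

```python
import fnmatch
from urllib.parse import urlsplit

# Real Chrome permission names that let an extension observe or alter navigation.
NAV_PERMS = {"webRequest", "webRequestBlocking", "declarativeNetRequest", "tabs", "scripting"}

def pattern_matches(pattern, url):
    """Simplified match-pattern check: <all_urls>, or scheme://host/path with '*' wildcards."""
    u = urlsplit(url)
    if pattern == "<all_urls>":
        return u.scheme in ("http", "https", "file", "ftp")
    if "://" not in pattern:
        return False  # an API permission name such as "tabs", not a host pattern
    scheme, rest = pattern.split("://", 1)
    host, _, path = rest.partition("/")
    if scheme != u.scheme and not (scheme == "*" and u.scheme in ("http", "https")):
        return False
    h = u.hostname or ""
    host_ok = host == "*" or h == host or (
        host.startswith("*.") and (h == host[2:] or h.endswith(host[1:])))
    return host_ok and fnmatch.fnmatchcase(u.path or "/", "/" + path)

def host_patterns(manifest):
    """Host patterns from MV2 'permissions', MV3 'host_permissions' and content scripts."""
    pats = [p for p in manifest.get("permissions", []) if "://" in p or p == "<all_urls>"]
    pats += manifest.get("host_permissions", [])
    for cs in manifest.get("content_scripts", []):
        pats += cs.get("matches", [])
    return pats

def suspects(manifests, affected_urls):
    """Extensions whose host access covers every affected URL -> their navigation permissions."""
    out = {}
    for m in manifests:
        pats = host_patterns(m)
        if all(any(pattern_matches(p, u) for p in pats) for u in affected_urls):
            out[m["name"]] = sorted(NAV_PERMS & set(m.get("permissions", [])))
    return out

# Constructed sample manifests for hypothetical extensions (not from the thread).
SAMPLE = [
    {"name": "TabTidy", "permissions": ["tabs", "storage"], "host_permissions": ["<all_urls>"]},
    {"name": "MailNotes", "permissions": ["storage"], "host_permissions": ["https://mail.google.com/*"]},
    {"name": "DarkPages", "permissions": ["*://*/*"], "content_scripts": [{"matches": ["*://*/*"]}]},
]
AFFECTED = ["https://mail.google.com/", "https://www.youtube.com/", "https://www.google.com/search?q=x"]

if __name__ == "__main__":
    print(suspects(SAMPLE, AFFECTED))
```

An extension listed with an empty permission list is still a candidate, since a content script running on the page can change its location without any extra API permission.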


How to encourage code golfing in real world usages?


Tampermonkey?


And bookmarklets. These are leftover artifacts of the time when computers worked for us.


> If Firefox were to really take off (like it should, imho), are we really ready for a web full of people being attacked by the worst spyware ever?

We've been there, nobody died. 15+ years ago, Firefox was significantly more powerful, while also having a significantly higher market share.


> We've been there, nobody died.

[Citation needed]


Yes but that was before cryptocurrency created a new era of crime monetization.



