I’d be really curious about in a system where browser extensions are limited to ~200 lines of code. No mechanism for distribution beyond typing text in. No concerns about permission. It would be interesting to see what people can do in an ecosystem where extensions can actually do anything but it is expected that people will actually read the code before running it.
My reaction would be simpler: Anything that's identified as risky? Show the user. Extension is making an HTTP request? Show the body in a toast. Extension is reading the keyboard? Same thing. Extension is looking at the page? Little icon in the corner showing the name of the extension and that it looked. Can't be turned off. So extensions can still do all that crazy stuff, but they're noisy about it.
If nothing else, basic logs of everything an extension does should be kept so that technically knowledgable users can take a look at the logs periodically (and maybe have them watched automatically by tools) to make sure everything checks out.
1) “identified as risky” seems like it could hide some significant complexity (and room for error).
2) An extension might need to read from the keyboard. I don’t want to OK it every time. If I check once and then mark it as OK, I’d be worried that it could do something evil with that permission somehow, in a far-flung bit of the code.
I'm not saying a popover modal, I'm saying a toast notification or a status-bar icon. Non-blocking.
Like, when you're typing and it's being monitored: in the corner of the window it says"Extension TweetSyndicator is reading your keyboard. Click here to manage extension."
I agree. When an app uses GPS on my phone, I'm informed of that: a notification permanently displays in the top bar until it is no longer being used. Same with the camera and mic. If my clipboard is copied, I get a notification as well informing me of that and telling me which app did it.
I'm not sure why a similar system doesn't exist for browser extensions. Furthermore, there are limits to what features you can and cannot disable for Chrome extensions, and as far as I'm aware there are no logs of what actions they took.
I had an extension that randomly redirected me to scam URLs while doing completely innocuous things such as visiting the homepage for Gmail, YouTube, or performing a Google search (after pressing enter for the initial query, before clicking on any URL.) I had 15 extensions, and the redirects were infrequent enough that disabling extensions one by one wouldn't help much: it could potentially take months to track it down, and there's no way of disabling the permission to redirect to different URLs. I searched the minified source code for all of the extensions that I had, but none of them had the URLs I was redirected to. My guess is that they pulled data from a server and then redirected me to whatever malicious URL it pulled at that time. I also checked network traffic in the Chrome Task Manager to see if there was an extension sending data for unknown reasons, but again, nothing, so it likely periodically pulls a URL to redirect me to from some server, redirects me, and then sleeps for a few days. Short of un-minifying all 15 extensions and trying to understand the purpose of every redirect, many of which would be legitimate, I'm not sure what can be done.
In the end, I removed every last extension aside from my password manager and uBlock Origin (which fixed the issue — over one month later I've never been redirected to a scam URL.) Many of the extensions I used were open source, but I don't think any hash system exists to verify the minified code matches the source files for Chrome extensions (maybe I could do that manually, but I don't want to do that every time there's an update for any of the 15 extensions I had.)
It's unfortunate, as many of the extensions I used improved my productivity and helped me focus better and be distracted less. But as it is currently, the browser extension ecosystem simply isn't safe.
From what I've heard, Firefox's review process is better in some ways than Chrome's, but their extensions can have even more control of your browser.
I don't think it's impossible to design an extension system that is secure: extensions just need to have the ability to be granted extremely limited permissions, and any permission beyond what is reasonable should be denied in the review process for putting it on the Chrome or Firefox extension stores. Most of my extensions shouldn't have even needed Internet access (if they can execute JavaScript, they'd still be able to redirect me to a scam URL, but if it couldn't have pulled a URL from an external server, then the URL would need to be in the minified JS, so I'd have been able to catch it.)
Firefox allows their extensions to be far more powerful than Chrome's, but that power means they are also far more dangerous.
If Firefox were to really take off (like it should, imho), are we really ready for a web full of people being attacked by the worst spyware ever?
Chrome, for all its faults, has ruined their extension framework at least in part because they were trying to prevent this threat.
How do we make this work? Endless notification spam from the plug-ins? Expensive certifications for each plug-in release?