Hacker News
by proee 3130 days ago
Regarding web extensions like Adblock or others that I'm using, this seems to be quite risky because the developers of the plug-in could get hacked and silently release a version that captures your password fields.

Are we really ok giving full read/write access to our webpages from companies we know nothing about?

I'm considering removal of all web extensions that have read/write access.

Thoughts?


uBlock Origin is GPL licensed. It collects no analytics. The code base is concise and highly legible. The primary maintainer (Raymond Hill) appears to be a principled man. I don't think that it has been independently audited, but I trust it more than most of the software on my computer.

https://github.com/gorhill/uBlock

Right, but do you trust that his entire system is locked down? Wouldn't this be the ultimate target by a hacker at the highest level? They might even go so far as to physically breach his location if they knew they could gain access to his machine. Installing keyloggers, etc.

This might allow them to change the plugin at the last minute if he made an update and pushed it out.

Yes, but your parent is afraid that an extension's account may be hacked. Now that going forward Mozilla will be doing only minimal manual code review on AMO, this is not an entirely fanciful concern.

We talk about reducing the attack surface of every other program out there, but funnily enough, almost no one mentions reducing the attack surface of the single program that's more exposed than almost any other to exploits: the web browser.

On the contrary, we pile it with addon after addon and even the browser makers have long succumbed to feature creep.