by petagonoral 2793 days ago
Maybe it's time for the browsers to put more effort into extension network security.

1) Every extension has to declare up front what urls it needs to communicate to.

2) Every extension has to provide schema of any data it intends to send out of browser.

3) Browser locally logs all this comms.

4) Browser blocks anything which doesn't match strict key values & value values and doesn't leave browser in plain text.
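The four-point policy above, modelled as an added example (not code from the thread or from any browser): an extension declares exact URLs and a strict schema, every attempt is logged, and anything undeclared is blocked. Host, path and field names are made up.

```javascript
// Added example, not code from the thread or from any browser: a model of the
// four-point policy. An extension declares the exact URLs it may call and a
// strict schema for every field it sends; the "browser" logs each attempt and
// blocks anything with an undeclared key, an unlisted value, or data smuggled
// into the query string. Hosts and fields below are made up.
const policy = {
  // 1) URLs declared up front (origin + path); query strings are refused,
  //    so the only outbound data is the schema-checked body.
  allowedUrls: ["https://api.price-alerts.example/v1/check"],
  // 2) Schema: every key is declared, values are enumerations or bounded
  //    integers rather than free-form strings. Even so, each request still
  //    carries a few bits (which value was chosen, and when), which is why
  //    the thread talks about reducing channel bandwidth, not eliminating it.
  schema: {
    event: { enum: ["price_check", "alert_fired"] },
    currency: { enum: ["USD", "EUR", "GBP"] },
    cents: { int: { min: 0, max: 100000000 } },
  },
};

// 3) Local audit log of every outbound attempt, allowed or blocked.
const auditLog = [];

// 4) Returns { allowed, reasons }; anything not matching the policy is blocked.
function checkOutbound(policy, url, payload) {
  const reasons = [];
  const u = new URL(url);
  const target = u.origin + u.pathname;
  if (!policy.allowedUrls.includes(target)) {
    reasons.push(`undeclared url ${target}`);
  }
  if (u.search !== "") reasons.push("query string not permitted");
  for (const [key, value] of Object.entries(payload)) {
    const rule = policy.schema[key];
    if (!rule) { reasons.push(`undeclared key ${key}`); continue; }
    if (rule.enum && !rule.enum.includes(value)) {
      reasons.push(`key ${key}: value not in declared enum`);
    }
    if (rule.int && !(Number.isInteger(value) &&
        value >= rule.int.min && value <= rule.int.max)) {
      reasons.push(`key ${key}: not an integer in declared range`);
    }
  }
  const allowed = reasons.length === 0;
  auditLog.push({ time: Date.now(), url, payload, allowed, reasons });
  return { allowed, reasons };
}
```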

12 comments

> 4) Browser blocks anything which doesn't match strict key values & value values and doesn't leave browser in plain text.

It is not that hard to leak out arbitrary info in strings or even numbers.

Or in the timing pattern of polling a URL. 1 sec pause: 0, 2 sec pause: 1.

This is a losing battle. Don't engage.

I disagree. So does the TCSEC ("Orange Book"), which argues that covert channels may be effectively impossible to eliminate but that they should still be reduced, then lays out guidelines on how far they should be reduced for secure computing platforms. Specifically:

  In any multilevel computer system there are a number of
  relatively low-bandwidth covert channels whose existence is
  deeply ingrained in the system design. Faced with the large
  potential cost of reducing the bandwidths of such covert
  channels, it is felt that those with maximum bandwidths of
  less than one (1) bit per second are acceptable in most
  application environments. [...] Therefore, a Trusted
  Computing Base should provide, wherever possible, the
  capability to audit the use of covert channel mechanisms
  with bandwidths that may exceed a rate of one (1) bit in ten
  (10) seconds.
I'll admit that this definition is at least a couple decades out of date, but at the same time... the standard for the US's intelligence agencies' secure computing platforms was to not even care about hypothetical covert channels slower than .1 bps. In addition, such channels were required to be auditable, not eliminated; I'm certain that less-secure applications were completely fine shipping with demonstrated covert channels in the bits-per-second range. And that's for systems that deal with things like the IDs of HUMINT assets or technical specifications for weapons systems; here on HN we're talking about browser fingerprints and location data.

All of this is to say: If I could limit covert channels from webpages or mobile phone apps to 10 bps I'd do it in a heartbeat. Perfect is the enemy of good enough.

Any kind of enforcement would already be a huge benefit over the status quo and make things too annoying for at least half of the attackers.
What is a losing battle? Security?
"Security" through throwing homework-level challenges at extension programmers? Yes.
Extensions. I agree with Santosh83, no extensions except ublock.
I'd be fine with uMatrix as a basic browser feature. Barely use anything else ever.
I mean...
How many extensions need to send unique outbound data? Prior to publishing in the store, the browser maker can look at the schema and query whether it makes sense in the context of the extension. If the submitted schema is not tight enough, it can be rejected until it's tighter.
A lot need to modify the DOM, and that would make it possible to include an <img src=x width=0>. Preventing this seems _very_ complex.
Last year several coworkers had installed a fake Postman Chrome extension that contained adware. We all reported it to Google, and on inspection others had left reviews to that effect, but Google took over six months to remove it.
Related question: What would you use a Postman Chrome Extension... for?

Rather than say just... use Postman?

I'm not disagreeing with the use, just wondering how they use it compared to Postman itself. I'm a n00b web dev, I just want to know how others work and why.

> Related question, What would you use a Postman Chrome Extension... for?

Postman started off as a Chrome Extension (ran in a chrome tab), and then became a Chrome App. The standalone apps for desktops came later. A lot of people use the chrome extension because it's convenient.

Source: I worked at Postman until about a year ago.

Native Postman is garbage in that it doesn't even support authenticated corp proxies.
I think I knew that once, but only started playing with Postman after it was a standalone application.
I believe the extension can be used in conjunction with the app to let the app use the cookies in your browser session, but to be honest, I've only seen others do it, and it was back in the day when Postman was just a "Chrome App" and not a detached application. Maybe that functionality exists in the new Postman app without the chrome extension.
I can't speak to Postman specifically, because I barely use it enough for it to make a difference. But in a more general sense, I tend to prefer <thing> in a browser over <thing> but in its own window. It means one fewer program filling my taskbar.
I can see that, but for me it's more:

- Dork with code/ routes in one window and/or dorking around with the front end code.

- Postman (the stand alone program) in another window to check what the return from the server really is or what the API is doing now.

So I've got it on its own dedicated space (not all the time but often enough).

I very rarely have only a single browser window, and I'm not coding in a browser anyway, so that's not actually a huge factor in the decision. I agree with using windows to easily switch between tweak and test.
A friend of mine works for a large bank and isn't allowed to install desktop applications but has chrome installed so can 'sneak in' certain apps through browser extensions.

E.g. WhatsApp, 1Password

The Chrome Extension has the 'interceptor' feature which listens to ALL network requests made in the browser on a particular page and pipes it to the Postman App. This was very neat for me to debug my requests.

However, the standalone app doesn't have that feature (yet). So I will continue to use the Chrome Extension version until they have that feature available in the Standalone app.

For some idiotic reason the native version of Postman does not support authentication against corp proxies. As a result, when using it at work, behind a corp proxy that requires authentication, the native postman doesn't work!

The only version that works is the Chrome App Postman, which simply uses the Chrome network stack, which obviously works behind the proxy.

Boooo to Postman.

"What would you use a Postman Chrome Extension... for"

If I'm not mistaken, it started as a browser extension.

This is terrifying - Postman is very widely used.
Mozilla and Google should look at the top extensions and implement the popular ones as official extensions (or for some it may be worth building them inside the browser). Reader mode is now part of some browsers, so you do not need an extension.

Mozilla could implement ad blocking extensions and give the user the option to use a custom block list (so Mozilla is not accused of becoming a gatekeeper).

Or maybe not: the Firefox version of the pocket extension is badly baked (you have to wait for the adding animation to disappear otherwise it gets cancelled. The previous version was "click and it's added in the background").

The Chrome version is more usable.

The great Firefox redesign at the beginning of the century was about slimming down Mozilla the navigator and letting extensions extend the browser. Is that the pendulum going back and forth?

I think the minimum browser changes over time, but without adding and removing features it's hard to discover what that minimum is.

For example, some form of ad or at least popup blocking should be included, but that does not preclude useful addons from customizing the experience.

I was suggesting official extensions, so you could not install or disable them; the reason I mentioned some could be put directly in the browser is if the same functionality can't be done by a pure extension or it would be much more efficient directly in the browser.

I completely agree that you should be able to disable/uninstall Mozilla extensions and replace them if you want with different ones (maybe you know of a better reader mode or a better ad blocker extension).

In fact this extension may not even be installed, just be part of the Mozilla code base so any update will be reviewed.

Through reading bug reports, I found out that the FF reviewers for the decentraleyes extension have a custom script to check that all copied scripts are actually identical to the CDN versions. I found that step in the review interesting and positive.
Why are Mozilla and Google the only people you trust to maintain extensions? Why don't you or I implement the popular extensions in a user-respecting way?
I don't want to offend the extension creators; I want the option to uninstall an official extension and put in my own or a community one, but IMO there are reasons to trust Mozilla more than a stranger or a community. There were cases where popular extensions were bought and updated with malicious code. Because of that I make sure I open bank or PayPal websites in a private window with extensions blocked, but will a regular user know to do this?
One could always stick to open-source extensions... if Google didn't make developer mode such a painful experience.
I don't think it is about who you trust but who can resource the amount of work required to keep it going? There are thousands of browser extensions, including all of their updates etc.
No, not secure enough. Remember ActiveX? The security policy of ActiveX was: the browser asks the user if he wants to install the ActiveX. If the user says yes, anything that happens afterwards is the user's responsibility.

What you're suggesting is not that much better. Do you expect your grandma to be able to review the permission list for the browser extension?

Browser extensions are the modern day ActiveX. Yes, lots of them are very useful. But you could say the same about ActiveX controls too.

> policy of ActiveX was, the browser asks the user

Therein lies the problem. The entire industry has, ever since Windows 3.1 (!), done their best to condition users with a single and highly destructive mindset:

"Press OK to make the annoying window go away."

The only way around this, and I'm not saying this lightly, would be to make the pushers and vendors CRIMINALLY AND PERSONALLY liable for the damage they cause to end users. Once we see the third or fourth offender nailed through their genitals, head down, on the town hall wall, the message will start to get through.

A lot of it happens in countries other than country of origin... and extradition is difficult and often expensive. Though, I wouldn't mind seeing the people that write rogue extensions that harm people get doxed.
No, I expect browser staff/interested technical parties to review extensions before publication. Why would your grandma review it?
> 1) Every extension has to declare up front what urls it needs to communicate to.

I believe Firefox has this. The rest are great ideas. Would love to see a way to log these.

The explanation of what each permission really does and why they are necessary are traditionally horrible, so even I, having developed a plugin once, have no clue what is reasonable and what is not.
Like realizing that the "flashlight app" needs camera permissions because the light is tethered to the camera permission.
Bookmarking extensions need access to all webpages though. Only #3 would potentially show something suspicious.
A bookmarking extension can use the activeTab permission, which gives them access only when the user clicks on the extension button and only to the current tab: https://developer.mozilla.org/en-US/docs/Mozilla/Add-ons/Web...
That's a great feature. Maybe not something people would want on a personal shopper extension though, which is another type of extension that might have done the scraping. It's more convenient to just have a price alert activate when I look at an item on Amazon than having to push a button every time.
Technically you can do that just with the webNavigation (allows you to see the URLs loaded) and the notifications (to alert the user).
This shouldn’t require arbitrary network access, though. You can read the content of pages and have access to browsing history locally.
Right, if someone is using Facebook Messenger in a browser, the message history could be scraped.
Then every extension will require access to Facebook so that the user can share something there.
What I actually need is the ability to deny / revoke access to particular URLs
The image on the page doesn't have the "Allow on all but block access on this site" functionality.
For Android, it is extremely easy to do that via an app called NoRoot Firewall. What it does is it creates a VPN server on localhost and routes all traffic to that. When an app wants to connect to a host, it shows a notification which when clicked, you can see the URL/ip and the app name. Then, you decide whether you accept the connection or not. It supports permanent blacklisting and whitelisting as well.

Since a browser like Opera can integrate a proprietary VPN without messing with OS network settings, doing the same on other browsers should be possible.

This notification method will get the Vista UAC treatment: approve all or deny all. Because it's annoying.

Have you ever used Kaspersky?

It actually doesn't, because you can make a rule, and then the application will follow it from that point on with no more notifications. The rule can include wildcards for parts of the hostname, or the IP address, or the port, or both.
And you honestly think that is a workable solution for most people on the internet?
Nope. Just explaining how it works.
> 2) Every extension has to provide schema of any data it intends to send out of browser.

Just because I supplied a schema does not mean I'm not exfiltrating sensitive data, in a way that would not be obvious from the logs.

How many extensions _need_ to send data outbound? Before approving extensions for store/signing, the schema can be checked and if it's not tight enough - rejected.
Can browser extensions block other browser extensions from communicating with an outside URL (or outside URLs in a block list)?
Agreed, but #3 is adding another attack vector, and the implementation matters and could be complicated.
There was a browser addon (client-side) that was encrypting facebook messages but facebook banned it.
No using maths on messages! Just read more ads!