[benatkin]

I don't think this is proper use of Chrome extensions, and it hearkens back to the days of search toolbars, like the Ask and Yahoo toolbars being installed by Java. https://www.pcworld.com/article/2940688/java-installer-ditch...

As a user I want my browser's extension support to be more like Visual Studio Code's than like Atom's. Visual Studio Code has fine grained permissions, and prevents extensions from going through and changing everything. Still, it's nice that Atom exists so if I want more powerful extensions, I can use Atom.

There's two ways to go that I see. One is for someone to release an alternative browser that let you install pretty much any extension, sort of like Atom. The other is for the company that wants to provide the user with an innovative browsing experience to develop their own browser, which is what Brave has done.

My reaction to Pushbullet is, as the author of the top comment on a recent post put it, "Yikes" [0]. They have funding from reputable VCs but they require way too much permission and store way too much user data for what seems to be occasionally useful utilities, and this places them alongside the Ask Toolbar in my mental model of the space.

https://news.ycombinator.com/item?id=23172856

[wpietri]

As a Pushbullet user, I think the two cases are nothing alike. Pushbullet is doing things for me. The toolbar plague was about getting access to do things to you. Should Pushbullet be using the minimum set of permissions for that? Sure. Could there be better permission models, ones that make sure Pushbullet doesn't do anything naughty? Possibly! But neither of those justifies a blanket ban.

[benatkin]

I'd like to know what the number of users that directly used Pushbullet in the last day (or week, or month) over the number of users that have the Android app installed is. If they have it installed, everything they copy to the clipboard on Android is being sent to their servers, is it not? That puts them in the same category as Yahoo! Toolbar for me.

At one time Yahoo! Toolbar was useful for a significant percentage of its users, because it would let them know how many email messages they have, as well as give them convenient access to the news and weather - so I disagree that it did nothing for its users.

Edit: I took a look at https://blog.pushbullet.com/2014/08/20/introducing-universal... - it appears it was doing that at one time, but currently it may only be doing that for premium users, who would conceivably be likely enough to get good use the feature that it would justify the potential security risk.

[pgrote]

I am a premium pushbullet user and have it on my android phone. It is the only reliable solution to handle texting and notification from the Windows or Chromebook desktop I have come across.

I've never thought about the information they capture or keep, but I do know photos sent through text are kept on https://dl3.pushbulletusercontent.com for a certain period of time. I don't know how long.

[renewiltord]

You don’t use messages.android.com?

[pgrote]

I know it as messages.google.com. It doesn't work among multiple desktops concurrently.

[renewiltord]

I see. Yes, that is true.

[hodgesrm]

> They have funding from reputable VCs but they require way too much permission and store way too much user data for what seems to be occasionally useful utilities...

Having funding from VCs does not have much connection with security posture in products. If anything the correlation might be negative. Large funds seek market domination, not implementation of specific features.

[Dayshine]

What are you talking about re VS Code?

I maintain an extension which provides a language server. I don't have to register intentions. I get the whole api and I even run a bundled executable which has full read/write/execute access to all your files...

[benatkin]

I think I must have imagined it while making a basic extension and seeing the contribution API. I thought it would be sandboxed. Maybe with Deno floating the idea of code not having access to the network by default...