by jahlove 2143 days ago
I am too wary of malware extensions to install that many. It is clearly trivial [0] for malware to get into the Chrome store, and Google is not doing enough to make me feel comfortable with it.

Additionally, I know that even as non-malware extensions grow in popularity they are solicited by malware companies to integrate their software in an update. I experienced this first hand with the HoverZoom extension. [1]

[0] https://awakesecurity.com/blog/the-internets-new-arms-dealer...

[1] https://www.ghacks.net/2013/12/26/hoverzooms-malware-controv...


I really wish browsers would change their security model for extensions :\

"all or nothing" is ridiculous as the only option - let me revoke access or restrict it to specific sites. I may not care if X has access to site Y, but giving it access to Z means giving it the keys to my life so hell no. I don't even want to use it on Z.

> "all or nothing" is ridiculous as the only option - let me revoke access or restrict it to specific sites.

Thank you. I've been waiting for Firefox to add this feature for almost 2 years. For a privacy focused browser, this should be a must have, top priority.

I think they have already? In the old days, you just clicked once to install a mouse gesture addon.

Now you have to dig into the settings and give it permission before it will work. At first I found that annoying, but upon reflection, I guess it's a necessary evil.

Edit: I misread the parent comment.

Chrome lets you limit access to a list of specified websites. Right click the extension icon, click "Manage extension", and find the option there.

I wish there was a way to exclude some websites instead! I want most of the extensions like ad/script/etc. blockers to run everywhere, except, say, Gmail.

Excellent, I hadn't noticed that one yet. Yeah, that's a good start.

I only discovered it because I was going to add a similar feature to my Chrome extension, and I was researching to see how others tend to implement it. I was glad to see that Chrome offers the feature natively, and surprised to see that Firefox didn't.

You can add domains to protected sites. No addons will work there.

So if you want no extension to be able to read Gmail, add mail.google.com or google.com to extensions.webextensions.RestrictedDomains in about:config.

It's fairly new (maybe 1-2 years old, I forget), that's probably why you didn't notice it.
Agreed. Like with Pocket's Chrome extension permission model[1] that has a "read everything on all websites", when really it only needs brief access to the URL when I want to save something.

I tried changing the "Site access" setting to "On click" -- but then the extension started acting funny or not working in some cases.

Chrome has added a more limited "activeTab" permission[2], but even that might be too much since it grants control to the tab and continues to allow permission on the same origin.

Like the GP said, even if the extension developer isn't trying to exfiltrate data, they should do more to protect users from a compromise of their extension, and browsers should give them the models to do so.

IMO, good security models can be a foundation forward to better overall security compared to desktop apps since it seems that browsers are becoming an OS of their own.

1: https://help.getpocket.com/article/912-what-permissions-does...

2: https://developer.chrome.com/extensions/activeTab
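As an added example (not code from the thread, from Pocket, or from Chrome), a small Node.js helper that reads an extension manifest and reports how much host access it requests, roughly the way the store's "read your data on all websites" warning does; the manifests below are constructed for illustration, and the match-pattern rules follow Chrome's documented permission syntax.

```javascript
// Added example: classify an extension manifest by the host access it asks for.
// Manifests here are constructed for illustration, not real extensions.

// Match patterns that cover every host (Chrome's documented syntax).
const ALL_HOSTS = new Set(["<all_urls>", "*://*/*", "http://*/*", "https://*/*"]);

// Host patterns live in "permissions" (Manifest V2) or "host_permissions"
// (Manifest V3); API permissions such as "storage" or "activeTab" sit
// alongside them in "permissions".
function declaredPermissions(manifest) {
  return [...(manifest.permissions || []), ...(manifest.host_permissions || [])];
}

// A host pattern is either <all_urls> or "scheme://host/path".
function hostPatterns(manifest) {
  return declaredPermissions(manifest).filter(
    (p) => p === "<all_urls>" || p.includes("://"),
  );
}

// True when the pattern's host part is a bare "*", i.e. it matches any site.
function isBroad(pattern) {
  if (ALL_HOSTS.has(pattern)) return true;
  const m = /^(\*|https?|file|ftp):\/\/([^/]*)\//.exec(pattern);
  return Boolean(m) && m[2] === "*";
}

// "all-sites": permanent access everywhere; "listed-sites": permanent access
// to named hosts; "on-click": activeTab only (current tab, only after the
// user clicks the extension); "none": no page access at all.
function classifyAccess(manifest) {
  const hosts = hostPatterns(manifest);
  if (hosts.some(isBroad)) return { level: "all-sites", hosts };
  if (hosts.length > 0) return { level: "listed-sites", hosts };
  if (declaredPermissions(manifest).includes("activeTab")) return { level: "on-click", hosts };
  return { level: "none", hosts };
}

// Constructed manifests: a "save this page" extension asking for everything,
// the same feature built on activeTab, and a helper scoped to one mail host.
const SAVE_PAGE_BROAD = { manifest_version: 2, name: "Save page (broad)", version: "1.0",
  permissions: ["storage", "<all_urls>"] };
const SAVE_PAGE_MINIMAL = { manifest_version: 3, name: "Save page (minimal)", version: "1.0",
  permissions: ["storage", "activeTab"] };
const MAIL_ONLY = { manifest_version: 3, name: "Mail helper", version: "1.0",
  permissions: ["scripting"], host_permissions: ["*://mail.google.com/*"] };

for (const m of [SAVE_PAGE_BROAD, SAVE_PAGE_MINIMAL, MAIL_ONLY]) {
  console.log(m.name, "->", classifyAccess(m).level);
}
```

Run it with `node` on a manifest.json you have unpacked from an installed extension to see the same classification before deciding whether to keep it.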

In Firefox you can choose for every extension if it is allowed to work in private mode.

But this ties me to using private mode every time I visit an important site. This is not what I want.

You could fork the extension and modify it for your own usage.

While true, you can say this about anything which doesn't have any permissions system too. Why worry about end-user security, they can just fork and modify.

which means, effectively, that it becomes a 0.001% or worse event. arguably the whole point of privacy-focused (or even -aware) software is to increase that beyond "fork and modify"'s ratio, as far as possible, because it doesn't work in practice for the vast majority of the globe.

Yes, this - absolutely. Every extension you install is another potential risk/attack vector. Consider the sources carefully and run the least number of extensions possible. Each one potentially has control of your browser, so choose accordingly.

Lately I ended up running far fewer extensions than I used to, and actually looking at their source first.

I think the only closed-source extension I run is LastPass, and I'm evaluating open-source alternatives.

How do people who cannot read code even cope, I don't know.

+1 for Bitwarden. Of all the things not to trust closed source software with, passwords are the main one.

I signed up for LastPass a couple of weeks ago, and they started sending me spammy emails every single day. I went into account settings and disabled the emails, and they kept coming. I opened a support thread on their forum, linking many other similar threads going back several years, and saying that they have to fix this under GDPR... Silence.

I deleted my account and switched to BitDefender. Still getting the LastPass emails though, whenever I check my spam folder.

Also, LastPass slowed my Android phone a lot. BitDefender doesn't seem to do that.

In short, my recommendation is: stay the hell away from LastPass. They can't even handle an email system, I don't trust them at all to handle my passwords.

> Also, LastPass slowed my Android phone a lot.

Their Windows application was also painfully slow.

I paid them for years but I no longer trust them, it seems to me they are incompetent as an organization even if the people who work there might or might not be smart.

You meant to say Bitwarden? AFAIK Bitdefender is an antivirus.

Oops, yes. Thanks.

Can you list those open source extensions you run? I think this could help a lot to cope...

I can't count the times I have heard good things about an extension, went to the Chrome store page and... "asks to read your data on all websites".

Hard pass.

I can't prevent the apps/OSes I use from gathering data about me, but that's at least one vector (although sadly a small one) I can do something about.

Isn't this true, to some degree, with all software distribution channels? Weren't CCleaner and FileZilla hacked to distribute malware alongside the main payload?

Unvalidated auto-update really is an anti-pattern. Giving arbitrary third parties the power to install and run software on your system in perpetuity is a massive attack vector. Most software doesn't represent a large enough active and ongoing attack surface that auto-updates would be a net positive.

Just yesterday I ran into an invisible layer right here on HN when replying with a comment that opened a new page when I tried to click on something.

I disabled all extensions that I don't commonly use and am watching for now, but I have no idea how to actually tell which one did it (many of them were recently updated due to a Chrome change on August 6th or something).