Hacker News new | ask | show | jobs
by derefr 1257 days ago
They're describing the worst-case thing someone could do with the privilege being granted, because they have no way of saying what the developer will do with the privilege.

The way to make the prompt sound less scary, is to use finer-grained permissions where the worst-case thing someone could do is less scary.

(Or, if there aren't any fine-grained permissions suited to doing your task — then propose some! The browser vendors would love to get real feedback on the kinds of fine-grained hypothetical privileges that extensions authors would actually find useful. Otherwise they're stuck reading the source code of a small sample of extensions, and extrapolating general patterns of privilege-use from there.)
6 comments
daveed 1257 days ago
> They're describing the worst-case thing someone could do with the privilege

I understand that - I wrote just that in my comment above. But it's a lot scarier to see a pop-up saying "This extension in the worst case does this", versus the worst-case scenario and a longer explanation. I see from your profile that you're at a web3 analytics company. I'll just say that I think metamask would be a lot less popular if at install-time, the chrome store alerted that it can "make you lose all your crypto savings". Yes this is possible, but there's more to the situation than just a few words, and you can't express that all in an alert() window.

> if there aren't any fine-grained permissions suited to doing your task — then propose some I think that is easy to say, but being subscribed to and reading updates to the extension feedback threads that I've been on for the last few years, I'm not super confident in Google acting on community feedback.

link
TeMPOraL 1256 days ago
The thing is, from the POV of both Google and the user, there is no reason to assume a typical extension doesn't do the worst-case. The browser is just too juicy a target, and it's way too easy to make money on user surveillance / data exfiltration.

People rightfully point out that if you have access to current URL, you technically have access to browsing history. The right approach is to assume you will use it, hence the warning. Unfortunately, the only way to prevent this is to ensure the extension never, ever gets to make a networking request on its own, or populates any field that could become part of a network request triggered made by the site, or another extension.

It's a trust issue. It's not just fear that you might theoretically sell your extension to some unscrupulous third party. I don't know you personally. I have no reason to assume you are not an unscrupulous party. At this point there is, like, four or five extensions I trust enough to use, and it's mostly because they're OSS and it would be frontpage news on HN if any of them deviated from the expected functionality even slightly.

Having much finer-grained permission system would help a little, at the cost of making it incomprehensible to most users; there's a limit past which it's too complicated to be useful. We need actual innovation in the trust space - by which I don't mean crypto zero-trust shenanigans, but rather a system in which I can trust that, should the browser extension or phone app turn malicious, the vendor will be legally liable, and that it's actually enforced - thus disincentivizing malicious apps/extensions.

link
armchairhacker 1256 days ago
tbh I get your point but a lot of scams work because people don't realize. It's better to present the worst case and get people who don't read the fine print to uninstall your harmless extension, than not and have those same people install malicious extensions because "there's no way it can see my browser history, all it does is add an overlay to the current tab!"

Web3 services like MetaMask are primary examples which should have these big warnings, because crypto is rife with scams where someone does something (e.g. open an AirDrop, save their seed phrase in Google Drive) which gives an attacker access to their account without realizing. I don't doubt MetaMask is legit, but you want people to be diligent and understand that whenever they hook up one of these apps to their wallet they are giving a lot of potential for it to be compromised, so maybe be careful and honestly maybe use less of them.

link
criddell 1256 days ago
The longer explanation might be correct in the short term, but long term I’m going to assume that you will eventually either take advantage of all that you can do to maximize your revenue or sell the extension to somebody who buys it because users have given that permission and they can exploit that trust.

I think what Google is doing is correct.

link
jsmith45 1256 days ago
Alternatively, phrase the permission as what the app is technically trying to do, with a warning about what this could be used for.

"This extension wants be able to inject content in any tab. (Warning: This could potentially be used to track history of sites, and access all browsing data)."

That is actually accurate, while the current message is misleading.

Imagine this sort of scheme extended to "root" permission in ChromeOS. The stating worse case vs accurate with warning about worse case would be as follows:

> [Appname] wants permission to steel all your data and brick your device.

and

> [Appname] wants full control of this device. (Warning: this level of access could be used to steal your data, or brick your device).

The first one is most likely untrue, and borders on libel, while the second is true and accurate.

link
Folcon 1257 days ago
> (Or, if there aren't any fine-grained permissions suited to doing your task — then propose some! The browser vendors would love to get real feedback on the kinds of fine-grained hypothetical privileges that extensions authors would actually find useful. Otherwise they're stuck reading the source code of a small sample of extensions, and extrapolating general patterns of privilege-use from there.)

I'm curious, where are people supposed to do this? Is there actually a space / mechanism for this? Or is this a thing they would "like" to exist that there's not really an avenue for?

link
derefr 1256 days ago
I think the avenue is "writing a blog post, posting it on HN, and having enough people agree with you that it'll stick around on the front page for long enough to expect some Chrome/Safari/Mozilla developer to see it."
link
jaredsohn 1256 days ago
A lot of Chrome development is public; check out https://www.chromium.org
link
ilyt 1256 days ago
> (Or, if there aren't any fine-grained permissions suited to doing your task — then propose some! The browser vendors would love to get real feedback on the kinds of fine-grained hypothetical privileges that extensions authors would actually find useful. Otherwise they're stuck reading the source code of a small sample of extensions, and extrapolating general patterns of privilege-use from there.)

We did, related to adblocking, they ignored it

link
ace_of_spades 1255 days ago
Would be interesting if they did the same thing for their own operation. „We collect all data that we can about you, so that we can become a mega corp that can control most of your life.“ Wonder why they don’t do it?
link
arnejenssen 1252 days ago
This is keeping me from installing extensions.
link