> My understanding is that a random extension is able to read and send somewhere almost all my data when I read my email, do online banking, etc.

Depends on the permissions requested by the extension but often yes. The permission "Can read all data on any webpage" means exactly that.

> Is there a way to use browser extensions safely?

Yes. Depending on your paranoia/security standards. Here's what you can do (ordered by importance).

1. Use more than one browser (but stay away from proprietary or less popular browsers) and/or use multiple profiles (both Firefox and Chrome have them).
2. Have separate profiles for banking, personal email, work and general browsing. (Also good for productivity.)
3. Banking profile should have no extensions.
4. Use only Mozilla-vetted 'recommended' and 'security reviewed' extensions in Firefox for less important accounts. Check the permissions carefully and see if they're sane. I don't use extensions in Chrome at all since the Google web store does no vetting at all beyond automated scanning. It's the wild west out there.
5. You can be less careful with general browsing profiles as long as you don't log into important accounts. Use Firefox containers (this is more for privacy though than security).
6. If some addon is tempting but not reviewed, I try to review the code (if it's small and readable enough). After vetting, I disable auto-updates. A Greasemonkey script that does equivalent functionality is often preferable since the code is usually smaller and readable. Disable auto-update there too. Otherwise resist the temptation to install too many addons.
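One way to do the permission check from point 4 before installing: read the extension's `manifest.json` and flag anything that grants access to every site. This is an added example, not part of the comment above; `auditManifest`, the short list of sensitive APIs and both sample manifests are constructed for illustration.

```javascript
// Host patterns that match all (or effectively all) web pages.
const BROAD_HOSTS = new Set(["<all_urls>", "*://*/*", "http://*/*", "https://*/*"]);
// API permissions worth a second look during review (a short, non-exhaustive list).
const SENSITIVE_APIS = new Set(["cookies", "history", "webRequest", "clipboardRead", "nativeMessaging"]);

function auditManifest(manifest) {
  const findings = [];
  const flag = (source, value, reason) => findings.push({ source, value, reason });

  // Manifest V2 mixes host patterns into "permissions"; V3 moves them to "host_permissions".
  const declared = [
    ["permissions", manifest.permissions],
    ["optional_permissions", manifest.optional_permissions],
    ["host_permissions", manifest.host_permissions],
  ];
  for (const [source, list] of declared) {
    for (const p of list || []) {
      if (BROAD_HOSTS.has(p)) flag(source, p, "all-sites host access");
      else if (SENSITIVE_APIS.has(p)) flag(source, p, "sensitive API");
    }
  }
  // Content scripts run inside matching pages regardless of the lists above.
  (manifest.content_scripts || []).forEach((cs, i) => {
    for (const m of cs.matches || []) {
      if (BROAD_HOSTS.has(m)) flag(`content_scripts[${i}].matches`, m, "script injected on all sites");
    }
  });
  return findings;
}

// Constructed sample manifest (not from a real extension).
const sampleManifest = {
  manifest_version: 2,
  name: "Enable Paste (constructed sample)",
  permissions: ["storage", "clipboardRead", "<all_urls>"],
  content_scripts: [{ matches: ["*://*/*"], js: ["content.js"] }],
};
// The same kind of tool scoped to a single site: nothing to flag.
const scopedManifest = {
  manifest_version: 3,
  name: "Enable Paste, scoped (constructed sample)",
  permissions: ["storage"],
  host_permissions: ["https://bank.example/*"],
  content_scripts: [{ matches: ["https://bank.example/*"], js: ["content.js"] }],
};

for (const f of auditManifest(sampleManifest)) console.log(`${f.source}: ${f.value} (${f.reason})`);
console.log("scoped findings:", auditManifest(scopedManifest).length);
```

An empty result only means the manifest does not ask for all-sites access; it says nothing about what the extension's code does on the sites it is allowed to touch.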
Of course it doesn't help that it's a finance site that disables paste for which I need an extension to reenable, but at least I'm not letting the rest of my extensions get at my banking web session.