by driverdan 4728 days ago
How exactly are ad blocking extensions a security risk?

Blocking at the domain level gives you no control. What if you need to see what a site looks like without ads blocked? I have a few of my own content sites that use ads. By blocking outside of the browser I wouldn't be able to see what they look like to other users.


Because they could be updated and now your whole browser is pwnd.

This is how sites like Compete.com get their metrics.

  > Because they could be updated

So, this is a rally against all extensions? Expanding this argument, we basically get to a point where we don't trust any software:

  1. No more browser extensions.
  2. Want ad-blocking in Firefox? Request feature.
  3. Feature request denied.
  4. Fork Firefox.
  5. Add ad-blocking to Firefox fork.

This leaves us with a couple of issues:

1. The bar to adding functionality to a browser has now been raised significantly. With a larger barrier to entry, we will see fewer extensions for trivial things like 'adding collapsible threads to HN', which can make your life easier, but isn't worth a fork of the entire browser to achieve.

2. Trust. You still have to trust the developer of the browser fork the same way that you have to trust the developer of the browser extension.

>So, this is a rally against all extensions? Expanding this argument, we basically get to a point where we don't trust any software:

Yes. So DON'T expand it. The thing is, third party updatable extensions are far less trustworthy than Firefox.

This is true, but to only trust Firefox means that you only get features that Mozilla adds to Firefox.

> this is a rally against all extensions?

No, it is a rally against extensions which have a non-risky (and arguably superior) alternative.

Risk is a gradient and cumulative. The more risky things you do, the more at risk you are.

Yes. As it has always been for any software.

Host files: as secure as you can get. Whole network.

Browser extension: remote code exploit possibility. Probably not available for mobile. Trusting someone who takes money from Google...

FYI, on mobile, Adblock Plus and Adblock Edge (among others) are available for mobile Firefox.

For how many browsers?

And then they have even less community validation, raising the security tradeoff even more.

There's nothing different from any other extension, so what you're saying is nobody should be using extensions in their browsers. Good luck with convincing people not to do it.

Well, I for one don't use any extensions with Chrome. And not even from security concerns. Just from lack of any interest to do so. Why should I? For some marginal utility?

I'd take it more average people don't use extensions either -- if they know what they are in the first place.

Well, Stallman browses the web by sending emails[1], so he still has you beat :)

But you must realize 99.999% of the population would never do that, and for most people extensions are vital and useful. So giving them such security advice is like saying "oh, personal security is simple - just never have any money and anything valuable and never leave home". Not very practical.

[1] http://www.stallman.org/stallman-computing.html

>Well, Stallman browses the web by sending emails[1], so he still has you beat :)

Well, I browse with Chrome Canary (and when it's in its weird days, Beta), so I'm not any kind of Luddite.

I just don't see any extensions that are that useful. After all, we managed to get by without extensions in the "not using Firefox" camp for ages, until Safari/Chrome introduced them and we could get a taste.

To me they are more like the BS browser toolbars of yore.

>But you must realize 99.999% of the population would never do that, and for most people extensions are vital and useful.

Most people? If anything I'd say most people don't use extensions. From those that use a browser that doesn't support them, to those that couldn't be bothered or don't even know what they are.

Do you have any numbers that "most people" use extensions?

While I'd agree that many plugins have marginal utility, some like Firebug or Lastpass I find to be invaluable.

That's an exception. But I use Chrome, where the "Firebug" kind thing is already installed. If it wasn't, I'd install it as an extension too.

> For some marginal utility?

Yes, this is the point of extensions. Extensions help you and others do things with the browser that the vendor shouldn't really spend time on. Approaching them with the idea that they're useless doesn't really help your argument.

For example, I once wrote a browser extension that extracts class calendar info from the school website and automatically syncs it to the calendar application of your choosing. It turned my class scheduling process from an error-prone 2 hour process to a 3-click 10 minute step. You can label that as a useless, marginal utility, but that's being facetious at best.

Disable automatic updates and review the code before installing any updates manually.

I agree with "disable automatic updates," unfortunately.

But "review the code"? You have no chance.

Although I don't do this on a regular basis, I happen to read many browser extension sources. They're mostly relatively easy to understand and contain no unconventional clever hacks or obfuscated parts. The only obfuscated code in most extensions are minified third-party libraries (like jQuery).

Won't say ABE's code is compact or easy to read, but it's fairly comprehensible and reviewing it in reasonable time feels possible. It is well possible that some tricky security issue will slip under the radar, but code contains no tricky math or crypto stuff where every single point is crucial for security, and spotting malware/spyware code should be possible.

Maybe I'm wrong about this.
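
An added example, not part of the thread or of any extension's own code: one way to scope the "disable automatic updates and review the code" approach discussed above is to compare the installed version with the update, so the review covers only newly requested permissions and files whose hash changed. It assumes both versions are unpacked into directories and carry a WebExtension-style `manifest.json`; the sample extension and its file names are constructed.

```python
import hashlib, json, tempfile
from pathlib import Path

def file_hashes(root):
    """Map relative path -> SHA-256 for every file in an unpacked extension."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in sorted(root.rglob("*")) if p.is_file()}

def requested_permissions(root):
    """Declared permissions plus content-script match patterns from manifest.json."""
    m = json.loads((Path(root) / "manifest.json").read_text(encoding="utf-8"))
    declared = m.get("permissions", []) + m.get("host_permissions", [])
    perms = {p for p in declared if isinstance(p, str)}  # skip non-string entries
    for cs in m.get("content_scripts", []):
        perms |= {"content_script:" + pat for pat in cs.get("matches", [])}
    return perms

def review_update(old_root, new_root):
    """Return what a manual review of the update has to look at."""
    old, new = file_hashes(old_root), file_hashes(new_root)
    return {
        "new_permissions": sorted(requested_permissions(new_root)
                                  - requested_permissions(old_root)),
        "added_files": sorted(set(new) - set(old)),
        "changed_files": sorted(f for f in set(new) & set(old) if new[f] != old[f]),
        "removed_files": sorted(set(old) - set(new)),
    }

def build_sample(base):
    """Constructed sample: two unpacked versions of a hypothetical extension."""
    v1, v2 = Path(base) / "v1", Path(base) / "v2"
    for d in (v1, v2):
        d.mkdir()
        (d / "jquery.min.js").write_text("/* third-party library, unchanged */")
    (v1 / "manifest.json").write_text(json.dumps(
        {"version": "1.0", "permissions": ["storage"]}))
    (v1 / "block.js").write_text("// v1 filter logic")
    (v2 / "manifest.json").write_text(json.dumps(
        {"version": "1.1", "permissions": ["storage", "<all_urls>"]}))
    (v2 / "block.js").write_text("// v2 filter logic")
    (v2 / "stats.js").write_text("// new file in the update")
    return v1, v2

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        print(json.dumps(review_update(*build_sample(tmp)), indent=2))
```

Files with an unchanged hash, such as the minified library in the sample, drop out of the review; a non-empty `new_permissions` list is the first thing to read before accepting an update.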