How secure are extensions in browsers?  

Page 1 of 3 123 LastLast

  1. Posts : 1,656
    Windows 10 Pro x64
       #1

    How secure are extensions in browsers?


    I'm sure we all use a few (I know I do - BitDefender Traffic Light and Windows Defender Browser Protection), but given the recent news about Avast and AVG hoovering up and on-selling user data without permission, I want to start a discussion about whether, in order to make browsers more usable via extensions, we have no choice but to increase our attack surface exposure.

    We know it's good practice to use as few extensions as possible, but even so, a single rogue extension (or a good extension that is hijacked or goes rogue) could make for a bad experience. We are often told to carefully examine the permissions required by extensions in order to use them, but lets be honest, almost every extension (depending on it's purpose) requires your permission to:

    - View your browsing history
    - Read and modify data you copy and paste (password managers for example)
    - Read and change all your data on the websites you visit (adblockers for example)

    Judging whether to install extensions based on the above is quite difficult.

    So, how do we go about better evaluating whether to use a particular browser extension or not? Do you have any tips or tricks you can share about mitigating the risk?

    How can we mitigate against browser AV extensions, that are supposed to provide some security, going rogue?

    Given all the work going into browser development to make them more secure, and the ability to use more secure DNS (e.g. quad9), do we even need them?

    Lets hear it.
    warning   Warning
    NOTE : the purpose of this thread is NOT to discuss or advocate for AdBlocking - this site is funded by adverts, which enables you to participate here for free. Discussions on adblocking is against the terms of use of this forum
    Last edited by Golden; 04 Feb 2020 at 22:33.
      My Computers


  2. Posts : 1,604
    Win 10 home 20H2 19042.1110
       #2

    Good questions Golden!
      My Computers


  3. Posts : 654
    Windows 10 Home
       #3

    Golden said:
    We know it's good practice to use as few extensions as possible, but even so, a single rogue extension (or a good extension that is hijacked or goes rogue) could make for a bad experience.
    Hi Golden. I think that's the best practice of all. In my view, the fewer extensions you install, the safer you are. Most people dont realize that extensions have same rights as the browser and can do everything the browser is allowed to do. It can read your personal files, steal your credentials and phone home your sensitive information and data.

    Installing only extensions that have been around for a long time and extensions that have a lot of users are good tell tale signs that an extension can be trusted. I only install NoScript in Firefox, and personally, I would feel restless if I installed a bunch of extensions as some people do.

    Other things that are important is also where you get the extension. For Firefox and Chromium browser is best to get them from Mozilla and the Chrome store. I think Mozilla extensions are more trustable than the ones in the Chrome store. For some reason it seems is easier to publish a rogue Chrome extensions at the Chrome store than for Mozilla to approve it.

    But regardless of what I just said, it is safer to install extensions that are approved by Mozilla and Google. I would never install any extension that's not approved by Mozilla or Google for their browsers.

    And read comments. Extensions that have lot of users, there is a lot to read about. What other users say is helpful. I never used any Chromium based browser before, until now with new Edge. I think I am going to like it, certainly more than the old one as I never used the old one. I never used old Edge because you couldn't run it sandboxed under Sandboxie and you couldn't use NoScript with it. That killed old Edge for me. With the new Edge you can, so the change is a big win for me. But anyway, for Edge, other than installing NoScript, I have the need for a bookmarks sidebar, and found an extension. It took me a few days before I installed it in my real system, but after following the process I wrote here, I installed it and feel confident that is a good extension.The point here is, that I pondered about whether it was safe or not to install this extension. You have to do some thinking before you install anything (whether is an extension or a program), that's the safe and proper thing to do when you install anything in a computer.

    Bo
      My Computer


  4. Posts : 1,656
    Windows 10 Pro x64
    Thread Starter
       #4

    bo elam said:
    For Firefox and Chromium browser is best to get them from Mozilla and the Chrome store.

    But regardless of what I just said, it is safer to install extensions that are approved by Mozilla and Google. I would never install any extension that's not approved by Mozilla or Google for their browsers.
    I agree completely.

    bo elam said:
    And read comments. Extensions that have lot of users, there is a lot to read about. What other users say is helpful. I never You have to do some thinking before you install anything (whether is an extension or a program), that's the safe and proper thing to do when you install anything in a computer.
    True, but sometimes I wonder if even that is enough.
      My Computers


  5. Posts : 654
    Windows 10 Home
       #5

    Golden said:
    True, but sometimes I wonder if even that is enough.
    The safest thing to do is to basically lock down the computer. Thats what I do. When I get a computer, I know what I want, I know the programs well, install them, and don't switch or add programs, unless you have to. Since the day I got my W10 in July 2017, the only extension or new program I installed was the Bookmarks sidebar extension I mentioned in my previous post. To me is easy to lock down the computer because I dont have the urge to try programs or extensions. But most people can not do that. People like that need a process they should follow before installing anything. What I wrote in my previous post is my process, the one I follow and know it works for me. No one should install extensions just because they sound nice or because their cousin told them it works great, etc, in my opinion, this are not good reasons for assuming that installing an extension is safe.

    In the past, this is not needed much anymore, and I did this to avoid installing the extension in my real system, when I needed to use Flash, I would install the plugin in a sandbox, and use it only during that browsing session. When I finished, I would delete the sandbox. I still do that with a YouTube video downloader. If I want to download a video from YouTube and cant be done using an Online Video downloader, I install the extension sandboxed, and delete the sandbox when is over. It takes seconds and you avoid installing the extensions in your browser.

    Bo
      My Computer


  6. Posts : 1,656
    Windows 10 Pro x64
    Thread Starter
       #6

    bo elam said:
    I dont have the urge to try programs or extensions.
    I use the same approach...I only install stuff if its useful to me, and I feel (within reason) confident that it will achieve for me what I want it to, and not expose me to undue risk.
      My Computers


  7. Posts : 5,373
    Windows 11 Home
       #7

    Golden said:
    I'm sure we all use a few (I know I do - BitDefender Traffic Light and Windows Defender Browser Protection), but given the recent news about Avast and AVG hoovering up and on-selling user data without permission, I want to start a discussion about whether, in order to make browsers more usable via extensions, we have no choice but to increase our attack surface exposure.
    It is also worth to mention, that many of those extensions send data via txt, Emsisoft sends them encrypted.

    Emsisoft Browser Security - Chrome Web Store

    Golden said:
    Do you have any tips or tricks you can share about mitigating the risk?
    Yandex browser has a protected mode to take care of this problem.
    In the protected mode, Yandex Browser disables all extensions other than password managers verified by Yandex. This is to prevent malicious extensions from stealing or tampering with your payment information.
    I am using CleanBrowsingDNS Security (it is pretty efficient), so I do not need AV extensions.
    Attached Thumbnails Attached Thumbnails How secure are extensions in browsers?-capture_02032020_102834.jpg  
      My Computer


  8. Posts : 1,747
    Windows 10 Pro x64 22H2
       #8

    Golden said:
    So, how do we go about better evaluating whether to use a particular browser extension or not? Do you have any tips or tricks you can share about mitigating the risk?
    Unless I'm wrong, browser extensions unlike desktop apps are not digitally signed (ie. do not include certificate),
    the only way we know it's trusted is when installing it from browser store such as google store or MS store.

    But that's it, afterwards, later, there is no such thing as right click your extension and check if't still signed and thus trusted because it's not signed, extension could have been tampered at any point. This can't happen to desktop apps because of obvious reasons and that is the signature will no longer be valid.

    What can we do about this?
    I suppose manually work is needed to implement some checking of extension, but
    the easiest way would probably be to reinstall both browser and extension again.
    If that's not enough, then making a new windows account, should do the trick to regain trust.
    Unless a user works on administrative account, then all bets are off anyway.

    Other parts of your post such as, how many extensions to install and whether to install some extension,
    the answer is obvious, my rules are as follows:
    1. maximum 2-3 extensions
    2. extension *must* be open source

    I want to see what the extension does, and if I need to troubleshoot anything, it should be easier to point a finger
    at some extension if you have only 1 or 2 extensions.

    ATM, I use only ublock origin in Edge-Chromium:
    GitHub - gorhill/uBlock: uBlock Origin - An efficient blocker for Chromium and Firefox. Fast and lean.
    And yes, I regularly delete my Windows account and switch to new account, to eliminate non administrative spyware and
    other malware that could expose my data or privacy.
      My Computer


  9. Posts : 264
    Windows 10
       #9

    As safe as the developers wanted them to be... They could be pretty safe or they could be REALLY bad. It all comes down to the kind of permissions they need and the reputation and intentions of the developer...

    You basically have no control over it.
      My Computer


  10. Posts : 6,230
    22H2 64 Bit Pro
       #10

    Have a read of news this month:
    More than 200 browser extensions ejected from Firefox and Chrome stores

    Firefox ousts almost 200 add-ons while Google detects a significant increase in abuse.

    Source:

    More than 200 browser extensions ejected from Firefox and Chrome stores | Ars Technica

    Then consider:

    How to mitigate the risk.

    Browser Extensions Are a Privacy Nightmare: Stop Using So Many of Them

    Personally I only use extensions that I need and if they are only needed some of the time then they are kept disabled until I actually need them. They are disabled after use.
      My Computer


 

  Related Discussions
Our Sites
Site Links
About Us
Windows 10 Forums is an independent web site and has not been authorized, sponsored, or otherwise approved by Microsoft Corporation. "Windows 10" and related materials are trademarks of Microsoft Corp.

Designer Media Ltd
All times are GMT -5. The time now is 02:25.
Find Us




Windows 10 Forums