6

As has been discussed in this answer, a flaw with the Chrome Web Store is that an honest-but-naive developer may sell a popular browser extension to someone like Techno SoLotions, assuming that Techno SoLotions wants to continue developing the extension, only to discover later that the new "developer" actually just wanted to turn the extension into adware or malware. The current users of the extension receive an update that helpfully introduces extra ads into every page you visit, while maybe introducing a few security exploits.

In other words, it's not enough that the developer and extension are trustworthy now. For an extension to be "safe", you have to somehow determine if future versions of the extension will also be safe.

The real solution may be for Google to take more responsibility for its "store", but what can a user do? All I can think of is:

  1. Don't install extensions at all - Seems impractical, along the lines of "never install any software"
  2. Don't allow extensions to install updates - would this be a security risk in itself?
  3. Only install updates from developers who (in addition to being trustworthy) have committed to never sell their extension - I have never seen such a commitment myself
  4. Carefully review changes when an extension asks for new permissions - This only works for extensions that can't already "read and change your data on any website you visit" already

Is there a better way to be reasonably sure that my extensions will stay faithful? Or is it time to say goodbye now while we're still friends? I just don't want to get hurt again...

browly
  • 2,100
  • 2
  • 13
  • 21
  • i like to quickly peruse the source of the extension before i install it, but i suppose not everyone's a webdev. – dandavis Jun 16 '17 at 14:55
  • 2
    @dandavis The question is about updates; at install it does what it says on the box. Do you read the new source each time an update is issued before allowing? (a version of number 4 and 2) –  Jun 16 '17 at 15:18
  • 1
    @notstoreboughtdirt: yes, when in doubt I review the updates, which has led me to keep a sparse set. with popular stuff like abp and tampermonkey, no; I trust it + public outcry. By default I keep most extensions disabled until needed, bookmarking `chrome://extensions/` makes that easier. – dandavis Jun 16 '17 at 15:57
  • @dandavis: my experience has been that updates are silently installed, so I do not know to check that the updated extensions are still OK. Is that correct, or am I ignoring some notification? – user108903 Feb 05 '21 at 14:02

1 Answers1

3

Unfortunately, there isn't a good-enough way out of this situation. This logic extends to every piece of software we use on our computers and phones - not just Chrome extensions.

With browser extensions (Chrome & Firefox), I use as less of them as possible, install only those I think I can trust, and keep reviewing this list as often as I can (once a month or so) - whether I can still trust them. Even this has its pitfalls - but I use "my best guess / judgment" to make this decision - knowing full-well that it might not be enough. In effect I use a combination of your options #1 and #4.

But then I can't afford additional due diligence. So that's where it stops.

Sas3
  • 2,648
  • 9
  • 20