[HN Gopher] Detect when your installed Chrome extensions have ch...
___________________________________________________________________
Detect when your installed Chrome extensions have changed owners
Author : ben_s
Score : 254 points
Date : 2024-03-06 19:21 UTC (3 hours ago)
(HTM) web link (github.com)
(TXT) w3m dump (github.com)
| maurice2k wrote:
| Question is if this extension detects having changed owners
| itself? Maybe something else, not an extension, would be better
| suited for that kind of check, although of course more complex I
| guess.
| kosolam wrote:
| Yep. Maybe a website that tracks them and sends email or other
| notifications
| mfrisbie wrote:
| Creator here. It does self-detect (chrome.management.getAll()
| returns all installed extensions), but fair point.
| jaredsohn wrote:
| This is how you make an extension that you can resell for big
| bucks. People looking to buy extensions will need to buy
| popular extension checkers first so they can do so undetected.
| /s
| dsp_person wrote:
| Won't the damage be done by the time you detect it? Extensions
| auto-update by default and there are only hacky ways to prevent
| this. This has always bothered me since just because I trust an
| extension now, doesn't mean I'll trust the next update that gets
| automatically applied.
| abhinavk wrote:
| Thankfully Firefox has per-extension toggle for auto-update.
| dsp_person wrote:
| Oh nice, TIL. Another push for me to switch to ff
| re wrote:
| At least I think it's pretty rare for a sold extension to be
| turn malicious in a way that it could do permanent damage, such
| as stealing your passwords. It's usually more along the lines
| of excessively invasive tracking or injecting their own ads;
| while I absolutely wouldn't want that normally, I probably
| wouldn't lose sleep over it if I learned that it had happened
| for 24 hours before I uninstalled the extension. That being
| said I would definitely like a better solution to this problem.
| snerdapp wrote:
| Great work! I hope Google/Mozilla and others will built this
| functionality into the browser itself someday so the user can
| make an informed decision.
| int_19h wrote:
| This should be something built-in for every browser, and updates
| should be automatically disabled as soon as owner changes.
| harkinian wrote:
| Extension updates shouldn't be automatic to begin with imo.
| Chabsff wrote:
| Unfortunately, it's been established for a long time now that
| users cannot be trusted to perform updates by themselves, no
| matter how naggy you get about it, even for the most critical
| of security fixes.
|
| Automatic updates, again unfortunately, are critical to
| safety.
| Blackthorn wrote:
| Users often don't want to perform updates because the
| updated version is worse in some way. That it has a
| security impact is unfortunate, but that's how it is.
| harkinian wrote:
| I had an extension update itself and partially stop
| working. There's no way to go back to a previous version
| unless you happen to back up the old files.
| jasonjayr wrote:
| And these automatic updates are often abused to remove or
| change features, or generally "enshitify" things. Which
| breaks trust and we are back to square one.
| woliveirajr wrote:
| Critical to the user safety? Well, that's not a problem.
|
| Critical to the safety of some site/other users? Then the
| problem is a bit deeper, as my computer/software shouldn't
| be able to affect someone else.
| TeMPOraL wrote:
| Find a way to do security patches without restarting the
| application or interrupting user's work, and keep
| featuers/enshittification updates separate from security
| patches - and then people will not mind auto-updates. Hell,
| you could just apply them and not even ask anymore.
| ifyoubuildit wrote:
| This attitude is a large part of what I find so repulsive
| about tech today. You are a guest on my machine. No matter
| how much you think you know better than me (even if you're
| right!), you don't get to make decisions like that. You can
| ask nicely, and if you can convince me that something needs
| to be done, I will decide to do it.
| ssl-3 wrote:
| Why, sure. And I'll bet you prefer to do your own vehicle
| maintenance, too.
|
| But automatic updates aren't for you or me, or any of the
| other geeks here.
|
| They're for everyone else.
| bakugo wrote:
| My device is mine, not everyone else's. It's not your
| decision to make regardless of whether or not you think
| it's best for the "greater good".
| ssl-3 wrote:
| You're not wrong.
|
| Fortunately, you have choices. You can choose to avoid
| software and operating systems that feature automatic
| updates.
|
| You can even write it yourself, if you wish: You're
| absolutely empowered to be absolutely in control of your
| things.
|
| There's nothing stopping you.
| ifyoubuildit wrote:
| Practically speaking, we have the choices that one
| monopoly or another offers us, and only so long as those
| choices are convenient for them.
|
| I do avoid corporate overreach where it's practical (I
| have a dumb TV/vehicle/appliances/etc), but there will
| come a day when it's impossible to participate in society
| without giving in.
| ssl-3 wrote:
| Life is whatever you want it to be.
|
| There's plenty of ways to get through life that don't
| involve computers or software or television.
|
| You _can_ choose differently than you have.
| Chabsff wrote:
| Yep.
|
| That being said, I really like VS Code's approach of
| having auto-updates enabled by default, but making a
| switch to turn off the feature available for nerds like
| us who care.
|
| That's the model to follow in my book.
| ptx wrote:
| It has also been established that vendors cannot be trusted
| to refrain from bundling unwanted feature changes (and
| sometimes straight-up malware) with their security updates,
| so it's no wonder that users might be reluctant to install
| such updates.
| ryandrake wrote:
| Yes, this is the reason I do not enable automatic updates
| (in general, not just browser addons), and that software
| updates are so frustrating.
|
| If there was a way to specify I _only want_ security
| updates and bug fixes and I _do not want_ new features,
| UI redesigns, and so on, I would always update and maybe
| even turn on automatic updates. Software companies have
| no excuse--we have sophisticated version control software
| that allows you to manage multiple branches easily. Every
| software should have a maintenance branch and a "new
| shit" branch, and should allow both kinds of updates.
| chatmasta wrote:
| > I only want security updates and bug fixes
|
| Just FYI, for iOS updates, you can in fact opt into these
| release channels separately.
|
| Go to Settings > General > Software Update > Automatic
| Updates. You will see two separate toggles, one for "iOS
| Updates" and another for "Security Responses & System
| Files."
| bakugo wrote:
| > Unfortunately, it's been established for a long time now
| that users cannot be trusted to perform updates by
| themselves, no matter how naggy you get about it, even for
| the most critical of security fixes.
|
| So let them not update. It's not your device, it's theirs.
| Mind your own business.
| mtlmtlmtlmtl wrote:
| Problem is every single update claims to be security fixes,
| like for Android. Now I realise almost any bugfix can be
| construed as a security fix, but I've never seen an Android
| update that doesn't claim to include security updates, and
| I've never seen one that goes into any kind of detail(in
| the pop up prompt that is) on what any of the updates
| entail.
|
| Probably some of those were critical, and some of them were
| completely unlikely to affect real world security. As a
| user, how do I know when to take it seriously and when not
| to? All I'm told by the UI is that every single update they
| push "improves security and performance".
| bossyTeacher wrote:
| This if the ToS problem. Tell me, of the many services
| you use and products you own, how many ToS have you read?
| 3%? 10%? Probably less than 2%. Changelogs and release
| notes have the same problem. They take time to create,
| edit and review and no one who matters reads them. Why
| would they spend their time on it?
| mtlmtlmtlmtl wrote:
| I get your point, but changelogs can often be generated
| semi-automatically from VCS.
|
| And I realise I'm not the typical user, but I actually do
| read(skim) TOS just to see if there's any centipad like
| stuff. Most of it is just boilerplate and you get pretty
| quick at finding the substantive parts with some
| practice. Of course TOS/EULA are hard to read for most
| people by design. They don't actually want you to read
| it. If they did, they'd offer a summarised version
| without all the legalese boilerplate.
|
| I get the same feeling about changelogs. They probably
| have one internally if they know what they're doing. It
| may even be online somewhere if I go looking. I can only
| surmise that for whatever reason, they don't want me to
| read it, which doesn't inspire trust.
| harkinian wrote:
| Are outdated Chrome extensions really attack vectors?
| They're very sandboxed. I'd be way more concerned about the
| update itself being malicious, especially for simple
| extensions that shouldn't really need updates.
| Chabsff wrote:
| Pedantically, outdated Chrome extensions make for a poor
| attack vector in the first place because the majority of
| users get automatic updates, including being
| disabled/removed by Google themselves if the dev is gone
| and a problem is found.
| Klaus23 wrote:
| Anyone who has had to administer anything user-facing will
| tell you that some users will ignore any warning. Updates
| need to be automatic and mandatory. You can give them a grace
| period, but you have to force the issue after a while, or
| users will delay the update prompt every 15 minutes for
| months.
| smallmancontrov wrote:
| ...says the 1st party, in a world where 1st party malware
| is a serious problem.
| downWidOutaFite wrote:
| Anyone who has owned a cloud connected device or software
| will tell you that companies cannot be trusted with remote
| access, they will abuse it every single time. And they'll
| have the useless cargo-cult security industry telling users
| that it's "best practice" and for our own good while their
| companies are spamming us or spying on us or removing
| features or outright hacking us or taking away access to
| our own data while they sell it to third parties and try to
| lock us into their ecosystem.
| Klaus23 wrote:
| It was not my intention to defend large corporations and
| their sleazy practices. I just wanted to say that the
| average user cannot be trusted with an easy option to
| ignore updates, especially when it comes to security.
|
| Users will do things like ignore updates and then trash
| you on the internet or spam your support because the
| software no longer works properly with service xyz. We
| regularly hear about major hacking incidents where
| internet-facing software hasn't been patched for years.
| Things like this will give your company a bad reputation.
|
| I think the best compromise is to have automatic updates
| by default and a slightly hidden option in the menu to
| turn them off. If the user goes out of his way to turn it
| off, then it is his own damn fault, but if you make it
| too easy (like presenting it with every update prompt)
| you are courting disaster.
| harkinian wrote:
| Nope, annoying forced update stuff goes in my trash.
| Already said bye bye to Windows for this reason. If your
| thing is gonna update itself, it can't disrupt me or make
| itself worse.
| Klaus23 wrote:
| There should always be an option to turn off automatic
| updates (unless we are talking about a corporate
| network), but the option should be opt-in and require
| some initiative on the part of the user. If the option is
| presented together with a prompt to update, users will
| simply turn it off without knowing what they are doing.
|
| If it is in an options menu, power users can choose to
| turn it off, but normal users will probably never find
| the option.
| harkinian wrote:
| I agree for most software in general. Mac updates are
| auto by default iirc, and that's good. Just not Chrome
| extensions. The risk of attacks by the owner seems much
| higher than the risk of attacks by websites on outdated
| extensions.
|
| And the problem with Windows is you can't really turn
| minor updates off, it nags you a ton about major ones,
| and the updates basically just make it worse.
| blep-arsh wrote:
| Not every computer is a part of managed corporate
| inventory. And some suppliers will happily ignore any
| issues their updates are causing. E.g. forced Windows
| feature updates can just disable a computer by throwing out
| essential but unsigned drivers.
| Klaus23 wrote:
| This is more of a technical problem. If your update
| either breaks something or leaves gaping security holes,
| then there is no good solution. I think I would rather
| inconvenience a customer by turning off functionality
| than leave a bad vulnerability unpatched, but delay an
| update if it is not security related.
| bmacho wrote:
| Why is this downvoted?
|
| I am shocked, people actually think that automatic updates
| are _very good_? Because for me, it is trivial that automatic
| updates are _very bad_. One of the greatest security risk of
| extensions are due to automatic updates, they can 't be
| verified, since they change.
|
| edit : BTW I've submitted a related submission about Guerilla
| Script, a userscript injecting engine, where userscripts are
| not even updateable:
| https://news.ycombinator.com/item?id=39620863 This is the
| ideal way of safe extensions IMO
| Chabsff wrote:
| I don't think anyone (at least not me) is claiming that
| auto-updates are _very good_. However, I will argue 'till
| the cows come home that they are better than the
| alternative in many cases.
|
| Installing software in the first place is placing a _lot_
| of trust into whoever made that software from the get-go.
| There are a myriad of ways a bad vendor can abuse a
| software installation without having to involve auto-
| updates. Singling that as a specific abuse vector that 's
| orders of magnitude worse than giving filesystem access to
| an opaque binary just doesn't make much sense to me.
|
| If I don't trust a vendor enough to allow auto-updates,
| then I don't trust them enough to install the software in
| the first place (dev dependencies notwithstanding for
| obvious reasons). Combine this with the well known fact
| that optional updates just don't get installed, and the
| cost/benefit calculus of the feature becomes not that hard
| to motivate.
|
| Fwiw, I also think that a switch to disable the feature
| should always be present for those of us who care.
| harkinian wrote:
| Well if you complain about downvotes, it'll only bring more
| downvotes ;)
| danShumway wrote:
| I don't advise turning this on because I think automatic
| updates in most cases are preferred to manual updates for
| most users. However, in Firefox you can in fact disable
| automatic updates on a per-addon basis. So you can have the
| addons that you trust automatically update, but for the
| addons that you're less sure about or that basically already
| work, you can just turn off updates for them.
|
| Just go to about:addons, click on the addon you want to
| change, and then swap "Allow automatic updates" to off. You
| can also change the default behavior to not automatically
| update except for individual addons that you override
| (although again, I don't recommend it for most users).
|
| I don't believe you'll get notified about updates (correct me
| if I'm wrong), which isn't ideal, so you'll have to
| periodically go and check for updates yourself.
| chatmasta wrote:
| I believe Firefox at least alerts you when an extension
| update has changed the permissions it requests (and you need
| to accept the new permissions). Of course, there are many
| cases where malicious code doesn't require new permissions.
|
| I'd also prefer more visibility into updates. Enabling auto-
| updates might be okay, if there's a way to opt out of it, and
| if the updates were significantly more visible. I want to see
| a big modal when one of my extensions has updated, and
| ideally I'd be able to see the diff of its source code. But
| even without that, just knowing it updated would be enough
| for me to unpack the CRX and check for myself (like I did
| when I installed it originally).
|
| Disclaimer: I run exactly two extensions in my main browser:
| uBlock Origin, and Little Rat (monitors network requests of
| other extensions). I have a separate Canary browser for web
| development where I install other extensions I might need.
| biggestfan wrote:
| The ideal solution would be similar to when an extension asks
| for new permissions: disable it with a pop-up that informs you
| of the change and allows you to re-enable it.
| thekombustor wrote:
| I believe this is how firefox behaves.
| marwis wrote:
| Recently my favorite open source mouse gestures extension
| SmartUp Gestures was taken over by some shady entity (with
| github no longer being updated of course).
|
| I opened Chrome ticket that they should ask to re-enable
| extension when ownership changes. They just closed the ticket
| replying with this link:
|
| https://chromium.googlesource.com/chromium/src/+/main/extens...
|
| :(
| josefresco wrote:
| To combat this wouldn't malicious extension buyers simply keep
| the developer name the same? Or is developer name strictly
| policed by the Chrome Extension store?
| Sephr wrote:
| This would likely be against the Chrome Web Store terms of
| service.
| chatmasta wrote:
| They could just purchase Extension Author LLC with the
| extension being one of its assets, and there would be no need
| to notify Google of the change in control.
| ytx wrote:
| Also there's not much practical defense to an unscrupulous
| extension author "exiting" with an under-the-table password
| transfer or "oops we got hacked" to a shady buyer.
|
| <tinfoil hat> One could imagine a nefarious state actor
| offering the author of e.g. uBlock $XX million to get access to
| a lot of browsers. Not sure about the economics, but more niche
| extensions could probably be targeted for a lot cheaper.
| usrusr wrote:
| True, but at least it would require the exiting party to not
| have any illusions about what they are doing. I'd be
| surprised to hear that most extension takeover bids are open
| about their plans.
| screamingninja wrote:
| How will I know when this extension changes owners?
| barryrandall wrote:
| With a change detector change detector.
| jaredsohn wrote:
| Could install another extension change detector and hope they
| don't both change owners at the same time.
| odyssey7 wrote:
| How many change detectors to mitigate against 51% attacks?
|
| Realistically, even with this extension functioning as
| advertised, there are still plenty of related risks. E.g., a
| software company could disguise its motives early on and
| convert its product into malware at a later date, or the
| developer could be paid by a 3rd party to add certain
| features.
| p0w3n3d wrote:
| An extension to detect that other extensions have changed their
| owners. What happens when this extension changes its owners?
| michael9423 wrote:
| That will clearly require a new extension that monitors "Under
| new Management".
| bossyTeacher wrote:
| Glad someone noticed that
| bmacho wrote:
| Pro tip: don't use chrome extensions. They are a trivial and huge
| security risk. Similar how random exe was some years ago, only
| much worse. Use tampermonkey scripts instead.
|
| Tampermonkey scripts are - open source and easily
| modifiable - permissions are firmly controlled - you
| can disable auto update
| CobrastanJorji wrote:
| But I want to use extensions! Extensions do so many useful
| things that go beyond what scripts with fewer permissions can
| do. I want a utility that handles screenshotting sections of
| pages. I want a thingy that tracks the price history of
| products on Amazon so I know if something is real on sale or
| fake on sale. I want a thing that makes ssh sessions clickable
| for my weird internal ssh thingy. I want the stupid and
| experimental web mashup extensions that add weird stuff like "a
| chat room for every website you visit so you can chat with
| other people using that website." Well, okay, I don't want that
| last one, but I want it to exist.
| FredPret wrote:
| These things worked well when the internet was a toy.
|
| Now it's no longer a good idea because that same browser is
| also:
|
| - your bank,
|
| - likely your point of contact with the government / tax folk
|
| - the place you do your shopping
|
| - the portal for most of your communications with the rest of
| the world
| bossyTeacher wrote:
| The price for convenience is security. If you are willing to
| hand your digital life to others, you will gain the
| convenience that you seek. You are seeking to become a
| digital king by gaining digital servants that handle every
| aspect of your life. The day one of them betrays you, it will
| be painful for you at the very least
| screamingninja wrote:
| Your point stands in case of any browser, but I am still
| curious: Why use Chrome at all?
| paulryanrogers wrote:
| As the web becomes more of an OS this becomes increasingly
| absurd. Extensions are becoming like apps, and they can be
| synced across machines.
|
| TM still requires trusting their extension and script authors.
| croes wrote:
| Tampermonkey itself is a browser extension and closed source,
| so you have the same problem if the ownership changes.
| Retr0id wrote:
| > permissions are firmly controlled
|
| Not meaningfully. A tampermonkey script has complete access to
| the information in a webpage it runs in. This is necessary for
| its operation and not something I have a problem with, but I'd
| never say its an improvement in terms of security.
| Retr0id wrote:
| Further, there's no requirement that a tampermonkey script be
| open-source. They _usually_ are, but so are the regular
| extensions I choose to install.
|
| I don't know about chrome, but Firefox also allows automatic
| updates to be disabled on a per-extension basis.
|
| I'm a fan of userscripts but lets not pretend they're
| magically better.
| bmacho wrote:
| There is a block and allowlist for which sites can it run.
|
| For example Firefox can't even control on which websites the
| extensions run. This is stupid and bad. Tampermonkey just
| does this thing right too.
|
| Edge at least has an allowlist, if I'm not mistaken.
| Retr0id wrote:
| The permissions to run scripts in the context of a webpage
| (i.e. full access, what tampermonkey does) are gated on a
| per-site level.
|
| E.g. here's the "bypass paywalls" extension requesting
| permission to inject content scripts into particular
| domains sites: https://github.com/iamadamdev/bypass-
| paywalls-chrome/blob/c6...
| bossyTeacher wrote:
| You forgot that Tampermonkey itself is an extension and has the
| same problems that you mentioned
| codedokode wrote:
| I never install extensions because nobody checks them and it is a
| security risk. Also, they might contain telemetry and spyware.
| odyssey7 wrote:
| Is this an issue that's worse for Chrome than for other browsers?
|
| The only browser extension I use is HonorLock, an exam proctoring
| software that I'm required to use. Its extension is for Chrome
| only, so I use Chrome from time to time out of the requirement to
| use HonorLock. If I visit the install link in Safari, it tells me
| to install Chrome: https://app.honorlock.com/install/extension
|
| I'm wondering if there's something unique about Chrome's
| extensions that both supports HonorLock's use case and makes this
| submission's linked resource more helpful.
| ponector wrote:
| Only use honorlock? How can you live without AdBlock?
| codazoda wrote:
| Sounds like Chrome isn't their daily driver. Firefox blocks a
| lot of ads by default in Strict mode. That's what I use, so I
| haven't used AdBlock for a long time.
|
| I also have a Pi-hole on my home network.
| odyssey7 wrote:
| Yep, you got it. I just generally don't use Chrome unless
| I'm taking an exam that requires it.
| harkinian wrote:
| It's just that Chrome is the most popular browser and thus the
| chosen extension attack vector.
| chatmasta wrote:
| The extension ID is derived from a private key that the developer
| uploads with the first upload to the app store, and the ID will
| change if any subsequent uploads include a different key.pem in
| their zip file (but if there is no key.pem then the extension ID
| will remain the same).
|
| Therefore, if the extension ID changes, it's possible the owner
| changed. However, it's also of course possible (and even likely)
| that the original owner might transfer the private key to the new
| owner. And since Google doesn't require each upload include the
| private key, then the new owner could push changes without even
| needing access to that key.
|
| I find the extension ecosystem fascinating and I'm also working
| on some tools for this space ([0]: warning, WIP hobby code). For
| example, I want to create a GitHub repo that targets a specific
| extension, tracks its updates, and pushes each one as a change to
| the repo. And then I can run static analyzers on the code after
| each update, and also some runtime taint analysis I've been
| experimenting with (e.g. tracing user inputs into dangerous sinks
| like eval or postMessage).
|
| [0] https://github.com/milesrichardson/crxmon
| thisislife2 wrote:
| One of my Opera (Presto web engine, European owned) extension
| was featured on the front page and became very popular.
| Somebody wanted to purchase it from me for a good amount.
| During the negotiation, I said I would take down the extension
| and provide all source code to them so they could distribute it
| themselves. They said they expected me to hand over my Opera
| extension account credential too to them. Long story short, I
| backed out.
|
| So yeah, I support your assertion that while something like
| this is somewhat useful, a better thing would be some kind of
| malware scanner for extensions.
| croon wrote:
| While I too would back out from anything requiring giving
| away credentials, is there no other way to transfer
| ownership? A charitable interpretation could be that they
| wanted to also buy the "popularity" of the extension simply
| for discoverability.
|
| But it's equally easy to envision nefarious reasons of
| course.
| ozim wrote:
| My bet is that code on its own with due respect is most
| likely easy to replicate. Couple months of dev work and
| most likely done.
|
| User base and trust doesn't work that way. I cannot hire 10
| devs to replicate years of building trust and brand
| reputation.
|
| My idea is that non-nefariously buyer discounted code part
| and valued trust and user base.
| nemomarx wrote:
| Should you be able to transfer trust and userbases that
| way? It feels like usually acquisitions trying to do this
| create a worse experience for users in some way or
| another.
| geoelectric wrote:
| Unfortunately, it probably even makes sense that they'd want
| that for non-nefarious reasons.
|
| If you shut down your extension and they had to put up their
| own copy, they'd have to re-acquire your installed base. That
| could be a sharp decline in value to them, particularly if
| the extension mostly got popular off a one-time front-page
| feature rather than via gradual discovery with active word of
| mouth.
|
| The chance that people jump through all the hoops to impulse-
| install again twice is low. They'd have to _really_ like your
| extension, even if your version notified them of shutdown of
| yours and availability of the new one. Growing an installed
| base is generally more a factor of not chasing your users
| away than explicitly doing things to retain them. That change
| would chase them away.
|
| In an ideal world, you'd be able to officially transfer the
| single extension to a new owner while keeping all the
| installed users--preferably with a notice dialog enforced by
| the browser popping up to tell the user the ownership changed
| and offering them a chance to uninstall. That would also
| chase some users away, but it's sort of the ethical minimum
| (hence this HN post).
|
| But I doubt many browsers, if any, work like that.
| mellutussa wrote:
| If someone is buying your extension with wicked, dark and
| nefarious intentions, he's gonna want the private key too.
|
| Pretty much everyone is going to agree, with the only
| individual difference on how much you have to pay.
| FredPret wrote:
| I installed adblock many years ago and loved it.
|
| Then I got a new machine and had to reinstall it. For the first
| time I had a look at those permissions. Insanity. It's only
| logical that it should be able to see what I see to block the
| ads, but I never stopped to think about that.
|
| Now I have a pihole and zero extensions.
| ralphist wrote:
| Safari has a special interface for content blockers to work
| without any permissions. They provide blocklists and the
| browser does the blocking itself. [1] Don't know if that's an
| option in Firefox.
|
| https://developer.apple.com/documentation/safariservices/cre...
| Scion9066 wrote:
| Yep, Firefox and Chrome have declarativeNetRequest:
|
| https://developer.mozilla.org/en-US/docs/Mozilla/Add-
| ons/Web...
|
| Ublock Origin Lite uses it for example.
|
| (It's also the thing everyone is angry at Chrome for as their
| 'plan to kill ad blockers' by replacing the current blocking
| APIs with declarativeNetRequest.)
| danShumway wrote:
| This is kind of an important point with Manifest V3: having
| more permission options is a good thing. It's good that
| declarativeNetRequest exists. Active Tab permissions are
| cool, I love being able to scope extensions to specific
| domains. Non-persistent background pages are a nice
| performance/security feature. The only problem with
| Manifest V3 is that Google is shutting down everything else
| and removing other APIs.
|
| Safari's extension model kind of goes in its own direction,
| but it's based on similar principles to Manifest V3 and my
| contention with it is the same -- it's not a problem that
| you can build a permission-less adblocker in Safari, that's
| good. It's a problem that you _have to_ , because getting
| rid of those permissions makes adblockers slightly less
| effective, which may or may not be worth it for every user.
| I can say with relative certainty that there is no
| adblocker on Safari that is as powerful as uBlock Origin on
| Firefox.
|
| People bundle criticism of Chrome under the Manifest V3
| label but aside from some more techy-type complaints around
| how Service Workers are being handled, in my experience at
| least a lot of Manifest V3 is _really good_. What 's not
| good is that Chrome used Manifest V3 as an opportunity to
| get rid of a lot of other important APIs. So you don't see
| the same criticism levied at Mozilla because with Firefox
| you get most of the same benefits of Manifest V3 (and some
| additional benefits, Firefox's event-system is imo a better
| way to handle temporary background pages than Chrome's
| service-worker system) without the downsides of Chrome
| removing blocking web requests for the extensions that need
| them.
|
| I'm using Manifest V3 for private extensions that I
| maintain for myself on Firefox. Manifest V3 is great and I
| enjoy trying to cut down my permissions as much as I can
| even though I'm basically just running the code myself. But
| none of my private extensions would work in Chrome or
| Safari or would be portable to either browser; they lack
| the APIs that I need and don't have any realistic
| equivalents.
| UberFly wrote:
| Which adblock extension are you referencing here? Ublock for
| instance uses local block lists.
| demondemidi wrote:
| What do you do on mobile?
| Scion9066 wrote:
| That's one of the reasons behind the permission changes coming
| in Manifest V3: to reduce what extensions have access to in the
| first place. Some extensions may be open-source and trustworthy
| but there are many that aren't and people seem to have trouble
| vetting them.
| danShumway wrote:
| Note that a Piihole will not be as effective at blocking ads
| and trackers as uBlock Origin will be. But it's good to have
| the option for people who want it, different people have
| different risk profiles and concerns.
| redbell wrote:
| This is really useful, although, as another commenter said, this
| should be a built-in feature.
|
| A question I got regarding this extension, as I didn't take a
| deep dive into the source code yet: Does it automatically notify
| you (not necessary in real-time but at least in startup) of
| ownership change or you need to manually trigger a _check_
| command?
|
| A few months ago, a story on this topic was trending:
| https://news.ycombinator.com/item?id=36233068
|
| From the top comment of the above story:
|
| " _I think it would behoove Firefox and Chrome to change their
| policies around automatic extension upgrades in these scenarios:
| if an extension discloses a change in ownership, then upgrades
| should require user approval. If an extension fails to disclose a
| change in ownership, then users should be able to report it as
| malicious._ "
|
| As a side note, probably the title should be prefixed by "Show
| HN"
| mfrisbie wrote:
| Creator here. A check automatically runs every hour, and if
| there are any changes detected, a badge appears over the
| extension icon. I decided anything more than that was too
| invasive.
| redbell wrote:
| Indeed, periodic checks with a well-thought-out interval do
| make sense. Well done!
| INTPenis wrote:
| Weird thought here but maybe the distributor of chrome extensions
| should not allow one extension to change owner? Doesn't make
| sense to me.
|
| I don't use chrome though. I wonder how Firefox handles it.
| Retr0id wrote:
| It'd be neat if there was a way to install an extension from git,
| including getting notified of updates and an easy way to install
| said updates. The current UX around installing extensions "out-
| of-band" is poor (in both firefox and chrome), I wonder what it'd
| take to improve things.
| bhpm wrote:
| Tracking the ownership of your Chrome extensions sounds
| exhausting, especially if you're someone who just wants to surf
| the damn web and are not some kind of super nerd.
| ptx wrote:
| For Firefox extensions, Mozilla has a "recommended extensions
| program" [0] which involves "rigorous technical review by staff
| security experts" before extensions are included, but it's not
| clear from their support article if every update is reviewed
| before it's published.
|
| If they do review every update, that would this problem at least
| for the more popular extensions, although I wonder how much delay
| it introduces when an extension needs an urgent security update.
|
| [0] https://support.mozilla.org/en-US/kb/recommended-
| extensions-...
| numbsafari wrote:
| It's almost as if you wish there was some kind of onerous
| "marketplace" where participation had rules and there was some
| kind of enforcement taking place, and organizations that break
| the rules could, no matter how popular or well known, be banned
| if they repeatedly violate the rules of the marketplace, or
| work to subvert the marketplace's function.
| thisislife2 wrote:
| Just sounds good in theory:
|
| - _More malicious apps found in Mac App Store that are
| stealing user data_ -
| https://appleinsider.com/articles/18/09/07/more-malicious-
| ap...
|
| - _How 18 Malware Apps Snuck Into Apple 's App Store_ -
| https://www.wired.com/story/apple-app-store-malware-click-
| fr... ...
| jjtheblunt wrote:
| Do the links you provide mean it's partially working not
| only in theory but for real?
| numbsafari wrote:
| The existence of crime isn't a logical reason for
| eliminating law enforcement. Having a choice of
| marketplaces... imagine if Mozilla gave you that!
|
| A corollary... just because one piece of software has fewer
| reported CVEs, doesn't mean it is more secure.
| danShumway wrote:
| > Having a choice of marketplaces... imagine if Mozilla
| gave you that!
|
| It sort of does, it's just not something devs take
| advantage of or that exists in an official way.
|
| If you don't want to be listed in the addon store, you
| can do a signed addon that goes through a much less
| rigorous check and then distribute it however you want.
| Similarly within the addon store Mozilla has a concept of
| "vetted" and "unvetted" addons. You end up with roughly 3
| layers of validation.
|
| There's technically nothing stopping anyone from setting
| up a separate addon store using only the 1st-layer of
| validation (or even adding a wrapper around the 3rd layer
| of validation since it's all still ultimately XPI files).
| Automatic updates would even work, you can specify URLs
| to check updates from. I haven't fiddled around with it
| much though.
|
| And sure, it would be nice to be able to skip even the
| 1st-layer signing when necessary, but what exists is
| still better than what a lot of other app-stores allow
| and in practice I suspect most addons aren't going to
| have trouble getting their stuff signed, so it's
| (likely?) not a huge deal if you wanted to make a 3rd-
| party store to require Mozilla-signed extensions. Maybe
| there's something I'm missing though.
| natch wrote:
| Apple can deal with those as they are uncovered. With
| alternative approaches, they can't. So your point defeats
| itself.
| ptx wrote:
| Almost, yes, but not quite.
|
| Curation and integration by a trusted party is a valuable
| service, and I very much appreciate Mozilla, Debian and
| others doing this work and enforcing their inclusion policy,
| e.g. the Debian Free Software Guidelines and whatever
| Mozilla's technical review involves. Debian's onerous rules
| in particular are great for the user - I can rely on packages
| to be appropriately licensed, to receive security patches
| without breaking my system with incompatible changes, to be
| compatible with the rest of the packages in the distribution,
| etc.
|
| Some important differences from "marketplaces" provided by
| various for-profit companies are 1) the user can choose
| whatever curator they wish, or opt to install whatever they
| want at their own risk; 2) the service doesn't usually
| involve payments, selling, shopping, etc. which would usually
| be associated with a marketplace.
| danShumway wrote:
| Firefox _has_ a marketplace with participation rules and
| enforcement where organizations that break the rules can be
| banned for violating them. That already exists.
|
| They want something stricter. What they're asking for is the
| ability to have multiple marketplaces and validation
| measures, some of which have stricter rules than others. That
| these requests pop up in scenarios where marketplaces already
| exist suggest that singular universal marketplaces that
| attempt to be one-size-fits-all gatekeepers aren't scalable
| or sufficient to meet everyone's needs, and that a multi-
| marketplace setup would allow some of those marketplaces to
| offer stricter quality standards for the people who need
| them.
| abhinavk wrote:
| They do review every update. Even overly popular ones like
| uBlock Origin gets stuck sometimes.
|
| Currently my personal policy is to only allow those curated
| extensions to run on all sites/tabs.
| mska wrote:
| I'm currently working on an extension as well ([0]) and share the
| same concerns many have mentioned about extensions here. I'd like
| to highlight another dimension concerning the Browser APIs ([1]).
|
| Handling the permissions necessary for certain API
| functionalities and the corresponding warning messages can be
| somewhat confusing. For instance, our extension uses
| "chrome.devtools.panels" to open a new window within DevTools.
| This API doesn't require any permissions by itself. Yet, for
| messaging across the popup, content, and DevTools windows, we're
| required to use activeTab and sendMessage APIs. The DevTools
| window operates in its unique context, almost like a tab within
| another tab. For example, updating the URL in the active tab
| doesn't directly update the DevTools window but triggers an
| event.
|
| Messaging across these different contexts requires the
| "https://*/*" host permission, without which Chrome and Firefox
| won't send the messages between these isolated windows.
|
| We made this permission optional, the DevTools Panel is activated
| only upon receiving explicit user consent. However, the
| permission prompt's messaging is something like "This extension
| requires access to all your data," which sounds very alarming. We
| don't access any data nor that we want to, but requiring that
| permission is mandatory since the message APIs won't work without
| them.
|
| This is just one example of the many undocumented complexities
| within Chrome's documentation. Similar pitfalls exist with
| message exchanges between the background service and content
| scripts. Sometimes you don't know why your API call doesn't work
| even though you think you have the required permission and asking
| for more permissions show very alarming messages to users.
|
| I think that a more granular permission approach, made specific
| to API functionalities rather than broad permissions that cover a
| list of APIs, would significantly help user experience. For
| example, requesting permission for the "sendMessage API" with a
| clear explanation would be far more informative for users than
| the general "All host https:///" permissions.
|
| There's also the issue of building for different browser. The
| same browser API calls can have different permissions requirement
| on Chrome and Firefox which makes the development process more
| difficult and more confusing for users since the same extension
| requires different permissions on different browsers.
|
| [0] https://divmagic.com [1]
| https://developer.chrome.com/docs/extensions/reference/api
| xer0x wrote:
| Thank you for creating this! Extensions have maliciously shared
| my credentials, and I appreciate whoever made this.
| mfrisbie wrote:
| Creator here - you bet! It's a big problem.
| advael wrote:
| I think this is illustrative of how the economy gets more scammy
| the faster and more secretly ownership of a product, company, or
| brand can change hands
|
| To me, this cuts at a fundamental logic we take for granted in
| the paradigm of Intellectual Property: That a brand is a fungible
| commodity that can be sold, like any other good or service. We
| treat this as a transfer of ownership of some property, but I
| think it makes more sense to treat this as a form of fraud. A
| name or brand is a signal people and businesses use to indicate
| who made something, and its chief value is the trust that's been
| built by the people running whatever operation carries that
| brand. The fact that it is not only legal but common practice to
| buy a brand explicitly for this trust in the operation is, from
| my perspective, obviously a big part of why everything is so
| scammy
| ryandrake wrote:
| Wait till you see the brand landscape in groceries and consumer
| goods. A few companies owning hundreds[1] of brands of everyday
| items. What company is actually behind Brand X? You pretty much
| need a database/app to remember as you're shopping. This is
| likely done deliberately to obfuscate and confuse. I always
| thought it would be a sensible law to make a company that
| displays a brand on a product _also_ display their company name
| as-or-more prominently next to that brand, so people know who
| is actually making those products.
|
| 1: https://capitaloneshopping.com/blog/11-companies-that-own-
| ev...
| advael wrote:
| Yes, I think consumer brands for things like food are exactly
| the way this trend started, and the aggregation of them has
| been gradual but led to lower quality and more scamminess
| throughout
| lencastre wrote:
| Shrinkflation!
| donmcronald wrote:
| > I always thought it would be a sensible law to make a
| company that displays a brand on a product also display their
| company name as-or-more prominently next to that brand, so
| people know who is actually making those products.
|
| They should have to display the entire chain of companies in
| the corporate structure and, if it's too big to legibly fit
| on the package, you can't sell it.
| jl6 wrote:
| This can also happen without a change of ownership.
|
| 1. Launch good product
|
| 2. Get good reviews
|
| 3. "Optimize" the design to use cheaper, worse components
|
| 4. Sell it under the same name
|
| 5. Coast on those good reviews and enjoy the higher profit
| margin
| tech234a wrote:
| I've also used Extensions Update Notifier [1] in the past, which
| has the option to disable extensions on every update. It hasn't
| been updated since 2016, but recent reviews say it still works.
| It doesn't detect ownership changes though.
|
| [1]: https://chromewebstore.google.com/detail/extensions-
| update-n...
| bossyTeacher wrote:
| No one has said yet? Can't believe this, HN! Ok, I will be the
| one to say it:
|
| A extension watcher is great but what happens when THIS extension
| itself changes owners?
|
| Who watches the watcher?
| xg15 wrote:
| Does it check itself too? I.e. notify you if its own ownership
| has changed?
| whatgoodisaroad wrote:
| Keep in mind, in the really malicious cases where an extension
| has changed hands, they often just sell the credentials to the
| Google developer account, so this won't detect those cases.
| SunlitCat wrote:
| Is selling the whole developer account even allowed?
| Animats wrote:
| When an extension changes owners, that name should be dead for a
| year.
|
| That would be useful for domains, too.
| infogulch wrote:
| I'm quite sympathetic to the stated goal, and the technical
| limitations are understandable, but the fact that it sends a list
| of all your extensions to an extension-oriented ad network is a
| bit sus...
|
| > Why does this need an external server? - Browsers have special
| rules about modifying extension marketplace domains. For example,
| you cannot set declarative_net_request rules for
| chromewebstore.google.com. Therefore, this extension delegates
| the developer info checking to the ExBoost [1] API server.
|
| [1]: https://www.extensionboost.com/
|
| > What Is ExBoost? - ExBoost is a collaborative network of
| browser extensions that want more users and more reviews.
|
| > How does ExBoost work? - Extensions add ExBoost slots inside
| their UI. These slots will show promotions for similar
| extensions, or reminders to review your extension.
| chatmasta wrote:
| It looks like Extboost is also a project by OP. The charitable
| explanation would be that they used its API server because they
| already had the data they needed to scrape an extension's
| metadata (i.e. its owner) given an extension ID.
| infogulch wrote:
| Yes and the fact that you can just scrape the logs for
| extension installation statistics which you can use to sell
| AD space is just an accidental convenient side-effect, I'm
| sure.
___________________________________________________________________
(page generated 2024-03-06 23:00 UTC)