I publish a few extensions [1] [2] [3] and have been contacted multiple times by companies asking to buy them for several thousand dollars. They told me the going rate was 0.20 USD per user. You can imagine what kind of deals are being made when the extension has a million plus users.
When pushed for exactly why they wanted to buy the extensions, which are in no way monetizable, they gave vague answers about "user insights". I can guarantee there will be many other major extensions that have sold out their users.
[1] https://chrome.google.com/webstore/detail/old-reddit-redirec...
[2] https://chrome.google.com/webstore/detail/break-timer/hklkdb...
[3] https://chrome.google.com/webstore/detail/reddit-comment-col...
Luckily enough the source code was still on GitHub, and I managed to fork it and improve that version into "Tab Manager Plus" [1].
Since then I've refurbished around 10 extensions and published a few of my own. It's fun, just annoying that malicious extensions aren't getting taken down fast enough, since I suppose not enough people report them.
How to report malicious extensions is also sometimes unclear. Some people think they have to install them first; that's only true for ratings, not reports. For example, to report the extension from this blog post you just have to submit this form [2].
For other malicious extensions simply replace the extension id in that link.
[1] Tab Manager Plus - https://chrome.google.com/webstore/detail/tab-manager-plus-f...
[2] Report extension - https://chrome.google.com/webstore/report/fjnbnpbmkenffdnngj...
I've not received my own updates for weeks a few times because I haven't noticed the warning, and about a third of our users are on ancient versions presumably because of it [1].
I think the real solution to this problem is GDPR: massive fines if you abuse your users' trust (and get caught).
I'm not keen on the literal dark pattern that Firefox uses to dissuade developers from requiring new permissions.
[1] https://addons.mozilla.org/en-US/firefox/addon/tridactyl-vim...
If url, div, cookies and any other info are collected, what are they?
What server connections are made by the extension, IP, Name, contents of info transmitted?
All the GUI, collection system should be in place as part of JS dev/debug tools already. Just customized it a bit so any tech savvy users can check the audit logs and enable more logging for a plugin if needed.
If a user spots something not right, it is also easy to out the "plugin/extension" on a public forum.
> Chrome prompts the user if adding the permissions results in different warning messages than the user has already seen and accepted.[1]
If you want more permissions, then ask for more permissions.
And don't be surprised when people say NO.
Not everyone wants to grant the permissions to your update even if the update fixes bugs in older versions. Not everyone will want your new feature in the first place. Denying permissions is an easy way to eliminate the risk of having to go through and figure out whether or not the new feature is trustworthy.
And if you're not adding a new feature, then why do you need more permissions?
A better approach would be to allow extension upgrades, irrespective of permissions. If a user chooses to deny permissions the extension should still work on the latest version.
The extension has a backend API and web service which is required for the extension to work, not once has a buyer asked about acquiring that. They only want the extension and literally have no understanding of how it works or what it does. Their intent is obvious.
One sneaky way to get back at them is to send a bunch of fake “poison” requests with fake data back at these guys. It probably won't hurt them but if enough people do it, it might make their data worse and make their operation unprofitable.
[1] https://willrobbins.org/a-clever-malware-tactic-and-why-ther...
In my experience anonymization is hit or miss, but ostensibly always in place.
Installed and will be using both. Please don't steal my data!
It's easy enough to update them + audit the code when something breaks. The hardest part is downloading the new code (.crx) without installing it; I had to write JavaScript I paste into the console. StackOverflow can unzip a crx by stripping the first 306 bytes.
I forked Stylish v1.5.2 a year ago before I heard of Stylus, but I've no need to switch since the original extension was pretty good. https://github.com/Zren/chrome-extension-stylish#fork
Allows to easily audit and download the extension right from the Web Store page.
Used it a couple of times in the past, it is a good one.
tail -c +307 in.crx > out.zip
Credit to this guy in the comments. https://superuser.com/questions/139190/how-to-unpack-a-chrom...
https://ec.europa.eu/commission/sites/beta-political/files/n...
"Where provided under applicable law (such as within the European Union), you may have the right to ask us to delete Personal Information which you have provided to us [... ] contact our Data Protection Officer at: dpo@userstyles.org."
https://addons.mozilla.org/en-US/firefox/addon/stylish/priva...
Also, the transition period will bind the UK to most EU laws for a few more years.
uBlock Origin is a dedicated, quite-good, low-fuss, ad blocker.
uMatrix is a much more general, very powerful, though somewhat fussy, general Web capabilities manager. If you don't mind fiddling with sites periodically, it's very strongly recommended, but for user populations who don't do this or grasp technology poorly, it will require some fairly close managing, _especially_ if the user base doesn't report problems and just accepts "the site is broken".
I'd highlighted my preset recommended set of browser extensions for 2018 a couple of weeks back. The hero image is uMatrix's control interface.
https://plus.google.com/104092656004159577193/posts/WVEM83FY...
Ghostery invites you to submit various data to support it these days, but seems to be transparent about it and to work on an opt-in basis, so quite different to Stylish. Are you aware of other things that Ghostery is doing without the same transparency and consent?
BTW your characterisation of Ghostery's relation to an "ad company" is incorrect. It's an odd enough situation that I'm not using it any longer but they didn't get "bought by an ad company". Unless something new happened to them, in which case, please provide a link.
It's on my flagged list, but remains installed.
It's particularly annoying, because I do have this Stylish extension installed (using css ::after rules to tag HN users)
EDIT: You can submit an abuse report when uninstalling a Chrome extension.
I was put in this tracking program without my consent.
English: https://ocr.space/blog/2016/11/wot-browser-extension-collect...
I'm still looking to update my router (Turris Omnia) to use DNSMasq rather than Knot Resolver, which may offer an edge on DNSSec capabilities (though I believe this has lapsed), but is far less capable of being locally customised along the lines of DNSMasq.
https://myactivity.google.com/myactivity
More seriously: if Stylish concerns you, Chrome should too.
I've got a system where I use a set of standard styles applied broadly against many sites.
E.g.,
Annoyances -- applied globally to all websites by default: https://pastebin.com/raw/GrE9KX6D
Local Gifs: https://pastebin.com/raw/tn7cqGtJ (Exceptions to global gif filtering)
The following break on many sites too much to be applied as default, but can be used fairly generally to selected sites as needed.
Animations blocking: https://pastebin.com/raw/7Gjxj6AT
Headers / Footers: https://pastebin.com/raw/PsXWhUGf
Popups / Overlays blocker: https://pastebin.com/raw/VcgNNwDp
"Unstyled" CSS: what I apply to unstyled / minimally styled pages: https://pastebin.com/raw/rtfev3vj
For development / testing / debug:
Debug CSS: https://pastebin.com/raw/Z3kFrRQy
(Highlights class/id and entities in page.)
1/ New great product is built. People love it.
2/ Once enough people use it, start monetizing in shady ways, annoying users just not too much or they leave.
3/ Very annoyed users switch to another product back to 1/
1/ New great _free_ product is built. People love it.
Image and file hosting services and messengers are the best examples.
I swear it's because the well has been poisoned and it's just impossible to monetize these services in a moral way.
For example, would it be reasonable to enforce that an extension only acts locally, and cannot communicate with any external server? (I guess allowing arbitrary local modifications essentially allows the extension to execute arbitrary javascript code, including communicating with arbitrary remote entities?)
I do see in https://noscript.net/faq
> ... Firefox extensions are written in JavaScript too and NoScript doesn't block scripts living outside web pages (i.e. the browser components, included extensions) ...
'"Stylus" is a fork of the popular Stylish extension which can be used to restyle the web. Not "ish", but "us", as in "us" the actual users. Stylus is a fork of Stylish that is based on the source code of version 1.5.2, which was the most up-to-date version before the original developer stopped working on the project. The objective in creating Stylus was to remove any and all analytics, and return to a more user-friendly UI. We recognize that the ability to transfer your database from Stylish is important, so this is the one and only feature we've implemented from the new version.' [1]
[1] https://add0n.com/stylus.html and https://github.com/openstyles/stylus
Does anyone have information on if the Safari Stylish Addon does the same shady things? It's available in the official App Store and was approved by Apple it seems.
Edit: I should note that it collects analytics, but it can be turned off in the preferences. I don't remember if it's on by default, but I suspect it is.
Tampermonkey is here BTW: https://tampermonkey.net/?browser=safari
I really love that one, it does a great job in Safari. Unfortunately, there is no Safari App Extension yet. Since I'm running Safari Preview and Safari 12 does not accept extensions from unknown sources anymore I'm out for now.
Tried it out, but found a different way to restyle and adjust sites to my tastes (uBlock and custom Greasemonkey) that I found easier. Then forgot about it.
And now it turns out this thing has been slurping my Internet history for months.
No downvotes, nobody calling them on it, just happy oblivious HN users that carelessly install random browser extensions and then recommend them to other people. Urgh.
https://en.wikipedia.org/wiki/Adblock_Plus#Controversy_over_...
It's times like these I wish I could go back and edit/update an old post with new info. I feel like I got stabbed in the back... which happens way too often in tech these days no matter how careful you are.
I also reported it around the same time and gave it a 1/5 star rating but Google had no interest in the report it seems.
I guess there should be an addon that notifies users for any ownership changes to browser addons they use. Or is there?
(I'm only a user)
So once they are ready to add malicious code in the future to pass that information somewhere else, no permission changes will be required.
Before downloading any extensions, I usually inspect them quickly with https://chrome.google.com/webstore/detail/chrome-extension-s...
Most important parts are "manifest.json" and then, if defined, content scripts that match catch-all URLs and "https://*/*" / "http://*/*".
Pls redesign the whole internet to be dark themed, so we don't need add ons like this to fix the world. Thanks!
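Added example, not part of any comment in this thread: the two audit steps mentioned above (stripping the CRX header to reach the ZIP, then checking manifest.json for catch-all matches) as one Python script. It goes beyond the fixed 306-byte offset by reading the header lengths, so it handles both CRX2 and CRX3 packages; the function names, the `BROAD` pattern set and the sample package are assumptions made for illustration.

```python
import io, json, struct, zipfile

# Match patterns treated as "every site" (assumed list for this example).
BROAD = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}

def zip_offset(crx: bytes) -> int:
    """Return the offset of the ZIP payload inside a CRX2 or CRX3 file."""
    if crx[:4] != b"Cr24":
        raise ValueError("not a CRX file (missing Cr24 magic)")
    (version,) = struct.unpack_from("<I", crx, 4)
    if version == 2:    # magic, version, pubkey_len, sig_len, pubkey, signature
        pub_len, sig_len = struct.unpack_from("<II", crx, 8)
        offset = 16 + pub_len + sig_len
    elif version == 3:  # magic, version, header_len, protobuf header
        (hdr_len,) = struct.unpack_from("<I", crx, 8)
        offset = 12 + hdr_len
    else:
        raise ValueError(f"unsupported CRX version {version}")
    if crx[offset:offset + 4] != b"PK\x03\x04":
        raise ValueError("ZIP payload not found at computed offset")
    return offset

def audit(crx: bytes) -> dict:
    """Report broad host access requested by the packaged manifest.json."""
    with zipfile.ZipFile(io.BytesIO(crx[zip_offset(crx):])) as z:
        manifest = json.loads(z.read("manifest.json").decode("utf-8-sig"))
    asked = manifest.get("permissions", []) + manifest.get("host_permissions", [])
    return {
        "name": manifest.get("name"),
        "broad_permissions": sorted(p for p in asked if isinstance(p, str) and p in BROAD),
        "broad_content_scripts": [cs.get("js", []) for cs in manifest.get("content_scripts", [])
                                  if BROAD & set(cs.get("matches", []))],
    }

def make_sample_crx(version: int = 2) -> bytes:
    """Constructed sample: zero-filled fake header plus a tiny ZIP, not a real extension."""
    manifest = {"name": "sample", "permissions": ["tabs", "<all_urls>"],
                "content_scripts": [{"matches": ["https://*/*"], "js": ["cs.js"]}]}
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("manifest.json", json.dumps(manifest))
    if version == 2:  # 162-byte key + 128-byte signature gives the 306-byte header
        header = b"Cr24" + struct.pack("<III", 2, 162, 128) + bytes(290)
    else:
        header = b"Cr24" + struct.pack("<II", 3, 40) + bytes(40)
    return header + buf.getvalue()

if __name__ == "__main__":
    print(audit(make_sample_crx(2)))
```

The script only locates and reads the payload; it does not verify the package signature, and a manifest.json containing comments would need them stripped before `json.loads`.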
Does anybody have an idea?
Any alternatives for Mac users?
I’m planning to write my own Safari stylesheet extension some time in the coming months, though, because old style Safari extensions are being phased out in favor of Safari app extensions and I don’t know if the dev of the Safari stylish extension plans to make the leap.
If you do write such an addon as you said, please advertise it here on HN!
I'd argue with you about what a "real" browser is all day but really, it boils down to -- I am not interested if the latest standards are implemented. Those latest standards are made by regular humans, and they do dumb crap all the time. So "newest" =/= "best".
I quite like Safari's Reading mode and Reading list (especially having in mind that it can cache offline things you put in the reading list; you can read all of those without internet).
I will concede however that it's definitely very behind in terms of addons. That's a weak point. And Firefox gets better and quicker constantly.
TL;DR: I use both Safari and Firefox heavily and I love both. But Safari is a little better in terms of information management.
For example,
> TOS agreements require giving up first born—and users gladly consent
https://arstechnica.com/tech-policy/2016/07/nobody-reads-tos...
Somewhere around 10 years ago I switched strategy:
I don't read them at all. If anyone wants to sue my defense would be that nobody in their right mind (sorry younger me) would read that nonsense.
I assume the rules are basically "don't abuse our content or service",
... and I assume that they will sooner or later sell, abuse, leak, or hand over my data to law enforcement in any country including Middle Eastern and African ones.
"This version has been screened and approved for the public. Keep in mind that other reviewers may look into this version in the future and determine that it requires changes or should be taken down. In that case, you will be notified again with details and next steps."
Perhaps this also depends on the number of users...
[1] https://labs.detectify.com/2015/11/19/chrome-extensions-aka-...