undefined | Better HN

0 pointsdcow3y ago0 comments

What?

The same can happen with any piece of software in the world. Why single out extensions?

0 comments

We sandbox apps to prevent them from reading each others data. It's impossible to sandbox web extensions and have them retain basically any of the functionality needed.

As well as almost all regular software is backed by some large company with legal presence to hold responsible. The same can not be said for most extensions.

dcowOP3y ago

> We sandbox apps to prevent them from reading each others data.

This is also true of web extensions. I suspect you've never developed one. You can't read another extension's data. It's also not true on desktop platforms. The user is still the security domain in desktop computing.

> As well as almost all regular software is backed by some large company with legal presence to hold responsible. The same can not [sic] be said for most extensions.

Is this true? All the browser extensions I use are published by a real legal entity that can be sued if they are negligent. What corner of the web are you on?

anaganisk3y ago

There are at least 100s of extensions that are published by legal corporates, adgaurd extension is pretty sure a legally registered company as an example.

nine_k3y ago

Not really any: popular open-source software, which gets reviewed and rebuilt by many independent people (distro maintainers) has a much lower chance to be hijacked this way.

dcowOP3y ago

Oh yes it can. Project owners have sold out before--sometimes without telling anybody. The threat vector is the same. Something you trust gets sold to someone else and it abuses previously acquired trust. Open source doesn't actually fix this specific trust issue. And BTW your browser extension's source is available to peruse locally on your machine after you install it. Surely you did that, right?

nine_k3y ago

Being a popular open-source project is not a guarantee, it merely lowers the chances and complicates the attack.

Regarding extensions code: indeed, I do read the code of extensions that require some elevated permissions, if these extensions are not otherwise vetted. This is why I avoid installing excessively complicated extensions, unless they ask for minor permissions. Having the list of tabs if no big deal; accessing data in your tabs, even for a particular site, triggers scrutiny.

2 more replies

j / k navigate · click thread line to collapse

0 comments

Gigachad3y ago

We sandbox apps to prevent them from reading each others data. It's impossible to sandbox web extensions and have them retain basically any of the functionality needed.

As well as almost all regular software is backed by some large company with legal presence to hold responsible. The same can not be said for most extensions.

dcowOP3y ago

> We sandbox apps to prevent them from reading each others data.

> As well as almost all regular software is backed by some large company with legal presence to hold responsible. The same can not [sic] be said for most extensions.

Is this true? All the browser extensions I use are published by a real legal entity that can be sued if they are negligent. What corner of the web are you on?

anaganisk3y ago

There are at least 100s of extensions that are published by legal corporates, adgaurd extension is pretty sure a legally registered company as an example.

nine_k3y ago

Not really any: popular open-source software, which gets reviewed and rebuilt by many independent people (distro maintainers) has a much lower chance to be hijacked this way.

dcowOP3y ago

nine_k3y ago

Being a popular open-source project is not a guarantee, it merely lowers the chances and complicates the attack.

2 more replies

j / k navigate · click thread line to collapse