How to not be affected by malicious extensions?
-
My thoughts are:
Delay updates for a few days. Many malicious extensions are caught within a few days, and it is the auto-updates that catch people unawares.
Download from a different store. I have heard the Opera store checks extensions better. I still want auto updates though.
Use multiple stores. Don't update until it has been approved by the major extension stores.
Check with a third party before updating.
But I don't know how to do any of these.
P.S. I know these are not 100% solutions
-
@code3 100% solution: Don't use extensions.
-
@Ayespy I can't, I'm sorry
-
@code3 That's too bad.
-
@Ayespy Well, do you know if I can make extensions safer? Do my ideas sound bad?
-
@code3 I could hardly say. I refuse to have anything to do with extensions, so I decline to study them. Anything/everything I need to do has to be built into the browser.
-
@Ayespy, I use extensions, but I take great care to check the origin; extensions in the store that do not specify a web page (preferably GitHub, GitLab or Sourceforge) or a known author are a no-go.
If the extension is FOSS it is in principle already a good reference.
I do not trust the security of the Chrome Store with respect to the control of extensions, nor do I trust the Play Store on Android, with the Fake of Play Protect that Google offers. There the remedy is F-Droid and BitDefender as AV.
-
@Ayespy Huh. That's odd. I have...
Onion Browser Button (not reputable but only requires access to proxy api, not webrequest or content script)
Privacy Pass by privacy-pass-support (open source)
Click to Remove by blade.sk (has website)
Random User Agent by dev4ever
Neat URL (reputable)
Stylus (open source)
ScriptSafe (open source)
Bitwarden (open source)
Timezone Spoof (not reputable)
Font Fingerprint Defender (my font fingerprint is definitely unique as I am on Linux) (author has many other extensions)
Productivity Owl (highly annoying but I will not uninstall, I am actually working on a V webpanel for this one, but I am stuck on one thing: JS warnings are not appearing in the panel) (open source)
Privacy Redirect (super good) (open source)
HTTPS Everywhere (not as necessary as it used to be, but there are still lots of http links) (open source)
Speed Dial Thumbnail Generator (Amazing! Only on Github) (open source)
Trace by AbsoluteDouble (source-viewable, reputable)
LocalCDN (trying this out) (open source)
Too many, I know. In my defense, I have tried to limit how much these extensions have access to.
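Editor's added example, not part of any forum post: one way to check how much access each installed extension declares, in the spirit of the "only requires access to proxy api, not webrequest or content script" note in the list above. It assumes a Chromium-style `Extensions/<id>/<version>/manifest.json` layout; the `BROAD_APIS` shortlist, the function names and the sample manifests are constructed for illustration.

```python
import json
from pathlib import Path

# API permissions that expose traffic, page content or browsing data (a chosen shortlist).
BROAD_APIS = {"webRequest", "webRequestBlocking", "cookies", "tabs",
              "history", "debugger", "scripting"}
# Match patterns that cover every site.
ALL_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}

def audit_manifest(manifest):
    """Return a list of findings for one parsed manifest.json."""
    declared = set()
    for key in ("permissions", "host_permissions"):
        declared.update(p for p in manifest.get(key, []) if isinstance(p, str))
    hosts = {p for p in declared if p == "<all_urls>" or "://" in p}
    apis = declared - hosts
    injected = {m for cs in manifest.get("content_scripts", [])
                for m in cs.get("matches", [])}
    findings = []
    if apis & BROAD_APIS:
        findings.append("broad APIs: " + ", ".join(sorted(apis & BROAD_APIS)))
    if hosts & ALL_HOSTS:
        findings.append("host access to all sites")
    if injected & ALL_HOSTS:
        findings.append("content script injected on all sites")
    if manifest.get("update_url"):
        findings.append("auto-updates from " + manifest["update_url"])
    return findings

def audit_profile(extensions_dir):
    """Audit every <id>/<version>/manifest.json under an Extensions directory."""
    report = {}
    for path in sorted(Path(extensions_dir).glob("*/*/manifest.json")):
        manifest = json.loads(path.read_text(encoding="utf-8"))
        key = f"{path.parts[-3]} {manifest.get('version', '?')}"
        report[key] = audit_manifest(manifest)
    return report

# Constructed sample manifests (not taken from any real extension).
PROXY_ONLY = {"name": "sample proxy button", "version": "1.0",
              "permissions": ["proxy", "storage"]}
BROAD = {"name": "sample page tool", "version": "2.3",
         "permissions": ["webRequest", "tabs", "<all_urls>"],
         "content_scripts": [{"matches": ["*://*/*"], "js": ["inject.js"]}],
         "update_url": "https://updates.example.invalid/ext.xml"}

if __name__ == "__main__":
    for sample in (PROXY_ONLY, BROAD):
        print(sample["name"], "->", audit_manifest(sample) or "no broad access")
```

Re-running `audit_profile` after each update and comparing the findings shows when a new version starts asking for more access than the previous one.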
-
@Catweazle said in How to not be affected by malicious extensions?:
I do not trust the security of the Chrome Store with respect to the control of extensions, nor do I trust the Play Store on Android, with the Fake of Play Protect that Google offers. There the remedy is F-Droid and BitDefender as AV.
What do you think about Opera Web Store?
-
@code3 said in How to not be affected by malicious extensions?:
@Ayespy Huh. That's odd. I have...
Onion Browser Button
Privacy Pass by privacy-pass-support
Click to Remove by blade.sk
Random User Agent by dev4ever
Neat URL
Stylus
ScriptSafe
Bitwarden
Timezone Spoof
Font Fingerprint Defender (my font fingerprint is definitely unique as I am on Linux)
Productivity Owl (highly annoying but I will not uninstall, I am actually working on a V webpanel for this one, but I am stuck on one thing: JS warnings are not appearing in the panel)
Privacy Redirect (super good)
HTTPS Everywhere (not as necessary as it used to be, but there are still lots of http links)
Speed Dial Thumbnail Generator (Amazing! Only on Github)
Trace by AbsoluteDouble
LocalCDN (trying this out)
Too many, I know. In my defense, I have tried to limit how much these extensions have access to.
Wow, that is a LOT. I must start narrowing down.
-
@code3, I have not even taken it into account, I do not trust them more than Google. I prefer to use GitHub or Sourceforge directly as an alternative.
-
@Ayespy I was joking.
-
@Catweazle said in How to not be affected by malicious extensions?:
I have not even taken it into account, I do not trust them more than Google. I prefer to use GitHub or Sourceforge directly as an alternative.
Hmm. I don't want developers to be able to auto-update their extensions from Github. But sometimes I do load unpacked. I do think checking every webstore is a good idea but hard to do. There is crxcavator but I do not see a way to use it actively.
-
@code3, well, at the moment I am quite happy with the extensions I have and at least in the near future I am not going to install more.
I have the page full of extensions, although most are inactive.
I do not necessarily uninstall extensions; if they are valid, I just have them inactive as a reserve, you never know what can happen with FOSS extensions (see uMatrix - RIP), or by using them only occasionally (Webmarker, popupCrypt, PageSize inspector, Buster ... tools like this, that I don't need so often).
-
@Ayespy said in How to not be affected by malicious extensions?:
@code3 100% solution: Don't use extensions.
Yep! Or use only those extensions whose developers you trust, e.g. uBO by gorhill.
-
There must be another solution. I can consider uninstalling some, but not all, of the extensions. But I feel that delaying updates could help, how do you cache in Linux?
-
@Stardust There is no such thing as an extension that uses no RAM or processor cycles, and which does not increase the complexity and attack surface of the browser. So, best to simply not use them, in my view. There simply isn't anything an extension does, that I want to do, anyway.
That's me. Stick in the mud.
-
@Ayespy said in How to not be affected by malicious extensions?:
There simply isn't anything an extension does, that I want to do, anyway.
In my example was uBlock Origin - the best extension ever created (imo), many users think it is pretty useful :face_savouring_delicious_food:
-
@guigirl said in How to not be affected by malicious extensions?:
What? Even better than the pink daffodils one, you mean?
Yes, it is really that good!