How/why do you feel safe using a browser with plugins installed?
November 11, 2014 6:27 AM   Subscribe

I just installed Tampermonkey in Chrome, and it alerted me that it can "see and modify" everything I do online. From a technical standpoint, how do people use plugins like this and still feel secure when, say, doing online banking?

I know that most people use browser plugins and extensions and scripts. It's probably a rarity to find someone with no plugins installed. But I'd like to hear from technically oriented people, why it's okay to use browser plugins and then do things online. Isn't every browser plugin you have installed able to see everything you're doing? How do you feel comfortable logging into your bank account or your 401K when all these plugins, many of them written by a hobbyist programmer (as in the case of Tampermonkey), can see everything you're doing? Is there some level of protection going on that a non-tech person wouldn't know about?
posted by jbickers to Computers & Internet (4 answers total) 4 users marked this as a favorite
Extensions can and do make browsing the web unsafe. These are some of the things that an extension with liberal permissions can capture and send to its maker:

1. Your browsing history such as a list of all the websites you visit.

2. Data you input into forms such as login information.

3. Data on all pages you visit.

4. Cookies.

There isn't very much that can be done to avoid the inherent security risks. Google has this to say about Chrome extensions for example (source):

Our defenses against malicious extensions focus on helping the user avoid installing malicious extensions in the first place:

1. We expect most users to install extensions from the gallery, where each extension has a reputation. We expect malicious extensions will have a low reputation and will have difficulty attracting many users. If a malicious extension is discovered in the gallery, we will remove it from the gallery.

2. When installing extensions outside the gallery, the user experience for installing an extension is very similar to the experience for running a native executable. If an attacker can trick the user into installing a malicious extension, the attacker might as well trick the user into running a malicious executable. In this way, the extension system avoids increasing the attack surface.

.. which is b/s for several reasons e.g. some extensions start out benign, get popular and then get bought so they can be adapted to serve malicious purposes.
posted by rada at 6:59 AM on November 11, 2014

Is there some level of protection going on that a non-tech person wouldn't know about?

One thing you can do is run Chrome in Incognito Mode or Firefox in Safe Mode. These usually disable extensions/add-ons, unless you specifically allowed them to run in those modes.
posted by rada at 7:19 AM on November 11, 2014

It is ok to use plug-ins. However, it all goes back to trust: can you verify your plug-ins in some way? Does the plug-in give transparency in some way?

For example, in order for Ad Block Plus to do its job, it has to read the elements of a webpage to determine if they match ABP's database of bad elements. As it is an open source project, you could go and start looking at the code.
Some evil villain might also create an adblocker, that can detect credit card numbers on the side and send them to evil villain hq.
posted by troytroy at 8:38 AM on November 11, 2014

Best answer: Hey, I'm a technical guy. You are right to be suspicious. But that warning is not itself evidence that there's a problem. By design, Tampermonkey has to be able to access and modify all web pages, that's what the extension does.

I make my peace with the risk by evaluating my trust in the extension authors. Something like Tampermonkey is broadly used by technical people, so I have more hope that if it did something shady someone would have noticed. Open source extensions are better. (I'm a little confused about Tampermonkey's being open source, there's a code repo but it looks out of date.) It's also pretty hard to obfuscate an extension's code and activities, even if it's not open source it's open to inspection.

This trust can be misplaced. A few months ago some sleazy company started paying Chrome extension developers to implant ad tracking malware. And because extensions update automatically and silently, no one noticed for quite awhile. HoverZoom is one such extension alleged to include malware; it was quite popular and probably still is. I used to run it. Now I use Imagus although writing this reply now, I'm not sure why I trust it. There's been some shenanigans in the ad blocking world too. I recently switched to ┬ÁBlock, which is open source.

There is no hidden technical protection, Chrome does not have meaningful security restrictions on extensions. Once you approve that list of access permissions, there's not much else it can do. Google did recently restrict extension distribution; it's now pretty hard to install an extension in Chrome unless it comes through Google's curated app store. But I don't trust the moderators of that store to really inspect for malware.

As rada noted above, Incognito Mode does not load extensions (by default). I use this regularly for high value sites like my bank. OTOH I also rely on the LastPass extension to store my passwords, and I have no idea if a rogue extension could infiltrate my password database.

In conclusion: extensions are a security disaster waiting to happen. OTOH they are very convenient. Pick suppliers you trust.
posted by Nelson at 8:42 AM on November 11, 2014 [4 favorites]

« Older Could you give me tips on navigating hostilities...   |   Why is the Latin name for the Eurasian eagle-owl... Newer »
This thread is closed to new comments.