WingNews logo WingNews
top | item 33015350

(no title)

invisible | 3 years ago

It's as though nobody realizes extensions can be created or purchased by sketchy actors and that this is a huge security risk when the extensions request "all access to all sites." OK, so when setting up an account's username and password and are provided 2FA codes or recovery codes -- those can all be compromised. How can you know an extension is compromised? It's almost impossible to tell with certainty.

Things like "The Great Suspender" incident get ignored and folks assume no other extensions have the same problems.

discuss

order

RedShift1|3 years ago

And what in MV3 solved all of that? It still allows enough to do a lot of damage.

Regardless of that, at some point you have to trust software. You can't expect everyone to read every line of code and compile all the software by themselves.

invisible|3 years ago

Yes, I trust plenty of software and I'm not suggesting that extensions are bad in theory. Extensions being able to silently inject code and ownership to change at any time is a pretty bad security model. We can agree that there are _bad_ security models, right?

It's the sum of the parts in changes from manifest V2:

- no arbitrary code injection via executeScript, must be a file now

- no more remote code

- no more arbitrarily getting selected text or highlighted text on a tab

- declarativeNetRequest instead of intercepting requests

- explicit listeners on the page to help detect bad actors (vs just arbitrary JS running on the page)

Barrin92|3 years ago

>actors and that this is a huge security risk when the extensions request "all access to all sites."

sure but that's my choice, that's why it's an extension. Paternalism of telling me what to do with my browser is silly merely because something is potentially dangerous. The entire internet is potentially dangerous. Clicking on a link or installing a piece of software is dangerous.

You're an adult, make responsible choices about whose extension to install instead of demanding that Google strangle you with security policies which at the end of the day serves only one purpose which is to extend their control over the user experience.

invisible|3 years ago

These are a bunch of straw man arguments against what I said. There is a difference between clicking a link and an extension being able to read the contents of pages you visit -- like your bank records or credentials.

Some of these "choices" aren't actually _made_ by anyone. Even with trust of an author, if remote code is being used and a domain or server is hijacked, then the remote code could be replaced. It's a lose-lose problem for Google and not addressing this problem means worse security for casual users. The boogeyman that they will remove useful extensions is antithetical to their behavior so far.