Just the framing of "browser extensions" is extremely problematic in the year 2024.
Most browser extensions by weight are Google Chrome extensions. Google Chrome is unambiguously demonstrating that no API is safe in its quest to juice revenues. Anybody who builds extensions using Chrome's APIs should be very aware that they're quite possibly putting effort into something a juggernaut will stomp away without a second thought.
I don't care to live in strategically lost situations like this, so I think the conversation should be about Firefox extensions. Which also don't have a great track record (the transition to Google Chrome compatibility a few short years ago still annoys me greatly), but are a qualitatively better counter-party to deal with.
Forget all that.
1. They increase the attack surface of the browser 2. They have routinely been transferred to (for money) or taken over by malicious entities 3. Often they subtly break things in ways that are fine for expert users but which result in support reach out by others
The whole extension thing is a mess.
Honestly as much as I love Firefox this is an underrated concern.
Firefox allows their extensions to be far more powerful than Chrome's, but that power means they are also far more dangerous.
If Firefox were to really take off (like it should, imho), are we really ready for a web full of people being attacked by the worst spyware ever?
Chrome, for all its faults, has ruined their extension framework at least in part because they were trying to prevent this threat.
How do we make this work? Endless notification spam from the plug-ins? Expensive certifications for each plug-in release?
I’d be really curious about in a system where browser extensions are limited to ~200 lines of code. No mechanism for distribution beyond typing text in. No concerns about permission. It would be interesting to see what people can do in an ecosystem where extensions can actually do anything but it is expected that people will actually read the code before running it.
My reaction would be simpler: Anything that's identified as risky? Show the user. Extension is making an HTTP request? Show the body in a toast. Extension is reading the keyboard? Same thing. Extension is looking at the page? Little icon in the corner showing the name of the extension and that it looked. Can't be turned off. So extensions can still do all that crazy stuff, but they're noisy about it.
I don’t really see this as simpler:
1) “identified as risky” seems like it could hide some significant complexity (and room for error).
2) An extension might need to read from the keyboard. I don’t want to OK it every time. If I check once and then mark it as OK, I’d be worried that it could do something evil with that permission somehow, in a far-flung bit of the code.
I'm not saying a popover modal, I'm saying a toast notification or a status-bar icon. Non-blocking.
Like, when you're typing and it's being monitored: in the corner of the window it says"Extension TweetSyndicator is reading your keyboard. Click here to manage extension."
If nothing else, basic logs of everything an extension does should be kept so that technically knowledgable users can take a look at the logs periodically (and maybe have them watched automatically by tools) to make sure everything checks out.
I agree. When an app uses GPS on my phone, I'm informed of that: a notification permanently displays in the top bar until it is no longer being used. Same with the camera and mic. If my clipboard is copied, I get a notification as well informing me of that and telling me which app did it.
I'm not sure why a similar system doesn't exist for browser extensions. Furthermore, there are limits to what features you can and cannot disable for Chrome extensions, and as far as I'm aware there are no logs of what actions they took.
I had an extension that randomly redirected me to scam URLs while doing completely innocuous things such as visiting the homepage for Gmail, YouTube, or performing a Google search (after pressing enter for the initial query, before clicking on any URL.) I had 15 extensions, and the redirects were infrequent enough that disabling extensions one by one wouldn't help much: it could potentially take months to track it down, and there's no way of disabling the permission to redirect to different URLs. I searched the minified source code for all of the extensions that I had, but none of them had the URLs I was redirected to. My guess is that they pulled data from a server and then redirected me to whatever malicious URL it pulled at that time. I also checked network traffic in the Chrome Task Manager to see if there was an extension sending data for unknown reasons, but again, nothing, so it likely periodically pulls a URL to redirect me to from some server, redirects me, and then sleeps for a few days. Short of un-minifying all 15 extensions and trying to understand the purpose of every redirect, many of which would be legitimate, I'm not sure what can be done.
In the end, I removed every last extension aside from my password manager and uBlock Origin (which fixed the issue — over one month later I've never been redirected to a scam URL.) Many of the extensions I used were open source, but I don't think any hash system exists to verify the minified code matches the source files for Chrome extensions (maybe I could do that manually, but I don't want to do that every time there's an update for any of the 15 extensions I had.)
It's unfortunate, as many of the extensions I used improved my productivity and helped me focus better and be distracted less. But as it is currently, the browser extension ecosystem simply isn't safe.
From what I've heard, Firefox's review process is better in some ways than Chrome's, but their extensions can have even more control of your browser.
I don't think it's impossible to design an extension system that is secure: extensions just need to have the ability to be granted extremely limited permissions, and any permission beyond what is reasonable should be denied in the review process for putting it on the Chrome or Firefox extension stores. Most of my extensions shouldn't have even needed Internet access (if they can execute JavaScript, they'd still be able to redirect me to a scam URL, but if it couldn't have pulled a URL from an external server, then the URL would need to be in the minified JS, so I'd have been able to catch it.)
Tampermonkey?
And bookmarklets. These are leftover artifacts of the time when computers worked for us.
How to encourage code golfing in real world usages?
We've been there, nobody died. 15+ Years ago, Firefox was significant more powerful, while also having a significant higher marketshare.
[Citation needed]
Yes but that was before cryptocurrency created a new era of crime monetization.
Ultimately, as a society, we have to decide what is more important: the best of us or the worst of us.
"Those who give up freedom for security deserve neither."
The real quote is more nuanced: "Those who would give up essential Liberty, to purchase a little temporary Safety, deserve neither Liberty nor Safety". It's a balance, obviously. I'm happy to have guardrails if they improve non-technical users' safety.
Not at the expense of expert freedom.
Safety is paramount for experts. Those who disregard the importance of safety are likely not experts in their field.
If the "console" analogy doesn't resonate, think of Apple as NASCAR. NASCAR has created a private ecosystem. Participating in NASCAR as a team or a driver is a choice, contingent upon meeting their requirements and paying entry fees. NASCAR implements numerous safety measures — SAFER barriers, catch fencing, HANS devices, etc. — to protect everyone involved, whether spectators (users) or drivers and teams (developers and vendors).
NASCAR prioritizes the ecosystem first, then spectators, then teams and drivers — in that order. It doesn’t compromise the ecosystem or spectator safety to accommodate individual teams or drivers. Driver safety is crucial, not just because NASCAR values them, but because incidents involving drivers can negatively impact the ecosystem and spectators.
Those wishing for NASCAR to resemble the Baja 1000 are tilting at windmills. Similarly, people who want iOS to be like Android aren't just wasting their time, but also disregarding the preferences of users who prioritize platform safety.
Most users have no idea the tradeoffs between the two. Or the dominance both have in their respective realms. Or the possibilities of having more viable platform choices.
Framing it like that makes it much more simplistic than reality. While there are some people you can clearly place into "best" or "worst", most people fit somewhere along a spectrum where their placement changes day to day. You ever had a bad day where you forgot to do something you would have done any other day?
Do you want software that allows you to do anything on a good day but is potentially catastrophic on a bad day?
The answer may still be yes, but regardless it's a more complicated a question than best vs worst.
That's fair, I was being more flippant than necessary. :)
Replace browser with operating system or computer and expand extensions to user installable programs and it mostly still rings true. I believe users should be empowered to modify their installed applications as they see fit.
It doesn't ring true for installed software anymore — "virus scanners" have gotten to the point where they just work for most people, desktop software is more difficult develop (for your average hacker wannabe), more difficult to get users to install, and has far less valuable data to go after.
I actually very much like Apple's approach to browser extensions forcing them to be truly installed software and in the purview of tools that protect the rest of the system.
The Chrome browser extension ecosystem is perfectly fine in theory but suffers from reinventing installed software without taking any of the lessons we've learned about OS software. Nice cautionary tale but the web is different.
On a typical PC, installed software has even more permissions than a browser extension, and all any malware author has to do is write their own keylogger or upload the browser cookie database. Sure, it's a little more effort, but I think the only real advantage that malicious browser extensions have over native programs is the discoverability and auto-update Google and Mozilla give them "for free".
Wouldn't AV pick up uploading browser cookies?
I don't know, it would simple enough to catch, but would also flag access by file managers. Probably the only way is to test. Generally I've found writing malware from scratch is enough to get it through AV, but I only tested on what I had installed.
Actually hilarious that we have people here defending removing extensions, as if they didn't live through the days of Internet explorer. Well, maybe they didn't I hope they enjoy the eventual return of popups.
They never left they're just called modals now.
Endless EU Cookie modals that you have to always click through because you clear cookies.
I wouldn’t be surprised if Gen Z didn’t live through it.
Small price to pay for adblock
Forget all that.
1. They increase the attack surface of the operating system 2. They have routinely been transferred to (for money) or taken over by malicious entities 3. Often they subtly break things in ways that are fine for expert users but which result in support reach out by others
The whole web browser thing is a mess.
"I don't care to live in strategically lost situatios like this, so I think the conversation should be about Firefox extensions."
Why would the conversation not be about editing the Firefox source code to add or remove "features" to meet one's personal needs.
What is the point of "open source" if, to use the term from the submission title, the software is effectively un-"hackable".
There is no small amount of "attack surface", and many unneeded "features", that could be removed from Firefox to someone's benefit, maybe it's only one user,^0 but but that will effectively never happen. Why. It is open source so anyone should be able to audit the code and change it to their liking.
0. To be clear, I am not commenting about "most users" or the majority of users or whatever. I am referring to the small class of users who are explicitly dissatisfied.
In 1995, there were numerous non-commercial browsers. Netscape, the source of Mozilla, was one of the few attempting to commercialise.
https://www.w3.org/Clients.html
There is nothing wrong with having "all-in-one" programs. As long as other "not-all-in-one" programs also exist as alternatives.
Arguably, the aim of the "all-in-one" program may be to obviate the existence of other programs, namely smaller, simpler ones.
Those pushing gigantic web browsers might assume and argue, e.g., that it is inconvenient to have different programs for different tasks. This could be true. For some users. However it is also true that small programs can be made to work with each other. UNIX is the example. Over thirty years of continual growth. The companies behind the giant browsers probably could not survive without it. There is choice.
Large "all-in-one" programs and small ones like UNIX utilities can co-exist. The two are not mutually exclusive.
Personally, I prefer not to use a giant browser to make HTTP requests on the open internet. It is overkill and there is a profound lack of user control. (Hence "solutions" like "sandboxing", and an ever-incresing number of Band-Aids that serve only to add more needless complexity. The companies releasing these giant "all-in-one" programs are funded by advertising. Enough said.) For me the "modern" browser is more useful as an image viewer and media player.
It is possible to "browse" the web without advertising, tracking or other annoyances, I do it every day,^1 but not with one of these giant advertising-supported "all-in-one" programs like the "modern" web browser. It is a losing battle to try. No amount of "extensions" can change the balance of power over those giant programs.
Despite that these "browsers" are "open source", dissatisfied users who know how to program are not editing the source code to remove the bad bits. Instead they helplessly complain in forums like HN.
1. I am not a typical user. (Though I might be in 1995.) I prefer text over graphics. I like to read without distraction. Because text is easy for the user to manipulate, it seems to have a defense against advertising that is not available with graphics. For example, if text ads were inserted into response bodies, I can easily filter them out.
Because extensions are way easier to write, less likely to break because they use mostly stable public interfaces, and don't require an amazingly long compile.
I'd very much love to be able to clearly remove features I don't want and use, including a lot of the things about profiles, then use a tool to remove all unused codepaths to make a fast, usable and hopefully easier to understand product. But who has the time to dig into the behemoths of firefox and chrome today? It's just too much code to easily grasp.
Unlike you I don't have a dislike of graphics. I do however see value in small simple software. The Web is a runtime so very complex that it takes huge organizations to create.
Theoretically, you could sacrifice full compatibility by implementing only the APIs used for Google, Facebook, YouTube, Reddit, Amazon etc. and have something much simpler. But that would still be a hard task because you are making a big compatibility hack for certain websites. Like the wine compatibility layer only for websites. Except that the websites could stop working at anytime and then you'll have to pile on more interfaces to keep up with them.
When evaluating software utility we often times forget that websites are software and don't attempt cost them in. Using them is a recurring cost in terms of complexity. They are definitely not free or even low cost.
Oh I agree so much with you.
https://akkartik.name/freewheeling
The impedence to compiling IMHO defeats the point of open source. I use a text-only browser I can compile in less than a minute. I use an HTTP generator that compiles in two seconds. The so-called "modern" browser is a PITA. A nuisance. An unfortunate necessity for accomplishing certain tasks, e.g., commercial transactions such as banking or shopping. But most of the time I am using the web I am not doing those tasks.
How unlike developing for literally any other environment.
I don't know if you're being sarcastic. There's a spectrum between developing for Lua (juggernaut is super friendly), Python (juggernaut is mostly friendly, even if 2->3 caused a lot of casualties), Go (in spite of the corporate backer, quite careful about not stomping) and Chrome.
Yes, there's always a counter-party. My point is it saves a lot of later grief to consider up front the counter-party you're entering into a relationship with. Their incentives and track record.
Which, for plenty of Chrome extensions, is fine.
Google has removed capabilities for certain categories and it's pretty easy to figure out what's going to be risky.
But I use a set of very useful extensions, none of which present any problem to Google, all of which are extremely useful, and all of which I expect to stick around.
Quite right. Google and other commercial platforms may cut features or make breaking changes out of greed, while open source projects do it because they chase shiny things and can't be arsed to do legacy support. The end result is the same.
Most browser extensions seem to be used on Firefox, because Google is so hostile to ones on Chrome. With the decline of Firefox, the extension world has shrunk. I had something called "Ad Limiter" on both Firefox and Chrome for a decade. Identical code, even. Google sent me threatening messages last year, as they tightened the screws on ad blockers, and I dropped it for Chrome.
That's a good point. Perhaps Firefox will benefit from an embrace/extinguish maneuver for once. Become compatible with Chrome extensions, then take over the space as Google retreats. This path too passes through no longer referring to "browser extensions".
Extensions were compatible for years until Google changed the manifest format and parts of the API.
Firefox is not really less hostile now. You can't even install and maintain local add-ons anymore. You can either install them temporary, and they are removed when the app closes. Or you must upload and sign them to their store.
Has Firefox fixed its syncing feature? You used to have to literally move a profile file around. I remember working in IT a long time ago and Firefox was an absolute nightmare to deal with corporately. But then, back then, we couldn't control Chrome extension installations..
Sync was fixed as part of quantum.
I'm only on Firefox because there's nothing better, but its sync at least has been pretty rock solid for me for several years now.
There is a standard for browser extensions. I build also browser extensions before the standard. So you can build now a browser extension that works in Chrome, Firefox, Edge and Safari. But indeed, you can also use some specific api's for only a single browser. That is really bad, like you build a site only for a single browser. But the base should be compatible. And because you always can see the extension source code, you can modify a version for your own that works well in your browser. (And you can share it again off course)