
Detect when your installed Chrome extensions have changed owners

int_19h
63 replies
1d1h

This should be something built-in for every browser, and updates should be automatically disabled as soon as owner changes.

harkinian
57 replies
1d1h

Extension updates shouldn't be automatic to begin with imo.

Chabsff
29 replies
1d1h

Unfortunately, it's been established for a long time now that users cannot be trusted to perform updates by themselves, no matter how naggy you get about it, even for the most critical of security fixes.

Automatic updates, again unfortunately, are critical to safety.

ifyoubuildit
9 replies
1d1h

This attitude is a large part of what I find so repulsive about tech today. You are a guest on my machine. No matter how much you think you know better than me (even if you're right!), you don't get to make decisions like that. You can ask nicely, and if you can convince me that something needs to be done, I will decide to do it.

ssl-3
8 replies
1d

Why, sure. And I'll bet you prefer to do your own vehicle maintenance, too.

But automatic updates aren't for you or me, or any of the other geeks here.

They're for everyone else.

bakugo
6 replies
1d

My device is mine, not everyone else's. It's not your decision to make regardless of whether or not you think it's best for the "greater good".

ssl-3
5 replies
1d

You're not wrong.

Fortunately, you have choices. You can choose to avoid software and operating systems that feature automatic updates.

You can even write it yourself, if you wish: You're absolutely empowered to be absolutely in control of your things.

There's nothing stopping you.

ifyoubuildit
4 replies
1d

Practically speaking, we have the choices that one monopoly or another offers us, and only so long as those choices are convenient for them.

I do avoid corporate overreach where it's practical (I have a dumb TV/vehicle/appliances/etc), but there will come a day when it's impossible to participate in society without giving in.

ssl-3
3 replies
23h30m

Life is whatever you want it to be.

There's plenty of ways to get through life that don't involve computers or software or television.

You can choose differently than you have.

ifyoubuildit
1 replies
21h21m

I'm happy enough with my life. But yours seems like a very ... I don't know, defeatist? point of view.

You make it sound like I can either have the stunted, over-commercialized shovelware that's on offer or I can choose to go live in a hut in the woods. Where's the middle ground where we put a little market pressure on our corporate overlords so they make better widgets?

ssl-3
0 replies
20h48m

You can choose to do anything at all. It's your life.

You want software that doesn't update itself on your computer? Nobody is going to stop you. Simply make it so.

(And if you're happy with your life, then what are you here bellyaching about?)

bakugo
0 replies
22h8m

I don't see what this has to do with the discussion at hand at all.

Chabsff
0 replies
1d

Yep.

That being said, I really like VS Code's approach of having auto-updates enabled by default, but making a switch to turn off the feature available for nerds like us who care.

That's the model to follow in my book.

mtlmtlmtlmtl
5 replies
1d

Problem is every single update claims to be security fixes, like for Android. Now I realise almost any bugfix can be construed as a security fix, but I've never seen an Android update that doesn't claim to include security updates, and I've never seen one that goes into any kind of detail (in the pop-up prompt, that is) on what any of the updates entail.

Probably some of those were critical, and some of them were completely unlikely to affect real world security. As a user, how do I know when to take it seriously and when not to? All I'm told by the UI is that every single update they push "improves security and performance".

Karellen
2 replies
21h26m

The trouble is, security fixes (generally) don't get backported to older branches. If older branches are even a thing.

Say you're on Foo 1.4.7, and the jump to Foo 1.5 includes a feature re-org you don't want, and no security fixes. So you hold your version on 1.4.7.

But then a security issue is found, and Foo 1.5.1 is released with a fix. Is the version you have vulnerable? Maybe, depending on where the bug is. Is there a 1.4.8 update to fix it? Maybe not. How would you even get it? Heck, if you've switched off automatic updates, have you even heard about the 1.5.1 release? Are you checking on the release announcements for Foo to find out if there have been any security updates, ever?

OK, maybe you check those things. But do you think J. Random User who saw a post on Reddit that said 1.5 sux0rz and they should stay on 1.4.x is going to? And do you like having botnets? Because that's how you get botnets.

thwarted
1 replies
15h55m

The trouble is, security fixes (generally) don't get backported to older branches.

Even if the security fixes were backported, it would produce a new version of the older branch, and require an update in order to actually use it. Whether the security fix is in an older branch or a newer branch doesn't matter: it still qualifies as an update.

Karellen
0 replies
9h39m

I thought I covered that in the part about needing to check for updates/release announcements yourself if you've turned automatic updates off?

bossyTeacher
1 replies
23h47m

This is the ToS problem. Tell me, of the many services you use and products you own, how many ToS have you read? 3%? 10%? Probably less than 2%. Changelogs and release notes have the same problem. They take time to create, edit and review, and no one who matters reads them. Why would they spend their time on it?

mtlmtlmtlmtl
0 replies
22h58m

I get your point, but changelogs can often be generated semi-automatically from VCS.

And I realise I'm not the typical user, but I actually do read (skim) TOS just to see if there's any centipad-like stuff. Most of it is just boilerplate and you get pretty quick at finding the substantive parts with some practice. Of course TOS/EULA are hard to read for most people by design. They don't actually want you to read it. If they did, they'd offer a summarised version without all the legalese boilerplate.

I get the same feeling about changelogs. They probably have one internally if they know what they're doing. It may even be online somewhere if I go looking. I can only surmise that for whatever reason, they don't want me to read it, which doesn't inspire trust.

ptx
3 replies
1d

It has also been established that vendors cannot be trusted to refrain from bundling unwanted feature changes (and sometimes straight-up malware) with their security updates, so it's no wonder that users might be reluctant to install such updates.

ryandrake
2 replies
23h39m

Yes, this is the reason I do not enable automatic updates (in general, not just browser addons), and that software updates are so frustrating.

If there was a way to specify I only want security updates and bug fixes and I do not want new features, UI redesigns, and so on, I would always update and maybe even turn on automatic updates. Software companies have no excuse--we have sophisticated version control software that allows you to manage multiple branches easily. Every software should have a maintenance branch and a "new shit" branch, and should allow both kinds of updates.

chatmasta
1 replies
22h52m

I only want security updates and bug fixes

Just FYI, for iOS updates, you can in fact opt into these release channels separately.

Go to Settings > General > Software Update > Automatic Updates. You will see two separate toggles, one for "iOS Updates" and another for "Security Responses & System Files."

harkinian
0 replies
20h13m

Yeah, it's nice. Also, old major iOS versions still get security updates, so a very old iPhone is still practically usable.

harkinian
2 replies
23h51m

Are outdated Chrome extensions really attack vectors? They're very sandboxed. I'd be way more concerned about the update itself being malicious, especially for simple extensions that shouldn't really need updates.

Chabsff
1 replies
23h39m

Pedantically, outdated Chrome extensions make for a poor attack vector in the first place because the majority of users get automatic updates, including being disabled/removed by Google themselves if the dev is gone and a problem is found.

harkinian
0 replies
21h42m

Yeah, I meant if they weren't automatic. Or to make things less theoretical, how often do extension devs currently find and patch security flaws?

Blackthorn
1 replies
1d1h

Users often don't want to perform updates because the updated version is worse in some way. That it has a security impact is unfortunate, but that's how it is.

harkinian
0 replies
23h53m

I had an extension update itself and partially stop working. There's no way to go back to a previous version unless you happen to back up the old files.

woliveirajr
0 replies
1d1h

Critical to the user safety? Well, that's not a problem.

Critical to the safety of some site/other users? Then the problem is a bit deeper, as my computer/software shouldn't be able to affect someone else.

jasonjayr
0 replies
1d1h

And these automatic updates are often abused to remove or change features, or generally "enshittify" things. Which breaks trust and we are back to square one.

bakugo
0 replies
1d

Unfortunately, it's been established for a long time now that users cannot be trusted to perform updates by themselves, no matter how naggy you get about it, even for the most critical of security fixes.

So let them not update. It's not your device, it's theirs. Mind your own business.

TeMPOraL
0 replies
1d1h

Find a way to do security patches without restarting the application or interrupting the user's work, and keep features/enshittification updates separate from security patches - and then people will not mind auto-updates. Hell, you could just apply them and not even ask anymore.

Klaus23
21 replies
1d1h

Anyone who has had to administer anything user-facing will tell you that some users will ignore any warning. Updates need to be automatic and mandatory. You can give them a grace period, but you have to force the issue after a while, or users will delay the update prompt every 15 minutes for months.

harkinian
11 replies
23h48m

Nope, annoying forced update stuff goes in my trash. Already said bye bye to Windows for this reason. If your thing is gonna update itself, it can't disrupt me or make itself worse.

Klaus23
10 replies
22h58m

There should always be an option to turn off automatic updates (unless we are talking about a corporate network), but the option should be opt-in and require some initiative on the part of the user. If the option is presented together with a prompt to update, users will simply turn it off without knowing what they are doing.

If it is in an options menu, power users can choose to turn it off, but normal users will probably never find the option.

harkinian
9 replies
22h44m

I agree for most software in general. Mac updates are auto by default iirc, and that's good. Just not Chrome extensions. The risk of attacks by the owner seems much higher than the risk of attacks by websites on outdated extensions.

And the problem with Windows is you can't really turn minor updates off, they require reboots, it nags you a ton about major ones, and the updates basically just make it worse.

Klaus23
4 replies
22h14m

I don't think manual updates would solve this security problem. The new owner would just have to delay the activation of the malicious parts of the software. No one is going to check the binary of an extension or try to replicate it if it is open source.

It's strange that Windows updates are still such a big problem, and I'm not talking about the ones caused by Microsoft's greed. Even Linux systems, which for a long time were pretty user-unfriendly, have largely managed to make updates seamless. I have automatic updates turned on on my computer, and the only indication is that once in a blue moon I can't turn the system off for a minute while it's running an update.

harkinian
1 replies
21h49m

It wouldn't solve it, but at least an update couldn't get instantly pushed and run by all users. These extensions are JS rather than compiled binaries, so they're not too hard to inspect (and if the code is intentionally obfuscated rather than just minified, you know something is up).

Klaus23
0 replies
21h5m

If you want to limit the initial impact of a malicious extension, a mandatory hold or slow rollout would be more appropriate. There is no need to bother normal users if they would never inspect the code anyway. If some users want to inspect it first, they can go into the options and turn off automatic updates. Fixes for serious vulnerabilities that require immediate rollout are much rarer and often small, and could be reviewed by the extension store team.

EraYaN
1 replies
5h47m

I mean Linux updates are everything but seamless, it highly depends on your exact config and distro, certain hardware configs break every single kernel version, hell, even Nvidia would break their drivers super often not even that long ago. Smaller vendors with closed source drivers were even worse. Software just breaks sometimes no matter the amount of testing that you do. It's better to just accept that and deal with it when it comes up.

And in my experience (mostly server Linux, client Windows/macOS) the worst updates are still macOS, they take forever to install. Linux and Windows seem to at least install quickly, like a full upgrade takes less than 20 minutes on both, while a minor release for macOS will make my MacBook try to lift off like a jet engine for 45 minutes.

harkinian
0 replies
4h36m

Mac updates take the longest for sure. I feel like they used to be shorter too.

asadotzler
3 replies
21h54m

So when one software company does it to you, it's good, you say, but when a different outfit does it, it goes in the trash. Nice consistency you got there, bud.

harkinian
2 replies
21h46m

Apple doesn't force the updates, Microsoft does. You can turn off automatic Mac updates, and even the automatic ones won't force reboot your machine while you have stuff open. And you aren't greeted with a "please switch to Safari" modal when it boots back up.

What's true about both is the updates require a reboot and take way longer than they should.

EraYaN
1 replies
5h46m

I mean macOS will spring the "Your computer will reboot within 60s" with the countdown on you, if you don't watch out. And the "Reopen" feature only barely works.

harkinian
0 replies
5h16m

But if anything is open that asks if you want to quit, it'll prevent shutdown. Unlike Windows which just kills everything.

smallmancontrov
3 replies
1d

...says the 1st party, in a world where 1st party malware is a serious problem.

Klaus23
2 replies
21h54m

If the software you are using is so bad, or the distributor so untrustworthy, that you would classify it as malware, then I think it is time to switch to an alternative.

For example, it is now quite feasible to use only open source software in everyday life, which usually operates according to better ethical principles and has greater difficulty in enforcing problematic changes.

int_19h
1 replies
20h45m

The concern is that for a lot of software these days, it starts in the "good" bucket (and often open source even), and then once it gets popular, it is bought out and enshittified.

Klaus23
0 replies
20h28m

Yes, unfortunately this happens regularly, but with open source software it is at least possible to fork it. We often see forks when there are major disagreements. Not all of them survive, but if the original is bad enough, the chances are pretty good. There are also projects that are developed or supported by a trustworthy foundation/organisation, where you don't have to worry about such bad development.

downWidOutaFite
1 replies
1d

Anyone who has owned a cloud connected device or software will tell you that companies cannot be trusted with remote access, they will abuse it every single time. And they'll have the useless cargo-cult security industry telling users that it's "best practice" and for our own good while their companies are spamming us or spying on us or removing features or outright hacking us or taking away access to our own data while they sell it to third parties and try to lock us into their ecosystem.

Klaus23
0 replies
22h42m

It was not my intention to defend large corporations and their sleazy practices. I just wanted to say that the average user cannot be trusted with an easy option to ignore updates, especially when it comes to security.

Users will do things like ignore updates and then trash you on the internet or spam your support because the software no longer works properly with service xyz. We regularly hear about major hacking incidents where internet-facing software hasn't been patched for years. Things like this will give your company a bad reputation.

I think the best compromise is to have automatic updates by default and a slightly hidden option in the menu to turn them off. If the user goes out of his way to turn it off, then it is his own damn fault, but if you make it too easy (like presenting it with every update prompt) you are courting disaster.

blep-arsh
1 replies
23h13m

Not every computer is a part of managed corporate inventory. And some suppliers will happily ignore any issues their updates are causing. E.g. forced Windows feature updates can just disable a computer by throwing out essential but unsigned drivers.

Klaus23
0 replies
22h35m

This is more of a technical problem. If your update either breaks something or leaves gaping security holes, then there is no good solution. I think I would rather inconvenience a customer by turning off functionality than leave a bad vulnerability unpatched, but delay an update if it is not security related.

tacocataco
0 replies
19h36m

But I don't want Windows 11.

bmacho
2 replies
1d

Why is this downvoted?

I am shocked, people actually think that automatic updates are very good? Because for me, it is trivial that automatic updates are very bad. One of the greatest security risks of extensions is due to automatic updates: they can't be verified, since they change.

Edit: BTW I've submitted a related submission about Guerilla Script, a userscript injecting engine, where userscripts are not even updateable: https://news.ycombinator.com/item?id=39620863 This is the ideal way of safe extensions IMO.

harkinian
0 replies
22h44m

Well if you complain about downvotes, it'll only bring more downvotes ;)

Chabsff
0 replies
1d

I don't think anyone (at least not me) is claiming that auto-updates are very good. However, I will argue 'till the cows come home that they are better than the alternative in many cases.

Installing software in the first place is placing a lot of trust into whoever made that software from the get-go. There are a myriad of ways a bad vendor can abuse a software installation without having to involve auto-updates. Singling that out as a specific abuse vector that's orders of magnitude worse than giving filesystem access to an opaque binary just doesn't make much sense to me.

If I don't trust a vendor enough to allow auto-updates, then I don't trust them enough to install the software in the first place (dev dependencies notwithstanding for obvious reasons). Combine this with the well known fact that optional updates just don't get installed, and the cost/benefit calculus of the feature becomes not that hard to motivate.

Fwiw, I also think that a switch to disable the feature should always be present for those of us who care.

danShumway
0 replies
23h15m

I don't advise turning this on because I think automatic updates in most cases are preferred to manual updates for most users. However, in Firefox you can in fact disable automatic updates on a per-addon basis. So you can have the addons that you trust automatically update, but for the addons that you're less sure about or that basically already work, you can just turn off updates for them.

Just go to about:addons, click on the addon you want to change, and then swap "Allow automatic updates" to off. You can also change the default behavior to not automatically update except for individual addons that you override (although again, I don't recommend it for most users).

I don't believe you'll get notified about updates (correct me if I'm wrong), which isn't ideal, so you'll have to periodically go and check for updates yourself.

chatmasta
0 replies
22h57m

I believe Firefox at least alerts you when an extension update has changed the permissions it requests (and you need to accept the new permissions). Of course, there are many cases where malicious code doesn't require new permissions.

I'd also prefer more visibility into updates. Enabling auto-updates might be okay, if there's a way to opt out of it, and if the updates were significantly more visible. I want to see a big modal when one of my extensions has updated, and ideally I'd be able to see the diff of its source code. But even without that, just knowing it updated would be enough for me to unpack the CRX and check for myself (like I did when I installed it originally).

Disclaimer: I run exactly two extensions in my main browser: uBlock Origin, and Little Rat (monitors network requests of other extensions). I have a separate Canary browser for web development where I install other extensions I might need.

biggestfan
2 replies
1d1h

The ideal solution would be similar to when an extension asks for new permissions: disable it with a pop-up that informs you of the change and allows you to re-enable it.

thekombustor
1 replies
1d

I believe this is how Firefox behaves.

px43
0 replies
13h29m

I'm pretty sure this is also how Chrome behaves. I think I've seen this happen a couple times.

marwis
0 replies
23h25m

Recently my favorite open source mouse gestures extension SmartUp Gestures was taken over by some shady entity (with GitHub no longer being updated, of course).

I opened a Chrome ticket that they should ask to re-enable the extension when ownership changes. They just closed the ticket replying with this link:

https://chromium.googlesource.com/chromium/src/+/main/extens...

:(

jtriangle
0 replies
16h20m

Realistically, automatic extension updates should be disabled by default.

rKarpinski
48 replies
19h37m

A few months ago I made a free open source extension to speed up YouTube ads that I shared here & hit the front page. Within a week a guy (who commented on my Show HN thread) copied it and promoted his version on Reddit, which went viral and has 300k+ users [1]

But why copy a free open source extension instead of just contributing a pr? Well... a few weeks later he was trying to sell it on multiple sites for 5 figures. Maybe they still own it but I couldn't help but notice that the registered developer for his extension on the chrome store has also changed since it was originally published.

[1] https://github.com/rkk3/ad-accelerator/blob/main/lessons_pos...

theogravity
12 replies
18h45m

Sorry to hear. That really sucks.

Is there a license that prevents direct resale but keeps it open source?

TheDong
11 replies
16h48m

No such license can exist; if it did, it wouldn't be open source.

Open Source, as defined by the Free Software Foundation or Open Source Initiative, requires the right to create a modified version of a piece of software and sell it. It doesn't matter if the modification is nothing.

A trademark on the name will require a reseller to rename it to avoid trademark infringement.

A patent on some part of it is a scummy way to do it, but that violates the spirit of open source.

wruza
9 replies
14h41m

“Open source” is when sources are open, i.e. available to anyone. That’s literally in the name. FSF/OSI traditionally reassign the meaning in their own scope and have a process of approval, probably for a good reason. Also some people will resist and blame you for being “misleading” with your “open source”. But you definitely can have an open source non-free non-modifiable project. There’s no law of physics which could stop you, nor legal laws which prohibit combining words into meaningful sentences. Just make a proprietary app with all legal remarks and open the sources by publishing them somewhere.

kadoban
8 replies
13h41m

FSF/OSI traditionally reassign the meaning in their own scope and have a process of approval, probably for a good reason. Also some people will resist and blame you for being “misleading” with your “open source”. But you definitely can have an open source non-free non-modifiable project.

They did not "reassign the meaning". They created the term, it did not exist before their usage. They created it to mean the thing you're now saying it doesn't mean.

jotaen
4 replies
11h33m

It’s not possible to reserve terms which are made up from generic words. That’s neither true in trademark law (for good reason), nor anywhere else. Saying “free software” or “open-source software” doesn’t require any upfront definition, both phrases can be understood perfectly intuitively: “free” as in “free of charge” and “open-source” as in “the source code is openly available”.

OSI/FSF decided to use generic words as label to promote their specific ideas. The ambiguity of that unspecific wording choice is on them, not on the rest of the world.

TheDong
3 replies
11h21m

The definition of short phrases is not some intuitive prescriptive "the components mean this", but rather it is what we have collectively agreed on the meaning to be. Open Source and Free Software are widely collectively agreed upon terms of art, so they're not ambiguous.

Just because "gravy boat" has the word boat in it does not mean it is actually a real boat. "Whisky on the rocks" has ice in it, not actual rocks.

Free Software and Open Source Software have widely agreed upon meanings, and just because you think intuitively it would make more sense for "whisky on the rocks" to be served over actual rocks doesn't mean you're better at understanding English words than the rest of us.

jotaen
2 replies
11h16m

but rather it is what we have collectively agreed on the meaning to be.

Who is “we”?

My point is that I don’t think that your premise of “collective agreement” is true for “open source” or “free software”. I don’t agree with it, and I know a bunch of other people that don’t do either.

kadoban
1 replies
8h17m

Who is “we”?

Language is cultural and context-specific. Not everyone has to agree, but if you talk to software people about "open source" and don't mean what everybody else means, you're just going to confuse and annoy people instead of communicating.

jotaen
0 replies
7h23m

Language is cultural and context-specific.

Language is not set in stone either, and the perception of what terms mean may change over time, even within one and the same cultural context. That’s why we are having debates and discussions. The world of computer people is no exception of this phenomenon – the etymology of the word “computer” is a literal example for that.

wruza
2 replies
11h40m

There’s more to the story, afaik. But my main point is that it’s unreasonable to take two existing words and claim it’s impossible to combine them directly. Not gonna argue or flamebait though, please just tell the correct term for projects with open source but non-free-software license and I’ll be happy to use it from now on.

kadoban
1 replies
8h30m

But my main point is that it’s unreasonable to take two existing words and claim it’s impossible to combine them directly.

There's terms that if you attempt to use the literal meaning of the component words, you'll confuse people. This is one. It's like a trademark or an idiom, it has extra meaning beyond the literal due to cultural association.

Not gonna argue or flamebait though, please just tell the correct term for projects with open source but non-free-software license and I’ll be happy to use it from now on.

I've seen "source available" used and that always seemed fine to me.

wruza
0 replies
7h47m

Looks fine to me, thanks!

eru
0 replies
16h21m

You could have a license that's open source in all respects but this one.

However, someone could make a change, redistribute under the same term, and then someone else could undo the change, and redistribute, essentially redistributing the original without modification.

Too
9 replies
16h25m

To give some nuance, here is the other side of that story https://news.ycombinator.com/item?id=38463233

Can’t say I understand all the background but really… the extension is 50 lines of trivial js. Claiming someone stole it is quite bold. And as we all know, ideas are worth nothing, can’t really claim this idea is that novel either. Assuming the other party even took inspiration, the timeline of who did what first is not entirely clear.

thrdbndndn
3 replies
15h8m

I totally can see that he copied your idea, and why you're frustrated.

But at the end of the day it's a simple idea and script. Can't really see what you can get from it, if they even wrote the actual code themselves.

Considering your previous post was already months ago and was flagged [1], I'd say let it go.

[1] https://news.ycombinator.com/item?id=38452968

yard2010
1 replies
11h1m

I don't know what's worse, acting in such an immoral way or justifying and legitimizing this kind of behavior.

prmoustache
0 replies
9h1m

There are many pieces of software that have the very same goal/usage. How is it immoral to build something similar of your own?

Are you saying Microsoft should have never been allowed to release Microsoft Word because WordStar (and possibly other similar software) already existed?

Are wheel manufacturers all immoral for making wheels while we should still use the original wheel made of stone or wood[1] from the original author?

[1] I honestly don't know which came first but I would say carved stone

laborcontract
2 replies
15h42m

If it's any consolation to you, I have a very oddly specific memory about this. I didn't follow any drama or didn't know that there was drama. But I do remember your original post and then seeing the second post a few days later thinking, “wait, why is this being so highly upvoted when we all front-paged this a few days ago?”

rKarpinski
1 replies
15h35m

Haha, thanks. And I documented it all in the blog post I wrote way back when [1]; there really isn't any question about the timeline or if it was inspired.

At the end of the day, it was a silly project I built and I got 20k users! It didn't feel great to be copied and have them get 15x more traction. Whatever the thoughts are around that... the reason I posted today was the relevancy to the parent extension because within weeks they tried to (or did) sell the extension's user base (presumably to bad actors). I had no idea how shady the extension world was before this, and I'm much more conservative about which ones I'll install now.

[1] https://github.com/rkk3/ad-accelerator/blob/main/lessons_pos...

laborcontract
0 replies
15h1m

I also think the right conclusion to take from this is that the validation you've seen in just this one side project of yours should encourage you to be more open and sharing of those ideas. Now you at least know what the next steps are from there, and how aggressively you should pursue those steps.

I've been ripped off in the past. While it doesn't feel great, it should fuel the irrational confidence part of you.

finnh
6 replies
18h41m

Curious why you are careful to never mention the handle of the HN user in text, only in images. What is the perceived threat model of stating clearly (in this comment, or in your blog post) the name of the HN user who copied you etc?

0_____0
1 replies
4h23m

Brigading users is probably a bad idea.

Reading their comment history does yield some interesting rebuttals though, would recommend.

rKarpinski
0 replies
3h56m

Not probably. Brigading is a bad idea.

My whole point was "hey, that's not cool" that you copied me, especially since you run a thousand+ person dev community. His rebuttal about whether or not it was legal, or violating the license, etc. sort of misses the substance of the argument. To me it was a moral issue, not a legal issue [1].

[1] https://github.com/rkk3/ad-accelerator/blob/main/lessons_pos...

elbear
0 replies
15h52m

Maybe he's afraid of getting sued.

14
0 replies
17h16m

100%. If someone is going to be shitty they deserve to be called out front and centre. If they just copied the program and shipped it as their own, that speaks volumes as to being a bad person and I would not want to collaborate with a person like that. If they took the open source program and truly made some great additions to it and improved it, then that would be a different matter. Pretty sad to not give credit to the creator of the program. Call this guy out, in my opinion, as well.

0_____0
0 replies
16h28m

sometimes the beef ain't worth it, man

gremlinunderway
3 replies
18h32m

Are there FOSS licenses which can mandate some kind of "non-commercial" open source use or ethical-use clauses of some type? Seem to recall this being something that some folks were trying to make happen after the Palantir / ICE boycotts.

(cue someone getting upset about "politicizing" licensing or cancel culture or whatever, as if the entire concept of intellectual property isn't political at its core)

samatman
1 replies
17h35m

Contrary to the sibling comment, the answer is no, and it isn't pedantry at all. The people who established the free software and open source movements care deeply about the standards embodied in the licenses those movements use. It disrespects their work and vision to conflate other licenses with FOSS licenses, and it pollutes the commons. We use words to communicate things, and having a clear definition of what is and isn't open source is important.

There are certainly licenses which meet those goals, and in my opinion at least, there's nothing wrong with using them. I'm not opposed to proprietary software, or source-available licenses which come with certain restrictions. But by definition, it isn't open source or free software.

eru
0 replies
16h19m

The people who established the free software and open source movements care deeply about the standards embodied in the licenses those movements use. It disrespects their work and vision to conflate other licenses with FOSS licenses, and it pollutes the commons.

You know that the term 'open source' was coined because someone disagreed with the vision of the 'free software' people? It's fine to have a different vision. Though you might want to come up with a different term, of course.

marc_abonce
0 replies
17h53m

The pedantic answer you'll probably get here is that there's no such thing because that wouldn't be trve FOSS, but that would be missing the point of the question, so:

There's the Business Source License[1] used by MariaDB, which allows for any "non-production" usage and automatically converts to fully open source 4 years after publication.

There's also the Commons Clause[2] which is supposed to be appended to any other open source license to add a restriction against the "right to Sell the Software".

And there's also Creative Commons NonCommercial license[3], but that one's not specifically meant for software.

All of these are interesting licenses, but honestly I haven't fully read them yet and I don't know if they have any issues or ambiguities or loopholes.

[1] https://mariadb.com/bsl11/

[2] https://commonsclause.com/

[3] https://creativecommons.org/licenses/by-nc/4.0/

gxs
2 replies
19h0m

And this is how you end up with the IP laws we have today.

This sucks man, at least this only cost you potential earnings (that it sounds like you weren’t pursuing) vs any actual money.

I wonder if in theory, should you want to, there’d be any legal recourse.

fireattack
1 replies
18h35m

He copied OP's idea, not their code AFAIK.

PradeetPatel
0 replies
18h19m

Even if they copied OP's code, depending on the FOSS license it might not be illegal.

As someone who grew up in India, this practice is actually quite common and not exactly frowned upon. When you have multiple products that perform similar functions, whoever can sell them the best will gain market dominance.

OP did not pursue the monetization path chosen by his competitor and lost out only on potential income; this might be a good lesson in entrepreneurship and IP management.

avodonosov
1 replies
17h47m

Next time I’ll be more aggressive with promotion.

Why not this time? If you are interested to promote your extension, you can do it now. Your extension is still there.

Another question is for how long YouTube and Chrome will allow it to work. (They may also feel disappointed).

rKarpinski
0 replies
16h33m

Why not this time?

The drama killed my enthusiasm and at the end of the day it was a silly side project. Have more important things to do if it is not fun.

Another question is for how long YouTube and Chrome will allow it to work. (They may also feel disappointed).

It'd probably have to get orders of magnitude more users for YouTube to do something. But not every streaming site is as laissez-faire; Hulu detects it if you set it to the max speed (16x) and Twitch is more obfuscated.

EdwardDiego
1 replies
18h58m

But I thought his was FOSS too (according to him)

chii
0 replies
18h38m

the buyer is buying the users, not the software.

Amailman
1 replies
7h4m

Not to mention, the other app has open webpages and other scummy, unsolicited behaviour. Whereas yours just does what it's supposed to.

3abiton
1 replies
18h30m

Don't certain licenses (like MIT) prevent exactly that?

paulryanrogers
0 replies
18h7m

MIT only requires attribution. A fork can still monetize the original work with minimal changes. A trademark could help at least protect the name.

Or if they stripped all attribution then a legal case could be made.

wnevets
0 replies
18h26m

I believe that is called getting "zuckered".

chimpanzee
0 replies
18h1m

Truly sorry for your experience. Hopefully it ends well, but if not you may find use of the philosophy of Jeff Tweedy:

  “…And if the whole world's singing your songs
  And all of your paintings have been hung
  Just remember what was yours is everyone's from now on
  And that's not wrong or right
  But you can struggle with it all you like
  You'll only get uptight…”

    - “What Light” by Wilco

93po
0 replies
19h31m

that must feel crappy, sorry to hear that happened

chatmasta
30 replies
1d1h

The extension ID is derived from a private key that the developer uploads with the first upload to the app store, and the ID will change if any subsequent uploads include a different key.pem in their zip file (but if there is no key.pem then the extension ID will remain the same).

Therefore, if the extension ID changes, it's possible the owner changed. However, it's also of course possible (and even likely) that the original owner might transfer the private key to the new owner. And since Google doesn't require that each upload include the private key, the new owner could push changes without even needing access to that key.

I find the extension ecosystem fascinating and I'm also working on some tools for this space ([0]: warning, WIP hobby code). For example, I want to create a GitHub repo that targets a specific extension, tracks its updates, and pushes each one as a change to the repo. And then I can run static analyzers on the code after each update, and also some runtime taint analysis I've been experimenting with (e.g. tracing user inputs into dangerous sinks like eval or postMessage).

[0] https://github.com/milesrichardson/crxmon

thisislife2
20 replies
1d

One of my Opera (Presto web engine, European owned) extensions was featured on the front page and became very popular. Somebody wanted to purchase it from me for a good amount. During the negotiation, I said I would take down the extension and provide all source code to them so they could distribute it themselves. They said they expected me to hand over my Opera extension account credentials to them too. Long story short, I backed out.

So yeah, I support your assertion that while something like this is somewhat useful, a better thing would be some kind of malware scanner for extensions.

LtWorf
7 replies
22h22m

Isn't Opera Chinese owned these days?

I interviewed at their office and at the time their business was to use the high user count the browser had on mobiles in Africa to push microcredit.

eru
5 replies
16h27m

Isn't Opera chinese owned these days?

Opera is a public company. Almost all public companies have shareholders from all over the world, including China.

https://en.wikipedia.org/wiki/Opera_(company) has some details.

EDIT: that Wikipedia article says Opera is indeed a public company, but it's only indirectly publicly traded via a chain of parent companies.

wil421
3 replies
9h49m

The CEO and Co-CEO appear to have Chinese names, same with the parent company listed in your wiki link.

pastacacioepepe
1 replies
5h45m

The CEO and Co-CEO appear to have Chinese names

So what? The CFO is Norwegian.

Since the CEO of Wikipedia is Egyptian born, would you define Wikipedia as Egyptian owned? Note that Egypt is a US backed dictatorship.

seanmcdirmid
0 replies
5h41m

Did Zhou Yahui buy a bunch of shares in Opera? Otherwise, I don't know why he would be CEO of that company (as a billionaire). Ok, from his wiki page:

The next month, a consortium of investors including Beijing Kunlun acquired Opera Software with Beijing Kunlun acquiring 48%, effectively granting ownership to the company (and Zhou Yahui) by majority.[12] Zhou has served as chairman and CEO of Opera since 2016.[4]

https://en.wikipedia.org/wiki/Zhou_Yahui

eru
0 replies
7h51m

You might want to stress that Opera is Chinese-controlled then; which is different from Chinese-owned.

(Eg Google is controlled by its founders, who still have the majority of share voting rights and are in power as executives. But it's not majority owned by them anymore.)

dagw
0 replies
9h9m

Almost all public companies have shareholders from all over the world, including China.

While Opera might not be a Chinese company in the strictest definition, over 50% of Opera's shares are owned by their Chinese parent company, and by all accounts around 80% of the shares still seem to be in control of the Chinese conglomerate that owned Opera before it went public.

thisislife2
0 replies
3h39m

Yes, Opera was sold to the Chinese. I am talking about the days when Opera was owned by the Europeans, and didn't use Chromium / Blink engine.

geoelectric
6 replies
23h56m

Unfortunately, it probably even makes sense that they'd want that for non-nefarious reasons.

If you shut down your extension and they had to put up their own copy, they'd have to re-acquire your installed base. That could be a sharp decline in value to them, particularly if the extension mostly got popular off a one-time front-page feature rather than via gradual discovery with active word of mouth.

The chance that people jump through all the hoops to impulse-install again twice is low. They'd have to really like your extension, even if your version notified them of shutdown of yours and availability of the new one. Growing an installed base is generally more a factor of not chasing your users away than explicitly doing things to retain them. That change would chase them away.

In an ideal world, you'd be able to officially transfer the single extension to a new owner while keeping all the installed users--preferably with a notice dialog enforced by the browser popping up to tell the user the ownership changed and offering them a chance to uninstall. That would also chase some users away, but it's sort of the ethical minimum (hence this HN post).

But I doubt many browsers, if any, work like that.

Ajedi32
3 replies
6h41m

a notice dialog enforced by the browser popping up to tell the user the ownership changed and offering them a chance to uninstall

Couldn't the extension do that itself? Why does it need to be a browser feature?

Edit: Quoted portion of comment I was responding to.

dotproto
1 replies
5h54m

To my knowledge no browser supports transferring an extension's user base from one extension to another. If you want your users to switch, the only thing you can do is show them a link to where to get the new extension they should install.

Ajedi32
0 replies
5h43m

The GGP suggested "officially transfer the single extension to a new owner" which you can obviously already do (by giving the new owner your account, if nothing else), and "tell the user the ownership changed and offering them a chance to uninstall" can already be done by any extension that has any sort of UI. You don't need to "[transfer] an extension's user base from one extension to another".

michaelmior
0 replies
5h1m

The extension could do that itself, but it's possible that the new owner of the extension has hijacked the extension or otherwise has nefarious intent. Forcing the browser to announce this change alerts the user of this possibility.

thisislife2
0 replies
3h41m

True, I understood that the userbase was more important to them as my extension code was already released under GPL open source license. I was concerned about the following:

1. It was a grey area if the Terms of Service allowed such transfers of Opera account.

2. I had many other extensions that were being distributed through the same Opera account.

3. My suggestion to them was that I would release a new version of the extension from my account that explicitly informs the user of the change of ownership, and also informs them to install the extension from the new owner's Opera account. They weren't interested in that.

croon
4 replies
1d

While I too would back out from anything requiring giving away credentials, is there no other way to transfer ownership? A charitable interpretation could be that they wanted to also buy the "popularity" of the extension simply for discoverability.

But it's equally easy to envision nefarious reasons of course.

ozim
3 replies
23h10m

My bet is that code on its own with due respect is most likely easy to replicate. Couple months of dev work and most likely done.

User base and trust doesn’t work that way. I cannot hire 10 devs to replicate years of building trust and brand reputation.

My idea is that the non-nefarious buyer discounted the code part and valued the trust and user base.

nemomarx
2 replies
22h59m

Should you be able to transfer trust and userbases that way? It feels like usually acquisitions trying to do this create a worse experience for users in some way or another.

dkh
1 replies
22h30m

This is a good point, and transferring of trust is a very interesting concept. But while I agree that these things shouldn’t necessarily be silently transferable, I also think there should be an easy way to onboard users to the new owner/extension (if they wish to) without having them need to think about it and manually go figure it out. It shouldn’t be silent, but it also shouldn’t be a pain. Acquisitions do often make things much worse eventually for users, but negating this by complicating the process of retaining them (especially if they want to be retained) isn’t great, either.

bombcar
0 replies
21h48m

Even if you try to keep it known, it’s easy enough to have an LLC own the extension and keys, and then sell that LLC.

And if you tie it to individuals, then an extension is transferred every time a new employee replaces an old.

thwarted
2 replies
16h53m

The extension ID is derived from a private key that the developer uploads with the first upload to the app store, and the ID will change if any subsequent uploads include a different key.pem in their zip file (but if there is no key.pem then the extension ID will remain the same).

the original owner might transfer the private key to the new owner. And since Google doesn't require each upload include the private key, then the new owner could push changes without even needing access to that key.

This isn't how PKI works. Is this really an accurate description of the way private keys are used for Chrome extensions? That you're supposed to provide the private key in a PEM file when you upload the extension?

The developer should be signing the extension/manifest with the private key and sharing the public key/including the public key in the upload. Updates should continue to be signed with the private key, and as long as the key doesn't change, the original public key from the original upload can be used to verify that the same private key was used to sign -- if the public key is included or not on subsequent uploads is immaterial. Yes, the developer could sell/share the private key with someone else, thereby allowing someone else to provide a legit, signed update, but that's the risk (to the user of the extension/message recipient) of the signer not keeping their private key private. Sharing the private key with Google, or anyone, undermines provenance of the extension. Sharing the private key with someone else wouldn't be detectable, because use of the private key to sign is the method by which the identity of the source is established.

coryrc
0 replies
16h10m

IIRC Google does the build, so they need the private key to sign the resulting binaries?

Edit: I'm probably thinking of Android and they'd probably sign with their own key.

chatmasta
0 replies
6h57m

The problem is that this isn't just a code signing system. In a code signing system, the public key would be tied to a developer, and they could rotate their private key to sign their app. But in this case, the extension ID itself is tied to a (private) key, so it's not even possible for the developer to rotate their key without changing their extension ID, which breaks existing installations and breaks interoperability for code that expects the extension pages at chrome-extension://{extensionID}.

qwertox
2 replies
22h27m

But if the extension ID changes, you'd need to explicitly install the new version. It wouldn't just auto-update.

Then again, you say:

And since Google doesn't require each upload include the private key, then the new owner could push changes without even needing access to that key.

How is it even possible that Google allows this? Is this really true?

I mean, Google is such a PITA with their Webstore for the smallest possible things, but that is something they don't care about?

I have three extensions which I have only released for testers, where I am the sole tester of the extensions, so that I can easily install them on my different machines without having to rsync/robocopy them and enable developer mode.

This weekend Chrome decided to disable all these extensions on just one machine, because "This extension is not listed in the Chrome Web Store and possibly has been added without your knowledge". I can't override and force-enable it, when I go to the web store it says it's "inactive" and gives me the option to "activate now", but "activate now" only removes the banner and re-shows it after a reload. That Chrome profile is signed in with the whitelisted account.

This happens with just one browser, my main one on my main machine, signed in with the tester account.

The badge on the CWS page claims that the developer (me) has a positive balance without any strikes. I mean, I wouldn't be able to see the page if I weren't logged in with my whitelisted email.

They "care so much" but then they allow updates without the key?

chatmasta
1 replies
22h7m

How is it even possible that Google allows this? Is this really true?

Yes, you only need to upload the key (meaning, include a `key.pem` in your packed zip file) on first upload. [0]

However, I'm not sure if Google will allow you to upload with a _different_ key. Since that would cause the extension ID to change, I'm not sure what would happen, both to the webstore page (does the previous one 301 to the new one?) and to existing installations (do they stop auto-updating?).

Incidentally, I expect this is also the reason Google allows subsequent uploads without the key. They don't want someone to lose their extension when they lose their private key.

This weekend Chrome decided to disable all these extensions on just one machine

There is a trick for this, if you are loading an unpacked extension. Simply edit `manifest.json` in the unpacked extension directory, to add a `"key": "<base64 encoded public key>"`, where that public key matches the public key associated with the extension from the store. You can do this with any extension from the store, since you can extract the public key from a .crx file [1]. When you load an extension this way, the ID will be the same as the "real" extension.

[0] https://groups.google.com/a/chromium.org/g/chromium-extensio... (note the "You don't need to repeat this procedure ever again")

[1] https://github.com/milesrichardson/crxmon/blob/4dae445b05b76...
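As an added example (not chatmasta's crxmon code nor anything from the thread), this is the derivation behind both the `key.pem` behaviour described earlier and the `"key"` manifest trick above: a Chrome extension ID is the first 128 bits of SHA-256 over the DER-encoded public key, each hex digit mapped to a letter a-p. The key bytes used here are constructed placeholder bytes, not a real key; for a real `key.pem` the DER public key would come from `openssl rsa -in key.pem -pubout -outform DER`.

```python
import base64
import hashlib
import json

# Chrome extension IDs are 32 characters over the alphabet a-p: each hex digit
# of the first 128 bits of SHA-256(DER SPKI public key) is mapped 0->a ... f->p.
ID_ALPHABET = "abcdefghijklmnop"


def hex_to_extension_id(hex_digest: str) -> str:
    """Map the first 32 hex digits of a SHA-256 hexdigest to Chrome's a-p form."""
    return "".join(ID_ALPHABET[int(c, 16)] for c in hex_digest[:32])


def extension_id_from_key(key_b64: str) -> str:
    """Compute the extension ID for a base64 DER public key, i.e. the value a
    developer puts in the "key" field of manifest.json."""
    der = base64.b64decode(key_b64)
    return hex_to_extension_id(hashlib.sha256(der).hexdigest())


def manifest_id_matches(manifest_json: str, expected_id: str) -> bool:
    """Return True if the manifest carries a "key" whose derived ID equals
    expected_id. Useful to confirm an unpacked build will load under the same
    ID as the store copy, or to spot a manifest key that does not belong to it."""
    manifest = json.loads(manifest_json)
    key = manifest.get("key")
    if not isinstance(key, str):
        return False
    try:
        return extension_id_from_key(key) == expected_id
    except ValueError:  # malformed base64 in the manifest
        return False


# Constructed placeholder standing in for a real 294-byte RSA-2048 SPKI blob.
# The derivation only hashes the decoded bytes, so any bytes show the mapping.
PLACEHOLDER_KEY_B64 = base64.b64encode(bytes(range(256)) + b"\x00" * 38).decode()

if __name__ == "__main__":
    ext_id = extension_id_from_key(PLACEHOLDER_KEY_B64)
    print("derived extension ID:", ext_id)
    manifest = json.dumps({"manifest_version": 3, "name": "demo",
                           "version": "1.0", "key": PLACEHOLDER_KEY_B64})
    print("manifest key matches store ID:", manifest_id_matches(manifest, ext_id))
```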

thwarted
0 replies
15h59m

Incidentally, I expect this is also the reason Google allows subsequent uploads without the key. They don't want someone to lose their extension when they lose their private key.

They don't want someone to "lose their extension" if the private key is lost? That makes no sense and completely undermines using PKI in the first place. This isn't how "code signing" is supposed to work _at all_.

mellutussa
1 replies
22h54m

If someone is buying your extension with wicked, dark and nefarious intentions, he's gonna want the private key too.

Pretty much everyone is going to agree, with the only individual difference on how much you have to pay.

LtWorf
0 replies
22h20m

Why does nobody ever propose these deals to me? :(

dotproto
0 replies
6h1m

The extension ID is derived from a private key that the developer uploads with the first upload to the app store

While what you described is possible, this process isn't required or the typical way an extension ID is generated. Typically developers just upload a ZIP file on their first submission, then CWS will generate and store a private key to sign the extension for public distribution.

and the ID will change if any subsequent uploads include a different key.pem in their zip file

CWS should never change an existing extension's ID. The ID is what uniquely identifies an extension. If the ID changed, Chrome clients wouldn't be able to request an updated version of that extension. CWS & Chrome do not support migrating users from one extension to another.

To the best of my knowledge CWS will reject an extension if the zip after the first submission contains a key.pem file.

Therefore, if the extension ID changes, it's possible the owner changed.

If the extension ID changes, it's not the same extension.

then the new owner could push changes without even needing access to that key.

This is mostly true, but there is one case where developers CANNOT update an extension without the PEM: if the dev signed the extension they submitted to CWS. To be honest I'm not even sure this is possible to do any more; as I recall this feature was a huge foot-gun and often ended up causing developers to lose their install base because they lost their private keys that they used to sign their own uploads.

bmacho
15 replies
1d1h

Pro tip: don't use Chrome extensions. They are a trivial and huge security risk. Similar to how a random exe was some years ago, only much worse. Use Tampermonkey scripts instead.

Tampermonkey scripts are

  - open source and easily modifiable 
  - permissions are firmly controlled
  - you can disable auto update

CobrastanJorji
4 replies
1d1h

But I want to use extensions! Extensions do so many useful things that go beyond what scripts with fewer permissions can do. I want a utility that handles screenshotting sections of pages. I want a thingy that tracks the price history of products on Amazon so I know if something is real on sale or fake on sale. I want a thing that makes ssh sessions clickable for my weird internal ssh thingy. I want the stupid and experimental web mashup extensions that add weird stuff like "a chat room for every website you visit so you can chat with other people using that website." Well, okay, I don't want that last one, but I want it to exist.

bossyTeacher
2 replies
23h50m

The price for convenience is security. If you are willing to hand your digital life to others, you will gain the convenience that you seek. You are seeking to become a digital king by gaining digital servants that handle every aspect of your life. The day one of them betrays you, it will be painful for you at the very least

advael
0 replies
11h53m

Fuck that. Pardon my language but that's a falsehood I am so sick of hearing repeated, and the only reason anyone believes it's an inevitable tradeoff is that this belief has been imposed on us by proprietary software ecosystems that have obtained the monopoly status needed to unilaterally reject competing models

The price for convenience and security being compatible is for these extensions to be auditable and for updates to be opt-in. Sure, someone could still install malicious updates under this model, but the value proposition of doing so scales with the number of people who care about the thing, and auditability allows experts who care about the thing to warn people if it does something suspicious, which also scales with the number of people who care about the thing

CobrastanJorji
0 replies
21h10m

Sure, but to continue the metaphor, the price for not relying on others is having to do everything yourself. And no king can succeed alone.

FredPret
0 replies
1d1h

These things worked well when the internet was a toy.

Now it's no longer a good idea because that same browser is also:

- your bank,

- likely your point of contact with the government / tax folk

- the place you do your shopping

- the portal for most of your communications with the rest of the world

Retr0id
3 replies
1d

permissions are firmly controlled

Not meaningfully. A Tampermonkey script has complete access to the information in a webpage it runs in. This is necessary for its operation and not something I have a problem with, but I'd never say it's an improvement in terms of security.

bmacho
1 replies
23h52m

There is a blocklist and allowlist for which sites it can run on.

For example Firefox can't even control on which websites the extensions run. This is stupid and bad. Tampermonkey just does this thing right too.

Edge at least has an allowlist, if I'm not mistaken.

Retr0id
0 replies
23h47m

The permissions to run scripts in the context of a webpage (i.e. full access, what tampermonkey does) are gated on a per-site level.

E.g. here's the "bypass paywalls" extension requesting permission to inject content scripts into particular domains: https://github.com/iamadamdev/bypass-paywalls-chrome/blob/c6...

Retr0id
0 replies
1d

Further, there's no requirement that a tampermonkey script be open-source. They usually are, but so are the regular extensions I choose to install.

I don't know about chrome, but Firefox also allows automatic updates to be disabled on a per-extension basis.

I'm a fan of userscripts but let's not pretend they're magically better.

screamingninja
0 replies
1d1h

Your point stands in case of any browser, but I am still curious: Why use Chrome at all?

paulryanrogers
0 replies
1d1h

As the web becomes more of an OS this becomes increasingly absurd. Extensions are becoming like apps, and they can be synced across machines.

TM still requires trusting their extension and script authors.

maxglute
0 replies
4h16m

Would be nice to have extension manager that operates like tampermonkey, be able to customize code and manage revisions.

croes
0 replies
1d

Tampermonkey itself is a browser extension and closed source, so you have the same problem if the ownership changes.

bossyTeacher
0 replies
23h49m

You forgot that Tampermonkey itself is an extension and has the same problems that you mentioned

asadotzler
0 replies
21h48m

A closed-source extension plus a bunch of random scripts ("unpackaged extensions" essentially, by even less well known authors with no review anywhere) is not the win over extensions that you think.

ptx
10 replies
1d

For Firefox extensions, Mozilla has a "recommended extensions program" [0] which involves "rigorous technical review by staff security experts" before extensions are included, but it's not clear from their support article if every update is reviewed before it's published.

If they do review every update, that would solve this problem at least for the more popular extensions, although I wonder how much delay it introduces when an extension needs an urgent security update.

[0] https://support.mozilla.org/en-US/kb/recommended-extensions-...

numbsafari
8 replies
1d

It's almost as if you wish there was some kind of onerous "marketplace" where participation had rules and there was some kind of enforcement taking place, and organizations that break the rules could, no matter how popular or well known, be banned if they repeatedly violate the rules of the marketplace, or work to subvert the marketplace's function.

numbsafari
1 replies
1d

The existence of crime isn’t a logical reason for eliminating law enforcement. Having a choice of marketplaces… imagine if Mozilla gave you that!

A corollary… just because one piece of software has fewer reported CVEs, doesn’t mean it is more secure.

danShumway
0 replies
23h4m

Having a choice of marketplaces… imagine if Mozilla gave you that!

It sort of does, it's just not something devs take advantage of or that exists in an official way.

If you don't want to be listed in the addon store, you can do a signed addon that goes through a much less rigorous check and then distribute it however you want. Similarly within the addon store Mozilla has a concept of "vetted" and "unvetted" addons. You end up with roughly 3 layers of validation.

There's technically nothing stopping anyone from setting up a separate addon store using only the 1st-layer of validation (or even adding a wrapper around the 3rd layer of validation since it's all still ultimately XPI files). Automatic updates would even work, you can specify URLs to check updates from. I haven't fiddled around with it much though.

And sure, it would be nice to be able to skip even the 1st-layer signing when necessary, but what exists is still better than what a lot of other app-stores allow and in practice I suspect most addons aren't going to have trouble getting their stuff signed, so it's (likely?) not a huge deal if you wanted to make a 3rd-party store to require Mozilla-signed extensions. Maybe there's something I'm missing though.

natch
0 replies
22h50m

Apple can deal with those as they are uncovered. With alternative approaches, they can’t. So your point defeats itself.

jjtheblunt
0 replies
1d

Do the links you provide mean it’s partially working not only in theory but for real?

skeaker
0 replies
22h21m

I get that you're jabbing at the Apple situation, but nobody has a problem with what you're suggesting. The problem arises when that is the only avenue to get onto a platform. Apple actively blocks sideloading and there's no way for a user to trust something that Apple has branded as "untrusted." Curation can coexist with untrusted code just fine, and in fact that's what Mozilla already does with their system mentioned in this thread!

ptx
0 replies
23h48m

Almost, yes, but not quite.

Curation and integration by a trusted party is a valuable service, and I very much appreciate Mozilla, Debian and others doing this work and enforcing their inclusion policy, e.g. the Debian Free Software Guidelines and whatever Mozilla's technical review involves. Debian's onerous rules in particular are great for the user – I can rely on packages to be appropriately licensed, to receive security patches without breaking my system with incompatible changes, to be compatible with the rest of the packages in the distribution, etc.

Some important differences from "marketplaces" provided by various for-profit companies are 1) the user can choose whatever curator they wish, or opt to install whatever they want at their own risk; 2) the service doesn't usually involve payments, selling, shopping, etc. which would usually be associated with a marketplace.

danShumway
0 replies
23h34m

Firefox has a marketplace with participation rules and enforcement where organizations that break the rules can be banned for violating them. That already exists.

They want something stricter. What they're asking for is the ability to have multiple marketplaces and validation measures, some of which have stricter rules than others. That these requests pop up in scenarios where marketplaces already exist suggest that singular universal marketplaces that attempt to be one-size-fits-all gatekeepers aren't scalable or sufficient to meet everyone's needs, and that a multi-marketplace setup would allow some of those marketplaces to offer stricter quality standards for the people who need them.

abhinavk
0 replies
23h59m

They do review every update. Even overly popular ones like uBlock Origin get stuck sometimes.

Currently my personal policy is to only allow those curated extensions to run on all sites/tabs.

infogulch
10 replies
23h1m

I'm quite sympathetic to the stated goal, and the technical limitations are understandable, but the fact that it sends a list of all your extensions to an extension-oriented ad network is a bit sus...

Why does this need an external server? - Browsers have special rules about modifying extension marketplace domains. For example, you cannot set declarative_net_request rules for chromewebstore.google.com. Therefore, this extension delegates the developer info checking to the ExBoost [1] API server.

[1]: https://www.extensionboost.com/

What Is ExBoost? - ExBoost is a collaborative network of browser extensions that want more users and more reviews.

How does ExBoost work? - Extensions add ExBoost slots inside their UI. These slots will show promotions for similar extensions, or reminders to review your extension.

chatmasta
2 replies
22h58m

It looks like Extboost is also a project by OP. The charitable explanation would be that they used its API server because they already had the data they needed to scrape an extension's metadata (i.e. its owner) given an extension ID.

mfrisbie
0 replies
22h31m

For the record, this is bang on.

infogulch
0 replies
22h52m

Yes, and the fact that you can just scrape the logs for extension installation statistics, which you can use to sell ad space, is just an accidental convenient side-effect, I'm sure.

loginatnine
1 replies
8h10m

Good find! I've dug a bit and the extension, at least for now, does not send any metadata associated with your browser[1], only a comma-separated list of extension IDs. Of course the IP could be easily used.

Looking at the result from the API for one extension I had installed[2], it lists metadata associated with the developer. I've tried to use the `chrome.management.get(id)` Chrome API and it does not return this information, and there does not seem to be a way to get the content of the manifest.json programmatically. Therefore, to do the job of the extension as it is, it does need an external source.

[1]: https://github.com/classvsoftware/under-new-management/blob/...

[2]: https://api.extensionboost.com/v1/developer?extension_ids=gh...

mfrisbie
0 replies
6h6m

I tried very hard to find a way around using an external server, as I knew HN would harp on the related privacy issues. No luck.

Andrews54757
1 replies
18h5m

I've developed some small extensions for fun. A couple of weeks ago I got an email from ExBoost with the subject "Collaboration To Grow Our Extensions." They wanted me to include their code in my extensions. I quote: "You show mine, I show yours. Zero cost, all win."

I thought it was suspicious and junked the email. It didn't seem any different from the other spam emails I got from scammers.

mfrisbie
0 replies
17h29m

I'll admit, the launch messaging could have been better.

8organicbits
1 replies
17h22m

Why does it need to contact an external service? I thought the extension ID changed when the owner changed, so you'd just need to locally track extension IDs and flag any new ones that appear. Or do I misunderstand something?

Sophira
0 replies
13h0m

Extension IDs do not change, in my experience. (I could be wrong in some cases, but I know for a fact that at least one extension I've used has been bought up without the ID changing.) It seems to me that if they did change, it would defeat the purpose of buying up extensions in the first place, because automatic updates would stop working and they'd lose the installed user base.

switch007
0 replies
11h19m

That is not a connection I expected in this kind of project. Blimey

FredPret
10 replies
1d1h

I installed adblock many years ago and loved it.

Then I got a new machine and had to reinstall it. For the first time I had a look at those permissions. Insanity. It's only logical that it should be able to see what I see to block the ads, but I never stopped to think about that.

Now I have a pihole and zero extensions.

Scion9066
1 replies
23h31m

Yep, Firefox and Chrome have declarativeNetRequest:

https://developer.mozilla.org/en-US/docs/Mozilla/Add-ons/Web...

Ublock Origin Lite uses it for example.

(It's also the thing everyone is angry at Chrome for as their 'plan to kill ad blockers' by replacing the current blocking APIs with declarativeNetRequest.)

danShumway
0 replies
23h19m

This is kind of an important point with Manifest V3: having more permission options is a good thing. It's good that declarativeNetRequest exists. Active Tab permissions are cool, I love being able to scope extensions to specific domains. Non-persistent background pages are a nice performance/security feature. The only problem with Manifest V3 is that Google is shutting down everything else and removing other APIs.

Safari's extension model kind of goes in its own direction, but it's based on similar principles to Manifest V3 and my contention with it is the same -- it's not a problem that you can build a permission-less adblocker in Safari, that's good. It's a problem that you have to, because getting rid of those permissions makes adblockers slightly less effective, which may or may not be worth it for every user. I can say with relative certainty that there is no adblocker on Safari that is as powerful as uBlock Origin on Firefox.

People bundle criticism of Chrome under the Manifest V3 label but aside from some more techy-type complaints around how Service Workers are being handled, in my experience at least a lot of Manifest V3 is really good. What's not good is that Chrome used Manifest V3 as an opportunity to get rid of a lot of other important APIs. So you don't see the same criticism levied at Mozilla because with Firefox you get most of the same benefits of Manifest V3 (and some additional benefits, Firefox's event-system is imo a better way to handle temporary background pages than Chrome's service-worker system) without the downsides of Chrome removing blocking web requests for the extensions that need them.

I'm using Manifest V3 for private extensions that I maintain for myself on Firefox. Manifest V3 is great and I enjoy trying to cut down my permissions as much as I can even though I'm basically just running the code myself. But none of my private extensions would work in Chrome or Safari or would be portable to either browser; they lack the APIs that I need and don't have any realistic equivalents.

demondemidi
2 replies
1d

What do you do on mobile?

FredPret
1 replies
6h31m

Three options:

- make it the DNS for your wifi if your router can do that

- set Pihole to be the DNS for individual devices in their wifi settings if it can't

- create a personal VPN that uses Pihole as the DNS

demondemidi
0 replies
2h40m

So even on 5G you vpn back to your pihole? What’s the latency like?

danShumway
1 replies
23h18m

Note that a Pi-hole will not be as effective at blocking ads and trackers as uBlock Origin will be. But it's good to have the option for people who want it; different people have different risk profiles and concerns.

crtasm
0 replies
20h24m

As long as there's software/devices we can't run uBlock on, there's a reason to run both.

UberFly
0 replies
1d

Which adblock extension are you referencing here? Ublock for instance uses local block lists.

Scion9066
0 replies
23h42m

That's one of the reasons behind the permission changes coming in Manifest V3: to reduce what extensions have access to in the first place. Some extensions may be open-source and trustworthy but there are many that aren't and people seem to have trouble vetting them.

josefresco
7 replies
1d1h

To combat this wouldn't malicious extension buyers simply keep the developer name the same? Or is developer name strictly policed by the Chrome Extension store?

ytx
4 replies
1d1h

Also there's not much practical defense to an unscrupulous extension author "exiting" with an under-the-table password transfer or "oops we got hacked" to a shady buyer.

<tinfoil hat> One could imagine a nefarious state actor offering the author of e.g. uBlock $XX million to get access to a lot of browsers. Not sure about the economics, but more niche extensions could probably be targeted for a lot cheaper.

usrusr
2 replies
1d

True, but at least it would require the exiting party to not have any illusions about what they are doing. I'd be surprised to hear that most extension takeover bids are open about their plans.

Uehreka
1 replies
22h21m

My guess is that most extension takeovers happen because the developer was making no money from the extension, not a lot of money at their day job, maintaining the extension was sucking up all their free time and maybe they also got an unexpected bill or were hurting for cash.

Not that those are good reasons to sell out your users, but they’re the kinds of circumstances that you can easily imagine happening.

usrusr
0 replies
21h15m

None of that changes their desire to avoid selling to the worst abuser. What circumstances can do is make them sell despite that desire.

That's why it's so important to have a clean handover path that does not involve handing over credentials: it allows circumstantial sellers to pick a least bad buyer, if one exists. The more visible the existence of a clean path (as in "advertised in the UI" vs "getting someone at Google on the phone") is, the more difficult it becomes to pretend that the shady path is clean. There might even be some "conscience arbitrage", perhaps unintended: buyers who buy through the regular handover mechanism, with a believable story of confidence in being able to make clean money (which they may or may not believe themselves), but who then sell dirty. Less money for the original dev, true, but at least there's one handover on record, eroding trust.

dankwizard
0 replies
21h9m

uBlock countered that they wanted minimum $XXX and we pulled out.

Sephr
1 replies
1d1h

This would likely be against the Chrome Web Store terms of service.

chatmasta
0 replies
1d1h

They could just purchase Extension Author LLC with the extension being one of its assets, and there would be no need to notify Google of the change in control.

whatgoodisaroad
6 replies
23h16m

Keep in mind, in the really malicious cases where an extension has changed hands, they often just sell the credentials to the Google developer account, so this won't detect those cases.

SunlitCat
5 replies
22h48m

Is selling the whole developer account even allowed?

Etheryte
3 replies
22h30m

Many things are sold that are not allowed to be sold, hasn't stopped criminals yet.

qwertox
2 replies
22h19m

But are these developers initially criminals? I doubt it. And putting associated accounts at risk (same phone number for registration, recovery email address) isn't a comfortable game to play for most normal developers.

asadotzler
1 replies
22h4m

Well, selling your installed base to someone you know to be evil may not be criminal, but it's certainly sleazy.

r00fus
0 replies
21h2m

Being sleazy is rewarded in capitalism.

artyom
0 replies
19h18m

All you need is to send your password, and a quick session to set up 2FA with the buyer's methods, update recovery settings, etc.

As long as you don't use that account for anything else, it's seamless.

Legalese isn't going to stop that.

advael
6 replies
1d

I think this is illustrative of how the economy gets more scammy the faster and more secretly ownership of a product, company, or brand can change hands.

To me, this cuts at a fundamental logic we take for granted in the paradigm of Intellectual Property: that a brand is a fungible commodity that can be sold, like any other good or service. We treat this as a transfer of ownership of some property, but I think it makes more sense to treat this as a form of fraud. A name or brand is a signal people and businesses use to indicate who made something, and its chief value is the trust that's been built by the people running whatever operation carries that brand. The fact that it is not only legal but common practice to buy a brand explicitly for this trust in the operation is, from my perspective, obviously a big part of why everything is so scammy.

ryandrake
3 replies
23h51m

Wait till you see the brand landscape in groceries and consumer goods. A few companies owning hundreds[1] of brands of everyday items. What company is actually behind Brand X? You pretty much need a database/app to remember as you're shopping. This is likely done deliberately to obfuscate and confuse. I always thought it would be a sensible law to make a company that displays a brand on a product also display their company name as-or-more prominently next to that brand, so people know who is actually making those products.

1: https://capitaloneshopping.com/blog/11-companies-that-own-ev...

advael
1 replies
23h46m

Yes, I think consumer brands for things like food are exactly the way this trend started, and the aggregation of them has been gradual but has led to lower quality and more scamminess throughout.

lencastre
0 replies
23h43m

Shrinkflation!

donmcronald
0 replies
23h40m

I always thought it would be a sensible law to make a company that displays a brand on a product also display their company name as-or-more prominently next to that brand, so people know who is actually making those products.

They should have to display the entire chain of companies in the corporate structure and, if it's too big to legibly fit on the package, you can't sell it.

jl6
1 replies
23h32m

This can also happen without a change of ownership.

1. Launch good product

2. Get good reviews

3. "Optimize" the design to use cheaper, worse components

4. Sell it under the same name

5. Coast on those good reviews and enjoy the higher profit margin

advael
0 replies
19h15m

Yes, it absolutely can. However, these decisions are more the rule than the exception in an acquisition or change of management, whereas people who set out to make things that get the good reviews in the first place will often value the effort they've put into the thing they've made, the reputation they've earned with it, their relationship with their customers, or even just take pride in making something well.

Of course, perhaps it would be even rarer in a world whose incentives resisted "optimization" of this kind rather than actively encouraging it.

redbell
5 replies
1d

This is really useful, although, as another commenter said, this should be a built-in feature.

A question I have regarding this extension, as I haven't taken a deep dive into the source code yet: does it automatically notify you (not necessarily in real time, but at least at startup) of an ownership change, or do you need to manually trigger a check command?

A few months ago, a story on this topic was trending: https://news.ycombinator.com/item?id=36233068

From the top comment of the above story:

"I think it would behoove Firefox and Chrome to change their policies around automatic extension upgrades in these scenarios: if an extension discloses a change in ownership, then upgrades should require user approval. If an extension fails to disclose a change in ownership, then users should be able to report it as malicious."

As a side note, probably the title should be prefixed by "Show HN"

mfrisbie
2 replies
1d

Creator here. A check automatically runs every hour, and if there are any changes detected, a badge appears over the extension icon. I decided anything more than that was too invasive.

redbell
0 replies
1d

Indeed, periodic checks with a well-thought-out interval do make sense. Well done!

jtriangle
0 replies
16h25m

It would be much better to at least have the option to automatically disable an extension with changed ownership instead.

The majority of owner changes are going to be malicious, so the action taken should account for that.

kylecordes
1 replies
22h26m

Adding such a speed bump where the user must explicitly approve the upgrade because of a change of ownership of the company that provides it, would leak a fair percentage of the users. This would decrease the value of the product/company when sold. User friendly, but creator (who has bills to pay) unfriendly.

sfink
0 replies
6h20m

It seems fair for the browser to charge a fee (in the form of losing a percentage of users) in exchange for money earned by stealing data from users.

Creators do not get offered large sums of money by entities motivated by the desire to better serve the creator's users.

So yes, I agree that it would decrease the value of selling out. I see that as a good thing. It fights against what is currently killing the extensions ecosystem for everyone.

odyssey7
4 replies
1d1h

Is this an issue that's worse for Chrome than for other browsers?

The only browser extension I use is HonorLock, an exam proctoring software that I'm required to use. Its extension is for Chrome only, so I use Chrome from time to time out of the requirement to use HonorLock. If I visit the install link in Safari, it tells me to install Chrome: https://app.honorlock.com/install/extension

I'm wondering if there's something unique about Chrome's extensions that both supports HonorLock's use case and makes this submission's linked resource more helpful.

ponector
2 replies
1d1h

Only use honorlock? How can you live without AdBlock?

codazoda
1 replies
1d1h

Sounds like Chrome isn't their daily driver. Firefox blocks a lot of ads by default in Strict mode. That's what I use, so I haven't used AdBlock for a long time.

I also have a Pi-hole on my home network.

odyssey7
0 replies
1d1h

Yep, you got it. I just generally don't use Chrome unless I'm taking an exam that requires it.

harkinian
0 replies
23h45m

It's just that Chrome is the most popular browser and thus the chosen extension attack vector.

screamingninja
3 replies
1d1h

How will I know when this extension changes owners?

jaredsohn
1 replies
1d1h

Could install another extension change detector and hope they don't both change owners at the same time.

odyssey7
0 replies
1d

How many change detectors to mitigate against 51% attacks?

Realistically, even with this extension functioning as advertised, there are still plenty of related risks. E.g., a software company could disguise its motives early on and convert its product into malware at a later date, or the developer could be paid by a 3rd party to add certain features.

barryrandall
0 replies
1d1h

With a change detector change detector.

p0w3n3d
3 replies
1d1h

An extension to detect that other extensions have changed their owners. What happens when this extension changes its owners?

bossyTeacher
1 replies
23h47m

Glad someone noticed that.

p0w3n3d
0 replies
12h31m

Tbh one can always install it locally (as a local extension)

michael9423
0 replies
1d1h

That will clearly require a new extension that monitors "Under new Management".

maurice2k
3 replies
1d1h

Question is if this extension detects having changed owners itself? Maybe something else, not an extension, would be better suited for that kind of check, although of course more complex I guess.

mfrisbie
0 replies
1d1h

Creator here. It does self-detect (chrome.management.getAll() returns all installed extensions), but fair point.
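
The comparison step behind the check described in this thread (an hourly run that diffs developer names against the last stored snapshot, shows a badge on change, and covers the detector's own ID via chrome.management.getAll()), as an added example that is not the extension's own code. Since chrome.management.get() does not expose the developer, the real extension gets developer names from an external lookup; here that lookup, the installed-extension list and the previous snapshot are all constructed objects so the logic runs offline.

```javascript
// Added example, not code from the Under New Management extension.
// All IDs, names and developer strings below are constructed samples.

// Constructed extension IDs (Chrome IDs are 32 letters a-p; these are made up).
const ID_TIDY = "abcdefghijklmnopabcdefghijklmnop";
const ID_READER = "bcdefghijklmnopabcdefghijklmnopa";
const ID_SELF = "cdefghijklmnopabcdefghijklmnopab";   // the detector itself
const ID_NEW = "defghijklmnopabcdefghijklmnopabc";

// Constructed sample of the shape chrome.management.getAll() returns.
const INSTALLED = [
  { id: ID_TIDY, name: "Tab Tidy", enabled: true },
  { id: ID_READER, name: "Page Reader", enabled: true },
  { id: ID_SELF, name: "Owner Change Detector", enabled: true },
  { id: ID_NEW, name: "Brand New Thing", enabled: false },
];

// Constructed stand-in for the external developer lookup (id -> developer).
// ID_NEW is deliberately absent: the lookup knows nothing about it.
const DEVELOPER_LOOKUP = {
  [ID_TIDY]: "Example Dev LLC",
  [ID_READER]: "Acquirer Holdings",   // differs from the stored snapshot
  [ID_SELF]: "Detector Dev",
};

// Constructed snapshot as stored by the previous hourly run.
const PREVIOUS_SNAPSHOT = {
  [ID_TIDY]: "Example Dev LLC",
  [ID_READER]: "Original Author",
  [ID_SELF]: "Detector Dev",
};

// Join the installed list with the lookup; null marks "developer unknown".
function buildSnapshot(installed, lookup) {
  const snapshot = {};
  for (const ext of installed) {
    snapshot[ext.id] = Object.prototype.hasOwnProperty.call(lookup, ext.id)
      ? lookup[ext.id]
      : null;
  }
  return snapshot;
}

// Diff two snapshots. Unknown developers are reported but never flagged as a
// change, so a failed lookup cannot produce a false alarm or hide one later.
function detectOwnerChanges(previous, current, selfId) {
  const report = { changed: [], added: [], removed: [], unknown: [], selfChanged: false };
  for (const [id, developer] of Object.entries(current)) {
    if (developer === null) { report.unknown.push(id); continue; }
    if (!(id in previous)) { report.added.push(id); continue; }
    if (previous[id] !== null && previous[id] !== developer) {
      report.changed.push({ id, from: previous[id], to: developer });
      if (id === selfId) report.selfChanged = true;
    }
  }
  for (const id of Object.keys(previous)) {
    if (!(id in current)) report.removed.push(id);
  }
  return report;
}

// Badge text for chrome.action.setBadgeText: the count of changed owners, or
// empty to clear the badge.
function badgeText(report) {
  const n = report.changed.length;
  return n === 0 ? "" : String(n);
}

// Snapshot to store for the next run: keep the last known developer when the
// lookup returned nothing this time, so history survives a transient failure.
function nextSnapshot(previous, current) {
  const merged = {};
  for (const [id, developer] of Object.entries(current)) {
    if (developer !== null) merged[id] = developer;
    else if (id in previous) merged[id] = previous[id];
    else merged[id] = null;
  }
  return merged;
}

// One hourly run end to end.
function runCheck(previous, installed, lookup, selfId) {
  const current = buildSnapshot(installed, lookup);
  const report = detectOwnerChanges(previous, current, selfId);
  return { report, badge: badgeText(report), snapshot: nextSnapshot(previous, current) };
}

const result = runCheck(PREVIOUS_SNAPSHOT, INSTALLED, DEVELOPER_LOOKUP, ID_SELF);
console.log(JSON.stringify(result.report, null, 2));
console.log("badge:", JSON.stringify(result.badge));
```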

kosolam
0 replies
1d1h

Yep. Maybe a website that tracks them and sends email or other notifications.

jaredsohn
0 replies
1d1h

This is how you make an extension that you can resell for big bucks. People looking to buy extensions will need to buy popular extension checkers first so they can do so undetected. /s

dsp_person
3 replies
1d1h

Won't the damage be done by the time you detect it? Extensions auto-update by default and there are only hacky ways to prevent this. This has always bothered me since just because I trust an extension now, doesn't mean I'll trust the next update that gets automatically applied.

abhinavk
1 replies
1d1h

Thankfully Firefox has a per-extension toggle for auto-update.

dsp_person
0 replies
1d

Oh nice, TIL. Another push for me to switch to FF.

re
0 replies
1d

At least I think it's pretty rare for a sold extension to turn malicious in a way that could do permanent damage, such as stealing your passwords. It's usually more along the lines of excessively invasive tracking or injecting their own ads; while I absolutely wouldn't want that normally, I probably wouldn't lose sleep over it if I learned that it had happened for 24 hours before I uninstalled the extension. That being said, I would definitely like a better solution to this problem.

xg15
1 replies
23h59m

Does it check itself too? I.e. notify you if its own ownership has changed?

8organicbits
0 replies
17h27m

It looks like the current code does. But this provides little assurance as the new owner could update the code to behave differently. Since the checks run after the update is installed, you can't rely on it.

xer0x
1 replies
1d

Thank you for creating this! Extensions have maliciously shared my credentials, and I appreciate whoever made this.

mfrisbie
0 replies
1d

Creator here - you bet! It's a big problem.

user3939382
1 replies
18h29m

This should just be a feature in Chrome. They should be disabled when owners change if you have this option enabled, which should probably be the default, and you get prompted to ask if you want to enable it. Ideally ownership change should require an accompanying statement explaining the change which is then presented to users in this process.

paulryanrogers
0 replies
17h52m

Could be hard to vet. Maybe it could be based on email address change?

Or changing email requires paying the dev fee again, and if the financial info differs then prompt end users?

artyom
1 replies
19h20m

This is no joke.

I've owned a quite popular open source Chrome extension for years. The amount of total donations wouldn't pay for a month of coffee.

But oh boy, the number of times and insane numbers I was offered to sell the extension for obviously nefarious purposes (some of them outright explicit).

I rejected them all but nobody in their sane mind would really expect the moral virtue of the original developer to be the only security and privacy framework for this scenario.

artyom
0 replies
19h15m

Also: the really nefarious ones wouldn't be detected by the tool from the post, as they demand that the developer account is also transferred with the purchase, not just extension ownership (including the user base) and the code.

Retr0id
1 replies
1d

It'd be neat if there was a way to install an extension from git, including getting notified of updates and an easy way to install said updates. The current UX around installing extensions "out-of-band" is poor (in both firefox and chrome), I wonder what it'd take to improve things.

iggldiggl
0 replies
5h10m

The current UX around installing extensions "out-of-band" is poor (in both firefox and chrome), I wonder what it'd take to improve things.

The problem is that that experience isn't poor because of neglect, it's poor because you're intentionally not supposed to do that kind of thing unless you're developing and testing an add-on yourself.

(I don't know how Chrome arrived at that state, with Firefox the justification was that if the user can do that sort of thing [install random unsigned add-ons] easily, then so can ad-ware [browser toolbars and other spyware stuff].)

INTPenis
1 replies
1d

Weird thought here but maybe the distributor of chrome extensions should not allow one extension to change owner? Doesn't make sense to me.

I don't use chrome though. I wonder how Firefox handles it.

bombcar
0 replies
21h28m

Would be hilarious if taken to the extreme - you’d get a notification on every share sold of Google ;)

zubairq
0 replies
15h39m

Could a variation of this be used so that it is possible for a popular chrome extension like Metamask to be hacked so that a compromised update could be installed automatically and then everyone's crypto gets stolen?

thih9
0 replies
9h19m

If you don't trust the owner, you shouldn't install an extension in the first place. And if every owner is at risk, the store should have a way of protecting against that.

This extension sounds like a good temporary measure; still, the overwhelming majority of Chrome users won't install it. The actual fix should happen elsewhere.

tech234a
0 replies
1d

I've also used Extensions Update Notifier [1] in the past, which has the option to disable extensions on every update. It hasn't been updated since 2016, but recent reviews say it still works. It doesn't detect ownership changes though.

[1]: https://chromewebstore.google.com/detail/extensions-update-n...

snerdapp
0 replies
1d1h

Great work! I hope Google/Mozilla and others will build this functionality into the browser itself someday so the user can make an informed decision.

prmoustache
0 replies
9h10m

I am not a chrome extension user but I am gobsmacked that it wouldn't be the default behavior of Chrome in the first place.

What happens in Mozillaland, can the owner/developer account of an extension change?

npace12
0 replies
6h15m

Great idea! We need a lot more visibility into what extensions are doing. I made little-rat [1] last year, to detect network calls coming from other extensions. Love to see more tools like yours!

[1] https://github.com/dnakov/little-rat

mska
0 replies
1d

I'm currently working on an extension as well ([0]) and share the same concerns many have mentioned about extensions here. I'd like to highlight another dimension concerning the Browser APIs ([1]).

Handling the permissions necessary for certain API functionalities and the corresponding warning messages can be somewhat confusing. For instance, our extension uses "chrome.devtools.panels" to open a new window within DevTools. This API doesn't require any permissions by itself. Yet, for messaging across the popup, content, and DevTools windows, we're required to use activeTab and sendMessage APIs. The DevTools window operates in its unique context, almost like a tab within another tab. For example, updating the URL in the active tab doesn't directly update the DevTools window but triggers an event.

Messaging across these different contexts requires the "https://*/*" host permission, without which Chrome and Firefox won't send the messages between these isolated windows.

We made this permission optional; the DevTools Panel is activated only upon receiving explicit user consent. However, the permission prompt's messaging is something like "This extension requires access to all your data," which sounds very alarming. We don't access any data, nor do we want to, but requiring that permission is mandatory since the message APIs won't work without it.

This is just one example of the many undocumented complexities within Chrome's documentation. Similar pitfalls exist with message exchanges between the background service and content scripts. Sometimes you don't know why your API call doesn't work even though you think you have the required permission, and asking for more permissions shows very alarming messages to users.

I think that a more granular permission approach, made specific to API functionalities rather than broad permissions that cover a list of APIs, would significantly help user experience. For example, requesting permission for the "sendMessage API" with a clear explanation would be far more informative for users than the general "All host https:///" permissions.

There's also the issue of building for different browsers. The same browser API calls can have different permission requirements on Chrome and Firefox, which makes the development process more difficult and more confusing for users, since the same extension requires different permissions on different browsers.

[0] https://divmagic.com

[1] https://developer.chrome.com/docs/extensions/reference/api

mrtesthah
0 replies
21h54m

I don’t even understand why Google allows an extension to have its owner changed while remaining installed and active on users’ machines.

Changing the owner should automatically disable the extension worldwide and require manual user re-approval, at the very least.

mcapodici
0 replies
20h20m

A lot of extensions are only used occasionally, so it would be nice to have them off by default, but be able to launch a session with just that extension for when needed, which may/may not be incognito.

fudged71
0 replies
4h18m

Is there any way that this extension could look backwards in time, before [this] extension is installed?

codedokode
0 replies
1d1h

I never install extensions because nobody checks them and it is a security risk. Also, they might contain telemetry and spyware.

bossyTeacher
0 replies
1d

No one has said yet? Can't believe this, HN! Ok, I will be the one to say it:

An extension watcher is great, but what happens when THIS extension itself changes owners?

Who watches the watcher?

bhpm
0 replies
1d

Tracking the ownership of your Chrome extensions sounds exhausting, especially if you're someone who just wants to surf the damn web and are not some kind of super nerd.

Sophira
0 replies
13h14m

This is a cool idea!

However, I have a couple of reservations:

1. Firstly, the JavaScript code in the release version of the extension is 12MiB. This is a lot of code, with much of it in a bundled form, making it very difficult (if not almost impossible) to verify them against the originals in the case of React, lodash, etc.

2. It seems like the code uses an external API[0] to find the current owners of the installed extensions. While I appreciate that this may be one of the only ways to do it (since I imagine Google themselves would not appreciate an extension programmatically accessing the Chrome Web Store to find the current owners) - and as far as I can see from the published code, it doesn't send any identifying data beyond what a normal Web request does, hence why I'm not identifying the site by name here - I would still urge caution as it might still cause alarm to someone examining their Web traffic and seeing a suspicious domain name, as the sort of person who would be interested in this extension is more likely to also be the sort of person who would watch their Web traffic closely. (I know I do.)

In general, though, I love this idea and I hope it raises awareness of new owners looking to monetise existing extensions, and does something to reduce the likelihood of it occurring.

[edit: Actually, on further investigation, it looks like the developer of this extension is also the developer behind ExtensionBoost[1] (the site that's hosting the API mentioned above), so there's no need to hide the name any more. Note that this may also indicate that the developer is using this to gather lists of installed extensions, to allow them to indicate 'related' extensions by popularity in ExBoost - but it's important to note that this is just speculation on my part!]

[0] https://github.com/classvsoftware/under-new-management/blob/...

[1] https://www.extensionboost.com/

Animats
0 replies
23h12m

When an extension changes owners, that name should be dead for a year.

That would be useful for domains, too.