Hot topic: Browser extension / add-on security

A hot topic in recent days has been the security of browser extensions / add-ons. The terms "extension" and "add-on" are interchangeable and amount to the same thing. Chrome uses the term extensions; IE and Firefox use the term add-ons. I'm a Chrome user, so I'll use the term extensions from here on out.

Regardless of the term, extensions can add handy functionality to your browsing experience. To do so, they have to be granted some level of permissions upon installation to do whatever "handy thing" the extension promises. For instance, last week I discussed and recommended the Evernote Clearly extension. This extension allows for manipulation of the display of web pages. I feel comfortable recommending this extension because I trust the Evernote folks not to do something nefarious in the extension.

At the bottom of this post is a good article from Ars Technica that covers the latest kerfuffle and the pros / cons of extension handling in the major browsers. It also has some links to more information about the issue that may be of interest.

What does ProTechCoach recommend?

  1. Regardless of what browser you use, stick with "major brand" extensions. I currently have 8 extensions installed in Chrome, published by the following entities. I trust these organizations based on past experience and reputation, and because they are large enough that doing something purposely heinous would hurt their brand immensely.
    • Adblock Plus, Bitly, Evernote, Google, LastPass, PicMonkey
  2. Review your extensions and uninstall any you aren't using or whose origin you don't know. You can always reinstall one later if something you really depended on suddenly isn't working. To check whether you are using an extension, start by disabling it for a day. If you don't notice anything critical change in your browsing experience, go ahead and delete it, or re-enable it if you realize what you had it for.
  3. I'm sticking with Chrome. As the Ars Technica article mentions, Chrome has made changes and more are coming in June to further secure extension handling.

Chrome’s regulations for existing extensions are set to change in June 2014. The changes should prevent extensions from being anything but “simple and single-purpose in nature,” with a “single visible UI surface” in Chrome and a “single browser action or page action button,” like the extensions made by Pinterest or OneTab.

This has always been the policy, per a post to the Chromium blog back in December. But going forward, it will be enforced for all new extensions immediately and for all existing extensions retroactively beginning in June.
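The review in step 2 can also be done from the permissions each extension declares in its `manifest.json`. The Python sketch below is an added example, not something from the original post or from Chrome: it flags extensions that can run on every site or that request sensitive browser APIs. The watch lists, function names and sample manifests are constructed for illustration, and `audit_profile` assumes the usual `Extensions/<id>/<version>/manifest.json` layout inside a Chrome profile.

```python
import json
from pathlib import Path

# Watch lists chosen for this example (assumption); extend them to suit your own review.
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
SENSITIVE_APIS = {"tabs", "history", "cookies", "webRequest", "management", "clipboardRead"}

def review_manifest(manifest):
    """Return a sorted list of reasons this extension deserves a closer look."""
    declared = [*manifest.get("permissions", []), *manifest.get("host_permissions", [])]
    for script in manifest.get("content_scripts", []):
        declared += script.get("matches", [])
    # Some manifests mix dict entries into "permissions"; only string entries are compared.
    names = {p for p in declared if isinstance(p, str)}
    findings = [f"can run on every site ({p})" for p in names & BROAD_HOSTS]
    findings += [f"sensitive API: {p}" for p in names & SENSITIVE_APIS]
    return sorted(findings)

def audit_profile(extensions_dir):
    """Map extension name -> findings for every manifest under a profile's Extensions folder."""
    report = {}
    for path in sorted(Path(extensions_dir).glob("*/*/manifest.json")):
        manifest = json.loads(path.read_text(encoding="utf-8-sig"))
        name = manifest.get("name", "")
        if not name or name.startswith("__MSG_"):  # localized placeholder: fall back to the ID
            name = path.parts[-3]
        findings = review_manifest(manifest)
        if findings:
            report[name] = findings
    return report

# Constructed sample manifests (not real extensions).
SAMPLES = {
    "Page Tidy": {"permissions": ["activeTab", "storage"]},
    "Coupon Helper": {
        "permissions": ["tabs", "http://*/*", "https://*/*", {"fileSystem": ["write"]}],
        "content_scripts": [{"matches": ["<all_urls>"], "js": ["inject.js"]}],
    },
}

if __name__ == "__main__":
    for name, manifest in SAMPLES.items():
        print(name, review_manifest(manifest) or "nothing broad declared")
```

A finding is a prompt to look closer, not a verdict: ad blockers and password managers legitimately need access to every page, which is why the publisher's reputation in step 1 still matters.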

Here's a quick video showing how to check and manage your extensions in Chrome.

Ars Technica: After Chrome’s recent extension drama, what browser has the safest add-ons?

http://arstechnica.com/business/2014/01/seeking-higher-ground-after-chrome-extension-adwaremalware-problems/#p3