The subtle point of delegating everything to remote services is your user doesn't need to know when you've modify behavior. If Amazon were to bundle the content, you'd need to explicitly update your extension.
You're delegating to Amazon that they'll continue to respect your privacy (no claims were made they weren't), but also their systems are secure, and will continue to be. This is too much trust to give any entity. No thanks.
From Amazon's perspective, they probably have more than one team working on the extension. A coordinated deployment process at scale is painful. Allowing each team to deploy to its own endpoint and communicate with other components via message passing (events) is exactly how you'd expect a company that grew up on SOA to design.
> Putting these JavaScript files into the extension would have been possible with almost no code changes
The AMO team at Firefox used to outright ban addons with remote script injection. I guess it matters who you are -- like on the Apple App Store, big names just need to pull the right strings or call the right people for a free pass. Rules are not applied equally. The playing field is NOT level.
> Rules are not applied equally. The playing field is NOT level.
That's true, always has been.
> big names just need to pull the right strings or call the right people for a free pass
I'd be curious if that's the case.
For the most part in B2B, "the rules" generally only apply when the risk of a client doesn't out weight the benefit of that client. T&C and Contracts are always negotiable, it's just a matter of if it's worth it to both parties.
Amazon has more street cred than say, me, as a developer. And Amazon has a lot more to lose from their Add-On doing a bunch of evil things that I would if I decided to do evil things with mine. Amazon is big enough to assume liability for both itself and Mozilla if something goes wrong, I can't.
I'm not defending Amazon but what did they do that was evil? From what I read in the article, they were doing things a normal add-on developer isn't allowed to do, but that isn't inherently evil.
In a similar vein, your reasoning would conclude that white hat hackers are evil as well.
Having the power to do something bad, and doing something bad with that power are not equivalents.
Is it unfair that they received that power? Yes. Does that make it evil? No. Do I trust them? No.
I'm not defending Amazon, I'm questioning your reasoning because I don't arrive at the same conclusion.
Individuals in the US are not allowed to own machine guns except with extremely limited exceptions. Owning a machine gun does not inherently make one evil, so why can’t we own them?
> Individuals in the US are not allowed to own machine guns except with extremely limited exceptions.
That's not true. The laws vary by state with California being one of the most restrictive but other states like Idaho, Iowa, Montana, Nebraska, New Mexico, and Mississippi having no restrictions at all.
The AMO team used to review every submitted add-on. They no longer do, now it just says “This add-on is not actively monitored for security by Mozilla. Make sure you trust it before installing.” on virtually every add-on. They still enforce this policy, but usually only when someone reports an add-on violating it. I reported this add-on, we’ll see now when/how they take action.
Note: I’m the author of this article and a former AMO reviewer.
Browser extensions being enabled for all webpages by default is bad practice for security and privacy. Often the user only wants to use the extension on specific webpages. For example, if I have a video downloader extension, chances are that I only want to use that extension on the page with the specific video I want to download.
Extensions should be disabled by default upon install. If the user wants to use the extension, the user should be able to click on the extension to active it for this specific page for one time only. None of the major browsers are capable of this (so far as I'm aware), so I always have to remember to disable an extension when I'm done using it.
Steps have been taken toward making this the norm in Chrome but it’s not clear yet to what degree it will be enforced. Already user can chose on install or at a later time to limit the domains an extension is active on (no matter what permissions it requests) and the ‘declarative’ model for interactions (wake on invocation by user or declare rules/lists to be applied on your behalf by the browser itself) is heavily promoted.
My extension is intended to work from any site (Browser Routr). I could dynamically update the extension manifest from its complimentary native app, but that creates races with the extension update process. And for many extension the concerns are cross cutting. For example I want dark style overrides everywhere.
Chrome has this functionality, other Chromium-based browsers most likely as well. But how many users would actually manage access lists for extensions?
I will test out Chrome - thanks. Yet I was hopeful there'd be other choices.
I believe more than one user would actually manage access lists for extensions but you have asked a really loaded question given that browser users are not being given the choice here.
If the dominant web browser wasn't an ad company, browser extensions would not exist in the way they do today. Because any responsible security engineer would nuke browser extensions from orbit, but currently everyone who isn't an ad company has to maintain feature parity with the ad company for competitive reasons.
They are by far the most risky thing one could possibly put on a PC. They essentially remove any alleged benefit to HTTPS/encryption or anything of the sort, because they live inside your web browser and have post-decryption access, often to every website you visit and everything you enter into them.
Do not use browser extensions. Ask your IT person to restrict the ability to install browser extensions.
Huh? From my point of view extensions like uBlock Origin and 1PasswordX further enhance and secure my browsing, with uBO I'm blocking ads and trackers (including malicious ones) and with 1Pass I get secure form fill.
Novelty extensions are a completely different story but I wouldn't go so far as to ban all extensions ever.
I would say any feature worth building as an extension should be a browser feature (like Edge and Firefox have brought ad/tracker blocking). An extension or two for critical functionality is fine if you really, really trust the source, but the default should be hostile to extensions.
But how would you differentiate between useful and gimmicky extensions? If you give users freedom, it always comes with a risk. For the average user, a system like Safari on iOS might be the best solution while more advanced users should have the option to install whatever they like.
I’m not familiar with Chrome/Firefox extensions, but for Safari Web Extensions you can indeed restrict extensions. [0]
Edit: Looks like this feature is present in Chrome/Firefox extensions as well but for all these platforms (Safari included I think), this needs to be implemented in the code itself[1]
My first thought was BonziBuddy: a free "assistant" program that was monetized by capturing and selling your personal data and displaying ads directly.
The Google toolbar specifically had a privacy settings popup with a big fat red "PLEASE ACTUALLY READ THIS" notice, explaining what it does, and letting you choose between a mode that only worked locally (unless you were making a search or explicitly triggering some other online feature of course) vs. one that sent some data to Google with each visit (with PageRank display being tied to sending the data).
Users weren't pushed to choose one or the other. Both buttons had the same size and color. It was VERY clear that the developers wanted users to make a meaningful, free choice vs. "just click approve".
The benefit for Google was that installing the toolbar made it easier for you to do Google searches, driving usage up.
Unfortunately, that’s only your word. The way this system is designed, nobody will notice if Amazon chooses to be less obsessive about it. Or if their systems are hacked. Are you certain that these web services are secure? I’m not (one obvious vulnerability has been reported). If someone compromises one of these services, the results will be disastrous.
Speaking for myself, not the co: we all decide who we want to trust and why, whether it’s browser extension, or a browser, or a phone.
For me, it comes down to alignment and value. Amazon stands to lose a lot if they decided to suddenly stop caring about customers, or not take security seriously. And the Internet gets pretty small if your threat model requires zero trust.
I work on a shopping assistant type browser extension and I am very confident that if I proposed an architecture and implementation such as the author identifies here I would be turned down immediately: having good intentions around privacy is one thing but deliberately designing your application in a way that allows to bypass almost entirely the review process required on submission to the store is something that should be answered for.
It will be interesting to see how the developers of this extension respond to Google’s roll out of extensions Manifest V3 - the new specification could almost be directly targeting them: with service worker replacing background script there will no longer be a concealed window to mount those iframes. Thanks to the author for this write-up
No, it's not possible to see what Amazon does with this information but it's clear they can do way too much. And, they can change the behaviour at any moment without the user getting notified within these existing wide permissions. At the very least it's very poor design.
Not only did you miss the point of the article, you must have missed where in these very comments the author replies to someone else who just barely skimmed the article.
I will copy/paste it for you.
"You could also read the article before commenting. It’s one thing when an extension could do something but its code can be inspected to verify that it doesn’t. It’s an entirely different thing if it delegates its privileges to a web service that could do anything and that nobody can inspect.
> It’s an entirely different thing if it delegates its privileges to a web service that could do anything and that nobody can inspect.
Would it be more accurate then to say it potentially lets Amazon track you? Without the word "potentially," or similar, it makes it sound like they are in fact doing it when you just said it "could."
To be clear, I'm not the author so I cannot answer on their behalf.
In my opinion though, "could" is so close to "potentially" in definition that it seems rather pedantic to hinge the entire article and its conclusions on that single choice of word.
If Amazon does track some users of their extension right now, we wouldn’t know. It’s a web service, nobody can tell whether it behaves the same for everyone. It has all the privileges, and I can look into what it does with these privileges in my case, but I cannot tell whether it works the same for you.
All right upon closer reading you are correct. I seem to have missed the point of the article. There are some good points that the author brings up.
However I still think the title could be better. There are lots of things that applications "can" do. I put more trust into random applications that run on my system.
Yes, you put considerable trust into applications running on your system. But I hope that you don’t just install random applications. You probably choose only vendors where you can reasonably assume that they don’t want to accept the backlash of having shipped a malicious application.
Now shipping a malicious application is always a risk. This application release is evidence of misbehavior, should someone choose to analyze it. This risk is almost non-existent with dynamic web applications. It would have to be the one targeted user who analyzes megabytes of code.
To sum up: there is a good reason why websites are sandboxed and don’t get any access to your system.
"Still, I was astonished to discover that Amazon built the perfect machinery to let them track any Amazon Assistant user or all of them: what they view and for how long, what they search on the web, what accounts they are logged into and more.
Amazon could also mess with the web experience at will and for example hijack competitors’ web shops.
Amazon Assistant log with a borg eye
Image credits: Amazon, nicubunu, OpenClipart
Mind you, I’m not saying that Amazon is currently doing any of this."
This goes for any browser extension you install if you don't limit which websites it's allowed to read data from.
In both the title and beginning paragraph, the author essentially describes the privacy risks that would apply to any browser extension, but words it in a way that implies Amazon is actively abusing those privacy holes, before finding any evidence for it.
I really wish people would stop giving views to blatantly manipulative and slimy clickbait like this.
You could also read the article before commenting. It’s one thing when an extension could do something but its code can be inspected to verify that it doesn’t. It’s an entirely different thing if it delegates its privileges to a web service that could do anything and that nobody can inspect.
This distinction seems somewhat meaningless in practice. Are you going to audit every line of every extension you install, assuming it's all local code? And are you going to do this again every time it's (automatically) updated?
This is a greater issue with the extension/app ecosystem.
This morning I wanted to find a android app which would help me time exercises, specifically planking.
It should be simple, set up countdown times for front and each side with 5 second breaks in between, playing a tone to let me know when I can move on or I am done with the exercise.
I looked through at least the top 20 apps on the play store and all of them require at least full network access and to run at startup. Many were so invasive as to request location and to be able to record audio and take pictures.
Being able to monetize these apps is an important thing for developers but it is becoming a real problem I do not see getting any better soon.
The whole extension is all about “let’s see when customers go to competition and try to bring them back.” That’s rather shady but it’s exactly the advertised functionality. And I’ve already got the first comment on the blog essentially saying “I don’t care what else they do, this extension gives great suggestions and I love that.” :-)
The subtle point of delegating everything to remote services is your user doesn't need to know when you've modify behavior. If Amazon were to bundle the content, you'd need to explicitly update your extension.
You're delegating to Amazon that they'll continue to respect your privacy (no claims were made they weren't), but also their systems are secure, and will continue to be. This is too much trust to give any entity. No thanks.
From Amazon's perspective, they probably have more than one team working on the extension. A coordinated deployment process at scale is painful. Allowing each team to deploy to its own endpoint and communicate with other components via message passing (events) is exactly how you'd expect a company that grew up on SOA to design.