
While I fully agree with the hacker ethos of this post, a major issue I have with extensions today is that they're hard to trust. Chrome updates them automatically in most cases, which means a malicious update can easily slip by undetected. There are hordes of data companies looking to buy popular extensions or pay their authors to sneak spyware or other trackers in. The risk surface is massive, which is sad because I believe extensions are also one of the best modalities for extending what people can do online.


Entirely agree, although as a developer the auto-updating is definitely a feature, since it lets you assume users are all on the same version.

It is definitely a risk for users though.

You can also "opt out" of automatic updates, but the process is a bit involved.

1. Locate the extension on disk

2. Copy it to some other location

3. Add it as a developer extension via the "Load unpacked" button in the extensions screen.

I would also advocate for extensions being open source, but of course most of them are not.
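The three steps above, scripted as an added example (this is not code from the commenter or from Chrome). It assumes Chrome's documented default-profile layout, where a store extension is unpacked to `<Extensions>/<32-character id>/<version>_<n>/manifest.json`; the extension id, manifest and file names in `demo()` are constructed so the example runs without a real profile. Extensions loaded via "Load unpacked" are not touched by Chrome's updater, which is why the copy stops receiving updates.

```python
"""Pin a Chrome Web Store extension by copying it out of the profile so it can
be loaded via "Load unpacked". Added example; paths are Chrome's documented
defaults for the "Default" profile and may differ for other profiles/builds."""
import json
import os
import platform
import shutil
import tempfile
from pathlib import Path
from typing import Optional


def default_extensions_dir() -> Path:
    """Default-profile extension store on each OS (documented Chrome layout)."""
    home = Path.home()
    system = platform.system()
    if system == "Darwin":
        return home / "Library/Application Support/Google/Chrome/Default/Extensions"
    if system == "Windows":
        local = Path(os.environ.get("LOCALAPPDATA", str(home)))
        return local / "Google/Chrome/User Data/Default/Extensions"
    return home / ".config/google-chrome/Default/Extensions"


def locate_extension(ext_id: str, extensions_dir: Path) -> Path:
    """Step 1: find <Extensions>/<id>/<version>_<n>/ and return the version
    directory whose manifest.json was written most recently."""
    ext_root = extensions_dir / ext_id
    if not ext_root.is_dir():
        raise FileNotFoundError(f"{ext_id} is not installed under {extensions_dir}")
    versions = [p for p in ext_root.iterdir() if (p / "manifest.json").is_file()]
    if not versions:
        raise FileNotFoundError(f"no manifest.json below {ext_root}")
    return max(versions, key=lambda p: (p / "manifest.json").stat().st_mtime)


def pin_extension(ext_id: str, dest: Path, extensions_dir: Optional[Path] = None) -> dict:
    """Steps 1 and 2: copy the installed version to `dest`, then summarise its
    manifest so the permissions can be reviewed before step 3 (Load unpacked)."""
    src = locate_extension(ext_id, extensions_dir or default_extensions_dir())
    shutil.copytree(src, dest, dirs_exist_ok=True)
    manifest = json.loads((dest / "manifest.json").read_text(encoding="utf-8"))
    return {
        "source": str(src),
        "load_unpacked_from": str(dest),
        "files": sorted(p.name for p in dest.iterdir()),
        "name": manifest.get("name"),
        "version": manifest.get("version"),
        "permissions": sorted(manifest.get("permissions", [])),
        "host_permissions": sorted(manifest.get("host_permissions", [])),
    }


def demo() -> dict:
    """Run the procedure against a constructed fake profile (no real Chrome
    needed). The extension id, manifest and files below are made up."""
    root = Path(tempfile.mkdtemp(prefix="chrome-pin-demo-"))
    ext_id = "a" * 32
    version_dir = root / "Extensions" / ext_id / "2.3.1_0"
    version_dir.mkdir(parents=True)
    (version_dir / "manifest.json").write_text(json.dumps({
        "manifest_version": 3,
        "name": "Example Extension",
        "version": "2.3.1",
        "permissions": ["storage", "tabs"],
        "host_permissions": ["<all_urls>"],
        # Store installs carry an update_url; it is irrelevant once the copy is
        # loaded unpacked, because Chrome does not update unpacked extensions.
        "update_url": "https://clients2.google.com/service/update2/crx",
    }))
    (version_dir / "background.js").write_text("// constructed placeholder\n")
    return pin_extension(ext_id, root / "pinned" / ext_id, root / "Extensions")


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Point "Load unpacked" at the `load_unpacked_from` directory and disable or remove the store copy, otherwise both versions stay active. Review the printed `permissions` and `host_permissions` first: that is the last moment the code you are freezing is also the code you inspected.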


Great points. I'm the author of a few extensions and I do agree that it's nice to see the vast majority of users end up on the same version within a day. I think a reasonable middle-ground would be for Chrome to confirm that you want to perform the update if a privacy-sensitive change is made. For example: "This extension would now also like access to X/Y/Z. Confirm update?".

Even that would only be a small step in the right direction, though, since plenty of apps already have broad enough privacy settings to inject scripts on any page with no change needed to the app manifest's permissions.
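To make both points in the comment above concrete, here is an added example (not code from the commenter or from Chrome) of the manifest diff such a "confirm update?" prompt would have to run, and of the case it cannot catch. The three manifests are constructed for a made-up MV3 extension: v1.1 adds a permission and is flagged; v1.2 adds a second content script to every page without changing any declared grant, so the diff stays empty.

```python
"""Diff the grant-widening fields of two Chrome extension manifests. Added
example; the manifests below are constructed and the extension is fictional."""
import json

PERMISSION_FIELDS = ("permissions", "optional_permissions", "host_permissions")


def grants(manifest: dict) -> dict:
    """Everything in a manifest that widens what the extension may touch.
    content_scripts[].matches is included because a match pattern lets code run
    on those pages whether or not the host also appears in host_permissions."""
    out = {field: set(manifest.get(field, [])) for field in PERMISSION_FIELDS}
    out["content_scripts.matches"] = {
        pattern
        for script in manifest.get("content_scripts", [])
        for pattern in script.get("matches", [])
    }
    return out


def new_grants(old: dict, new: dict) -> dict:
    """Fields whose grant set grew between versions, with only the additions."""
    before, after = grants(old), grants(new)
    return {f: sorted(after[f] - before[f]) for f in after if after[f] - before[f]}


def update_needs_confirmation(old: dict, new: dict) -> bool:
    return bool(new_grants(old, new))


# Constructed sample manifests for a made-up MV3 extension.
V1 = {
    "manifest_version": 3, "name": "Page Helper", "version": "1.0",
    "permissions": ["storage"],
    "host_permissions": ["<all_urls>"],
    "content_scripts": [{"matches": ["<all_urls>"], "js": ["helper.js"]}],
}
# v1.1 asks for a new API permission: a permission-diff prompt would fire.
V1_1 = json.loads(json.dumps(V1))
V1_1.update(version="1.1", permissions=["storage", "cookies"])
# v1.2 declares nothing new but ships an extra script into every page. Its
# grants are identical to v1.0, so a manifest-diff prompt stays silent: the
# broad <all_urls> grant already covered the new behaviour.
V1_2 = json.loads(json.dumps(V1))
V1_2["version"] = "1.2"
V1_2["content_scripts"][0]["js"].append("tracker.js")


def demo() -> dict:
    return {"1.0->1.1": new_grants(V1, V1_1), "1.0->1.2": new_grants(V1, V1_2)}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The empty diff for 1.0 to 1.2 is the point: once an extension holds `<all_urls>` and a content script on every page, any later version can change what that script does with no manifest change at all, so a permissions-only confirmation step never sees it.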


Same thing with NPM/PIP dependencies (they can launch arbitrary code and clean up after, unlike Java deps from maven that just copy immutable archives).
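An added example (not code from the commenter, npm or pip) of the install-time code path the comment above refers to: npm runs a package's `preinstall`, `install` and `postinstall` scripts on the installing machine, runs `prepare` for dependencies installed from git, and substitutes `node-gyp rebuild` when a package ships `binding.gyp` without its own install script. The package names, versions and commands below are constructed.

```python
"""List the commands an npm package would execute during `npm install`.
Added example; the sample package.json contents and names are made up."""
import json

# Run for the package and for every dependency that declares them.
INSTALL_TIME_HOOKS = ("preinstall", "install", "postinstall")
# Also runs when a dependency is installed from a git URL or local path.
GIT_INSTALL_HOOKS = ("prepare",)


def install_time_code(package_json: dict, has_binding_gyp: bool = False) -> dict:
    """Return hook -> command for everything that runs at install time.
    A package with binding.gyp and no install/preinstall script gets npm's
    implicit `node-gyp rebuild`, so native addons run code too."""
    scripts = package_json.get("scripts", {}) or {}
    found = {hook: scripts[hook]
             for hook in INSTALL_TIME_HOOKS + GIT_INSTALL_HOOKS if hook in scripts}
    if has_binding_gyp and not ({"install", "preinstall"} & scripts.keys()):
        found["install"] = "node-gyp rebuild (implicit)"
    return found


def audit(packages: dict) -> dict:
    """packages maps name -> (package.json dict, has_binding_gyp); returns only
    the packages that would run something."""
    report = {}
    for name, (package_json, has_gyp) in packages.items():
        hooks = install_time_code(package_json, has_gyp)
        if hooks:
            report[name] = hooks
    return report


# Constructed sample dependency tree; none of these packages exist.
SAMPLE_PACKAGES = {
    "left-util": ({"name": "left-util", "version": "1.0.0",
                   "scripts": {"test": "jest"}}, False),
    "fast-native": ({"name": "fast-native", "version": "2.1.0",
                     "scripts": {}}, True),
    "helpful-cli": ({"name": "helpful-cli", "version": "0.9.3",
                     "scripts": {"postinstall": "node scripts/setup.js",
                                 "test": "mocha"}}, False),
}


if __name__ == "__main__":
    print(json.dumps(audit(SAMPLE_PACKAGES), indent=2))
```

In practice the same review is cheaper to enforce than to run by hand: `npm install --ignore-scripts` (or `npm config set ignore-scripts true`) skips these hooks entirely, and on the Python side `pip install --only-binary :all:` refuses source distributions, whose `setup.py` is the equivalent arbitrary code path. Maven's immutable archives have no such hook, which is the contrast the comment draws.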



