How/why do you feel safe using a browser with plugins installed?

I just installed Tampermonkey in Chrome, and it alerted me that it can "see and modify" everything I do online. From a technical standpoint, how do people use plugins like this and still feel secure when, say, doing online banking? I know that most people use browser plugins and extensions and scripts. It's probably a rarity to find someone with no plugins installed. But I'd like to hear from technically oriented people, why it's okay to use browser plugins and then do things online. Isn't every browser plugin you have installed able to see everything you're doing? How do you feel comfortable logging into your bank account or your 401K when all these plugins, many of them written by a hobbyist programmer (as in the case of Tampermonkey), can see everything you're doing? Is there some level of protection going on that a non-tech person wouldn't know about?
Answer:

Hey, I'm a technical guy. You are right to be suspicious. But that warning is not itself evidence that there's a problem. By design, Tampermonkey has to be able to access and modify all web pages, that's what the extension does. I make my peace with the risk by evaluating my trust in the extension authors. Something like Tampermonkey is broadly used by technical people, so I have more hope that if it did something shady someone would have noticed. Open source extensions are better. (I'm a little confused about Tampermonkey's being open source, there's https://code.google.com/p/tampermonkey/ but it looks out of date.) It's also pretty hard to obfuscate an extension's code and activities, even if it's not open source it's open to inspection. This trust can be misplaced. A few months ago some sleazy company started paying Chrome extension developers to implant ad tracking malware. And because extensions update automatically and silently, no one noticed for quite awhile. http://www.ghacks.net/2013/12/26/hoverzooms-malware-controversy-imagus-alternative/ is one such extension alleged to include malware; it was quite popular and probably still is. I used to run it. Now I use Imagus although writing this reply now, I'm not sure why I trust it. There's been some shenanigans in the ad blocking world too. I recently switched to https://chrome.google.com/webstore/detail/%C2%B5block/cjpalhdlnbpafiamejdnhcphjbkeiagm?hl=en, which is https://github.com/gorhill/uBlock. There is no hidden technical protection, Chrome does not have meaningful security restrictions on extensions. Once you approve that list of access permissions, there's not much else it can do. Google did recently restrict extension distribution; it's now pretty hard to install an extension in Chrome unless it comes through Google's curated app store. But I don't trust the moderators of that store to really inspect for malware. As rada noted above, Incognito Mode does not load extensions (by default). I use this regularly for high value sites like my bank. OTOH I also rely on the LastPass extension to store my passwords, and I have no idea if a rogue extension could infiltrate my password database. In conclusion: extensions are a security disaster waiting to happen. OTOH they are very convenient. Pick suppliers you trust.

jbickers at Ask.Metafilter.Com Visit the source

Was this solution helpful to you?

Other answers

Extensions can and do make browsing the web unsafe. These are some of the things that an extension with liberal permissions can capture and send to its maker: 1. Your browsing history such as a list of all the websites you visit. 2. Data you input into forms such as login information. 3. Data on all pages you visit. 4. Cookies. There isn't very much that can be done to avoid the inherent security risks. Google has this to say about Chrome extensions for example (http://blog.chromium.org/2009/12/security-in-depth-extension-system.html): Our defenses against malicious extensions focus on helping the user avoid installing malicious extensions in the first place: 1. We expect most users to install extensions from the gallery, where each extension has a reputation. We expect malicious extensions will have a low reputation and will have difficulty attracting many users. If a malicious extension is discovered in the gallery, we will remove it from the gallery. 2. When installing extensions outside the gallery, the user experience for installing an extension is very similar to the experience for running a native executable. If an attacker can trick the user into installing a malicious extension, the attacker might as well trick the user into running a malicious executable. In this way, the extension system avoids increasing the attack surface. .. which is b/s for several reasons e.g. some extensions start out benign, get popular and then get bought so they can be adapted to serve malicious purposes.

rada

Is there some level of protection going on that a non-tech person wouldn't know about? One thing you can do is run https://support.google.com/chrome/answer/95464?hl=en or http://kb.mozillazine.org/Safe_mode. These usually disable extensions/add-ons, unless you specifically allowed them to run in those modes.

rada

It is ok to use plug-ins. However, it all goes back to trust: can you verify your plug-ins in some way? Does the plug-in give transparency in some way? For example, in order for https://adblockplus.org/ to do its job, it has to read the elements of a webpage to determine if they match ABP's database of bad elements. As it is an open source project, you could go and start looking at the code. Some evil villain might also create an adblocker, that can detect credit card numbers on the side and send them to evil villain hq.

troytroy

Related Q & A:

How to find the derivative without using a symbolic function in Matlab?Best solution by Stack Overflow
Why do we feel more emotional watching a figure skating program than a gymnastics floor routine?Best solution by Yahoo! Answers
How can I play my PS3 using a laptop as a monitor?Best solution by Yahoo! Answers
Why do drinks feel really cold in your mouth after you've had a spearmint?Best solution by Yahoo! Answers
How does it feel to get a tattoo redone?Best solution by ChaCha

Just Added Q & A:

How many active mobile subscribers are there in China?Best solution by Quora
How to find the right vacation?Best solution by bookit.com
How To Make Your Own Primer?Best solution by thekrazycouponlady.com
How do you get the domain & range?Best solution by ChaCha
How do you open pop up blockers?Best solution by Yahoo! Answers

For every problem there is a solution! Proved by Solucija.

Got an issue and looking for advice?
Ask Solucija to search every corner of the Web for help.
Get workable solutions and helpful tips in a moment.

Just ask Solucija about an issue you face and immediately get a list of ready solutions, answers and tips from other Internet users. We always provide the most suitable and complete answer to your question at the top, along with a few good alternatives below.