
Show HN: Extension Monitor to detect high-risk browser extensions - flysonic10
https://extensionmonitor.com/blog/introducing-extension-monitor
======
ziddoap
Instant pop-up of a chat, from "Matt - A Real Human" is a significant turn-off
for me.

For a company that is promoting privacy, it's also discouraging to see that
your privacy policy seems to only apply additional data protection rights to
those within the EEA, rather than universally applying them. I'm hoping, in
good faith, that this applies to everyone but is specifically spelled out for
those within the EEA. If this is the case, you might want to be clear that
those rights apply to everyone, not just those residing in the EEA. (If not -
I'd love to hear the justification!)

~~~
flysonic10
Thanks for the feedback. Privacy rights are meant to apply to everyone. Will
check the wording of the privacy policy to make that clear.

Regarding the instant popup, unfortunately I'm not able to keep it hidden with
Drift, but wanted to make sure visitors know they can easily reach me.

~~~
reneberlin
I would like to know more about how the scoring-system works. I think this
will be added, don't hurry - but I am curious how that works in "realtime".
Every second your beloved extension can potentially turn into your enemy.

And how does IT react on a match? Unplug the machine from the net? Close the
browser? Turn off power? Sirens?

I love the idea of your service. But how to execute countermeasures, when the
red flag is raised?

~~~
flysonic10
Realtime refers to installations, not necessarily the threat of the extension.
If a user installs an extension, you should know if the extension is a threat
as soon as possible whether or not it has exposed data.

Scoring is a complex problem and there's some literature on the subject. We
can break down scoring / threat intelligence into a few buckets:

- Known bad actors: some extensions are known bad actors. They've exposed
data and even made the news for it. Let's make sure those are absolutely not
running in your environment.

- Heuristic classification: a number of heuristics can be used to score the
threat of an extension, for example, the permissions it requests, its content
security policy, etc...

- Automated code review: even if an extension developer is not themselves
intentionally malicious, the extension may be using outdated or vulnerable
libraries that can be exploited by others.

- Manual review: there are over 200k extensions so an extensive manual review
of each is not practical. Still, for the most popular extensions, a manual
review can effectively score the extension based on factors that are difficult
to automate. For example, review of the privacy policy, investigation of the
owner entity and its business practices, etc...

- Corroboration / triangulation: a category of threat detection that
Extension Monitor will be able to provide at scale is that of cross-
referencing installations with purchased data to single out likely sources.

These may also apply to a single extension across versions / time.

Regarding counter-measures, Extension Monitor is read-only at this time, so
remedying the threat is environment specific. Some fleet management solutions
may provide this. Other self-managed machines would require the machine's
administrator to remove the extension. Some teams that already allowlist or
blocklist extensions would find the threat scores useful in their own manual
investigations of which extensions to allow or block.

Hope this helps,

Will (still a real human... and not a Matt)

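One way the "heuristic classification" and "known bad actors" buckets described in the reply above could be turned into a score, as an added example that is not Extension Monitor's code: the permission weights, the CSP checks, the block list and the sample manifests are all constructed assumptions, chosen only to show the shape of such a scorer.

```python
"""Heuristic risk scoring of a browser-extension manifest.

Added example, not Extension Monitor's code. The weights, thresholds,
block list and sample manifests are constructed for illustration.
"""
import json

# Constructed block list of extension IDs standing in for real threat intel.
KNOWN_BAD_IDS = {"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"}

# Constructed weight per API permission: the broader the reach into user
# data or the browser itself, the higher the weight.
PERMISSION_WEIGHTS = {
    "webRequest": 15, "webRequestBlocking": 10, "cookies": 15,
    "history": 10, "tabs": 5, "clipboardRead": 10, "nativeMessaging": 20,
    "debugger": 25, "management": 15, "proxy": 15, "storage": 1,
}
# Host patterns that grant access to every site.
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
BROAD_HOST_WEIGHT = 25


def csp_findings(manifest):
    """Inspect the extension's content security policy.

    Returns (finding_name, weight) pairs for a script-src that allows
    eval or remote script sources. Handles the Manifest V2 string form
    and the Manifest V3 dict form; an absent CSP means the browser
    default (script-src 'self'), which raises nothing.
    """
    csp = manifest.get("content_security_policy")
    if isinstance(csp, dict):  # Manifest V3 shape
        csp = csp.get("extension_pages", "")
    if not csp:
        return []
    findings = []
    for directive in csp.split(";"):
        parts = directive.split()
        if not parts or parts[0] != "script-src":
            continue
        sources = parts[1:]
        if "'unsafe-eval'" in sources:
            findings.append(("csp_unsafe_eval", 20))
        if any(s.startswith(("http:", "https:")) for s in sources):
            findings.append(("csp_remote_script", 25))
    return findings


def score_extension(ext_id, manifest):
    """Return a 0-100 score, a label and the reasons behind it."""
    if ext_id in KNOWN_BAD_IDS:
        return {"score": 100, "label": "known_bad", "reasons": ["known bad actor"]}
    score, reasons = 0, []
    perms = list(manifest.get("permissions", [])) + list(manifest.get("host_permissions", []))
    for p in perms:
        if p in BROAD_HOSTS:
            score += BROAD_HOST_WEIGHT
            reasons.append(f"broad host access: {p}")
        elif p in PERMISSION_WEIGHTS:
            score += PERMISSION_WEIGHTS[p]
            reasons.append(f"permission: {p}")
    for name, weight in csp_findings(manifest):
        score += weight
        reasons.append(name)
    score = min(score, 100)
    label = "high" if score >= 50 else "medium" if score >= 20 else "low"
    return {"score": score, "label": label, "reasons": reasons}


# Constructed sample manifests keyed by a made-up extension ID.
SAMPLE_MANIFESTS = {
    "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb": {
        "manifest_version": 2, "name": "Word Counter",
        "permissions": ["activeTab", "storage"],
    },
    "cccccccccccccccccccccccccccccccc": {
        "manifest_version": 2, "name": "Coupon Helper",
        "permissions": ["<all_urls>", "webRequest", "cookies"],
        "content_security_policy": "script-src 'self' 'unsafe-eval'; object-src 'self'",
    },
    "dddddddddddddddddddddddddddddddd": {
        "manifest_version": 2, "name": "Tab Tidy",
        "permissions": ["tabs", "history", "clipboardRead"],
    },
    "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa": {"manifest_version": 2, "name": "Listed", "permissions": []},
}


def score_all(manifests=SAMPLE_MANIFESTS):
    """Score every manifest in an inventory, keyed by extension ID."""
    return {ext_id: score_extension(ext_id, m) for ext_id, m in manifests.items()}


if __name__ == "__main__":
    print(json.dumps(score_all(), indent=2))
```

The block list wins outright, and the heuristic part is additive and capped, so a reviewer can read the `reasons` list to see which permission or CSP directive drove a high score; a real deployment would replace the constructed weights with ones tuned against labelled extensions and feed the output into the allowlist/blocklist workflow mentioned in the reply.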
------
helb
The website seems a bit broken (in Firefox 67):

- "Log in" link does nothing

- this green link(?) also does nothing
[https://i.vgy.me/D0oGjd.png](https://i.vgy.me/D0oGjd.png)

- the Pricing page is empty
[https://i.vgy.me/17yhiD.png](https://i.vgy.me/17yhiD.png) (it works in Chrome
though)

- the newsletter form layout is broken
[https://i.vgy.me/P4qtHn.png](https://i.vgy.me/P4qtHn.png) (seems okay in
Chrome too)

~~~
flysonic10
Thanks for reporting these. I'll check it out in Firefox.

I heard about the pricing section being an issue for some but haven't been
able to reproduce it. I'm going to set up BrowserStack to find all of the
issues.

