
Browser extensions are underrated: the promise of hackable software - gklitt
https://www.geoffreylitt.com/2019/07/29/browser-extensions.html
======
zmmmmm
> The modern browser extension API has done a good job balancing extensibility
> with security

No, it hasn't. Almost every single extension I install tells me some variant
of "This extension can intercept and modify all of your browsing traffic".
That's not "well balanced", it's completely broken. This is happening clearly
for extensions by well intentioned people that _do not need those
permissions_. I can't help but cynically interpret the current situation as
intentional on Google's part because having the security model be "trust
Google to vet the extensions" happens to centralise all the power with them.
If you can't trust an extension from the wild then they might as well not
exist, right?

People laughed Java out of the browser because it took 500ms to start, but at
least it had an actual security model.

~~~
crazygringo
+1000

Extensions should be able to have their permissions limited by domain (e.g. to
customize YouTube or Reddit) at a minimum.

And I'd also really like a way to track both injected scripts and elements so
that they wouldn't be able to make any HTTP requests without additional
permissions, not even an <img src="..."> tag if the src isn't just a data URL
or local extension resource.

E.g. I want to be able to install an extension that stops YouTube videos from
playing as soon as I navigate to the page, without worrying my entire browsing
history or worse is being sent to a third-party.

~~~
hota_mazi
> Extensions should be able to have their permissions limited by domain (e.g.
> to customize YouTube or Reddit) at a minimum.

They already can: extension authors can specify that their extension only
operates on specific URL's.

The problem is that most extensions are designed to work on all web sites, so
you have to choose between security and convenience.

Most users pick the latter and trust the former.

This model works pretty well overall since harmful extensions never take long
before getting flagged by the community.

~~~
TuringTest
> This model works pretty well overall since harmful extensions never take
> long before getting flagged by the community.

No, this model works pretty well for stealthy extensions which take malicious
actions without getting detected.

~~~
jsutton
It also works well for normal useful extensions. We can figure out ways to
eliminate stealthy malicious extensions without removing the most useful
feature of extensions.

------
idoubtit
I believe many people should attempt to create their own web extension, even
if they don't publish it.

In my younger years, I used to crack and hack software just for fun. Those
were my Softice years. Later, when Opera was not Chromium based, I also had
several site customisations, since it was very easy to add my own JS and CSS
to any web site.

Nowadays, I have 4 extensions created and tailored for my needs. One that
deals with cookies (mostly "delete everything" outside of my white list) and
three that add functionalities to specific sites (automating, managing lists,
hiding or highlighting content, etc). Building them was fun, though not as
much fun as playing against "copy protections" long ago: like going from
competitive chess to creative DIY.

The only pain with custom made extensions is that Firefox is very reluctant to
load them. I don't want to upload them them on some Mozilla server, so I have
to enter some cryptic "about:..." URL, then click and navigate to my
extension, for every extension at every browser start. This is one of the main
reasons I'm using more Vivaldi than Firefox these past months.

~~~
scarface74
Besides having to do it on every restart, that’s a good thing. It should be
convoluted to do unsafe operations to protect the average user but allow the
advanced user flexibility.

~~~
wutbrodo
I feel like having a big scary warning would be sufficient instead of making
it inconvenient. It's easy for a competent user to ignore a warning that they
fully understand while it scares off those that are clueless.

~~~
aswan
The issue isn't about having a sufficiently scary warning. It is that the
browser has to store the fact that the user has agreed to this warning
somewhere (ie, presumably in the user's profile). That means any other
software running on the computer with regular user permissions can make the
same modification to the profile and then install an unsigned extension
without the user's consent.

Typically, when Mozilla finds out about software installing extensions without
user consent, the extension is added to the blocklist, but if the extension is
unsigned it can just claim that it is ublock origin or adblock plus or some
popular extension, leaving no practical way to block it.

This is described in greater detail at
[https://blog.mozilla.org/addons/2015/04/15/the-case-for-
exte...](https://blog.mozilla.org/addons/2015/04/15/the-case-for-extension-
signing/)

(in full disclosure, I am a Mozilla employee)

~~~
wutbrodo
Ah thanks, that's useful context. I was responding primarily to the claim that
convolutedness is necessary to protect unsophisticated users, which I
interpreted as meaning that the complexity of the UI scares users off. But
this is a separate technical limitation that makes a lot of sense.

------
gnicholas
Browser extensions are also really important for accessibility. People with
many kinds of disabilities use extensions to make websites more readable,
easier to navigate, or more accessible in other ways.

Unfortunately, the big mobile browsers do not support extensions, which is a
huge blow to accessibility. I think Firefox for Android is the only
mainstream-ish browser that supports extensions. Apple prevents them from
doing the same on iOS because it would be considered "an app store within an
app", which is forbidden.

The only thing Apple allows is action and share extensions, which have to be
manually activated on every single page (2-3 taps to do so — which is super
user-unfriendly, esp. for PWD). It's great that Apple does a lot for
accessibility in general, but I really wish they would open things up a bit
more so that users could customize the iOS experience to make it more
accessible.

As a dev, I would be more than happy to have my code scrutinized even further
in order to ensure that what we're doing doesn't create security, privacy, or
performance issues. We'd just like to make our accessibility software as
useful for folks on mobile as it is on desktop!

~~~
apsanz
Which specific extensions work well? My wife is visually impaired and she has
tried a several extensions. All of them have cause more problems than they
have solved. In addition, IE and firefox's attempts to change behavior when
using windows high contrast mode also breaks many sites. Safari is the browser
that works the most reliably.

~~~
gnicholas
Well, I'm the founder of BeeLine Reader[1], and our extension is used for
speed reading as well as accessibility (vision impairment, dyslexia, ADHD). I
don't think it breaks websites, since we let the user decide how aggressively
it should try to run. There are also night mode extensions, as well as site-
specific ones (like for wikipedia) that are great.

1: [http://www.beelinereader.com](http://www.beelinereader.com)

------
ignoramous
Extensions can be uninstalled, revoked, disabled at will. Can't really bend
BigTech to do your biding, and that trumps whatever the security argument
brings to the table, imo. Extensions should be done in a security friendly way
[0], and not the other way around of making software secure by disabling all
extensibility [1].

Take the example of the Android ecosystem: If plugins were allowed for apps,
pretty sure there'd be a better story around privacy today. An astonishing 40%
of connections from an Oppo/Vivo or Xiaomi phones are to ad networks and
trackers. And there's nothing you could do (without root) except to firewall
it (apps have started working around pi-hole esque setups). XposedMod has
brought plugin based development to Android [2], but it is niche and requires
not just root, but replacing key framework components. Using it might still be
worth it, though, given the relentlessness of OEMs and carriers.

And that's just sad.

[0] One way to tackle the problem of developers selling away rights to their
extensions is to legally make it binding to publicly declare whenever
ownership changes hands. Disable extensions across all installs, and let the
users enable after the fact is made obvious to them.

[1] [https://www.eff.org/deeplinks/2019/06/adversarial-
interopera...](https://www.eff.org/deeplinks/2019/06/adversarial-
interoperability-reviving-elegant-weapon-more-civilized-age-slay)

[2] [https://www.xda-developers.com/best-xposed-modules/](https://www.xda-
developers.com/best-xposed-modules/)

~~~
on_and_off
> If plugins were allowed for apps, pretty sure there'd be a better story
> around privacy today .

Honest question : Can you expand on how this would work please?

If anything, extensions as in chrome extensions is something I try to avoid as
much as possible : giving access to all of my data to a third party extension
promising that is going to increase my privacy but that I need to trust 100%
with a complete access is less than ideal.

~~~
ignoramous
> Honest question : Can you expand on how this would work please?

Such a thing is already possible today. Some require root, some require
breaking PlayStore's terms of use.

One such example is: XPrivacyLua [0] by the creator of NetGuard. It helps fake
location data, hide contacts and calendar, fake device-id, IMEI, MAC addresses
etc on a per-app basis.

Another example is how VPN in Android [1][2] is widely used to block trackers
and ads.

A third example would be how the accessibility service APIs are (ab)used to
temporary grant permissions to apps [3].

A fourth would be reversing engineering tools like Frida [4] that help with
inspecting apps, and even change their behaviour.

A fifth is repackaging APKs with advertisement and tracking code removed, like
with YouTube [5].

I am attempting to build an app with most of these features combined in to
one, lets see how far I get. My aim is probably to build something as close as
possible to uMatrix/uBlockOrigin but without requiring root.

\---

[0]
[https://github.com/M66B/XPrivacyLua/blob/master/README.md](https://github.com/M66B/XPrivacyLua/blob/master/README.md)

[1] [https://github.com/M66B/NetGuard](https://github.com/M66B/NetGuard)

[2]
[https://github.com/blokadaorg/blokada](https://github.com/blokadaorg/blokada)

[3] Sam Ruston's Bouncer app:
[https://samruston.co.uk/](https://samruston.co.uk/)

[4] [https://securitygrind.com/bypassing-android-ssl-pinning-
with...](https://securitygrind.com/bypassing-android-ssl-pinning-with-frida/)

[5] [https://youtubevanced.com/](https://youtubevanced.com/)

~~~
on_and_off
None of these answer my question though.

Repackaging, leveraging a security flaw to use xposed, etc, all of these add
more vectors that can compromise your data.

You need to have complete trust in the person that wrote these, way more trust
than just in the creators of an app that can just use the permissions you give
them :/

~~~
ignoramous
I agree. My point was the security risk is worth it if extensibility is
achieved. I cited the example of browsers and content blockers.

There are many intrusive permissions that already are major privacy and
security risks-- Launchers, SMS apps, VPNs, and even alarm clocks that mine
location data. The playing ground isn't level, right now, to counter this
intrusion.

One way to affect what other apps do, without root, is to route the traffic
via VPN and firewall as appropriate. That's possible only when a user enables
a VPN to do so. Similarly, the plugins could also require a user to explicitly
grant or deny permission for them to work. This is enough of a security
measure as its on par with the current system in Android (regardless of its
notoriety).

> None of these answer my question though.

May be I understood you wrong. I hope I made my point clear to you above?

------
burtonator
Extensions are awesome but I think this article is a bit too optimistic. I
mean I share the optimism but in practice a major challenge is the platform.

Chrome for example has a ton of limitations:

[https://getpolarized.io/2019/04/05/Google-Will-Kill-
Chrome-E...](https://getpolarized.io/2019/04/05/Google-Will-Kill-Chrome-
Extension-Innovation.html)

If you want to do anything significant you have to get their 'permission' and
at that point they throttle your extension release updates.

You can't just push an update immediately that gets sent out. They take a week
to approve your extension.

This might sound reasonable until you realize that a week is an eternity for a
continuous development shop. That might as well be a year.

ESPECIALLY if something is broken.

Imagine if you had a bug that destroys data and you need to rush out a fix.
Nope.. You need to wait one week for that to go out.

~~~
dessant
I experience the same one week delay with an extension. The publishing delay
is always about a week, and that is highly unusual.

They state that the extension update is under compliance review, which may
take several business days, though the similar approval times indicate that
this is actually an arbitrary publishing delay, and that no human review takes
place in all cases, otherwise there would be more variation between approval
times.

~~~
burtonator
It's always a week AND it's also applied at a week even if you change an
image. They don't need to audit an image.

I'm suspicious that they might be doing this for other reasons more likely to
punish people for more aggressive permissions.

------
seanwilson
I launched my side project
([https://www.checkbot.io/](https://www.checkbot.io/), a website best
practices checker) as a paid Chrome extension and have been happy with the
experience so far. The browser extension platform lets me easily support
Linux, Chrome OS, Mac and Windows, with automatic updates and small
installation size (~1MB). I get traffic from people discovering the extension
via the Chrome store, and users can install and launch the app in seconds
which lowers onboarding friction.

Compared to native apps, I think browser extension based apps reduce a lot of
headaches for developers and users.

~~~
ggurgone
Looks useful, how do you manage distribution and the payments? I am looking
for examples and resources of successful paid extensions who offer
subscriptions [https://readmo.app](https://readmo.app)

~~~
seanwilson
I use [https://paddle.com/](https://paddle.com/) for subscription payments.
Paddle deal with EU VAT for you which is a big benefit for me.

The Chrome store lets you take payments but it's not very flexible and it's
tied to Chrome.

~~~
ggurgone
ah sweet, so the extension is hosted on the Chrome Web Store but you manage
payments and licenses with paddle?

~~~
seanwilson
That's right. This gives more flexibility like selling a license that works on
Firefox + Chrome, and selling team based licenses.

I wouldn't be surprised if Google killed Chrome store payments in the future
as well - I pretty much never hear mentions or updates about it. I wouldn't
want to lose all my subscribers if that happened.

~~~
ggurgone
Makes perfectly sense. Thank you for the tips!

------
_trampeltier
Not just browser extensions. I miss an API in all kind of software we use at
work.

No wonder the half of the companys in this world run on excel.

~~~
TeMPOraL
Me too.

It's a thought I keep repeating that is probably worth expanding into an
article - modern software eschews interoperability, and in particular, SaaS is
based on preventing interoperability. What used to be a desktop application
operating on an independent source of data (filesystem) now vacuums the data
and offers it back over an official interface and an extremely limited and
locked-down API.

Wrt. those APIs, note that what just a decade ago on desktop was considered
normal interop, nowadays often requires the interoperating parties to _sign
contracts_ , adding a legal dimension that further shuts out end users.

------
Endy
Browser extensions are being underrated deliberately by browser developers.
Ever since we lost XUL Firefox, anyone who wants to really do anything worth
doing around a web browser should have already switched to Pale Moon. Doubly
so with Google's Manifest v3, which is going to kill selective content
download management.

~~~
eitland
Even as much as I want my old Firefox extensions back I reaaly don't feel I
can trust a small bunch of developers to keep something as complicated as the
old Firefox patched in this day and age.

Am I wrong?

~~~
sma222k0n
I'm afraid you're

[https://forum.palemoon.org/viewtopic.php?f=65&t=22399](https://forum.palemoon.org/viewtopic.php?f=65&t=22399)

[https://forum.palemoon.org/viewtopic.php?t=22270&p=168663](https://forum.palemoon.org/viewtopic.php?t=22270&p=168663)

~~~
eitland
Sounds good! I'm all for more competition in the browser space and will
consider using it for my personal laptop as a first step.

------
andrenth
Next ([https://github.com/atlas-engineer/next](https://github.com/atlas-
engineer/next)) might be a truly hackable browser.

~~~
celeritascelery
All I really want is emacs for the web.

------
ohazi
I don't agree with the author. He pays lip service to security being
important, but then proceeds to ignore the threat because he thinks extensions
are great. I think people should be more hesitant to install a browser
extension than just about any other piece of software.

The threat is absolutely real. Bad actors regularly offer large paydays to
lone developers with popular extensions so they can roll out an update that
quietly adds a backdoor.

There's at least _some_ publicly documented evidence that Raymond Hill (uBlock
Origin) isn't likely to cave to this sort of pressure, but do you really
believe that _none_ of the other authors of your fifteen favorite extensions
would look the other way for $100k?

Keep in mind that these offers don't look like "Here's some money, please let
us roll out an evil update to your extension." They look like "Our company has
a product with a similar name. We love your extension and would like to offer
to acquire it from you so that we can use the name. We'll even let you keep
the rights to your software so that you can re-release it under a different
name if you'd like!" They'll make it really easy for the developer to remain
in denial about what they're actually facilitating.

~~~
seanwilson
> Keep in mind that it's not "Here's some money, please let us roll out an
> evil update to your extension," it's "Our company loves your extension and
> would like to acquire it."

I get messages like this every now and then for mobile apps and browser
extensions I manage and they're painfully obvious to spot.

They're often from sketchy looking generic email addresses, have no
information about the buying company, don't even attempt to demonstrate
knowledge of the app, and most importantly mention nothing about how they plan
to grow the app.

It's always just "would you like to sell?" and "how many users do you have?".

A recent one:

> From: __*@gmail.com

> My name is John.

> I have noticed your google extension
> "[https://checkbot.io/](https://checkbot.io/) Checkbot: SEO, Web Speed &amp;
> Security Tester ", its looks interesting would you considering to sell it?

> Best regards

I've had more elaborate ones but they're always generic with no obvious
business interest in the specific app they're asking to buy.

~~~
dessant
Same, I get an offer every month or so for some of my extensions. One has
quoted an offer of $0.25/user for the Firefox version of Search by Image in
their introductory email. That kind of money would significantly improve my
life, but it's all too obvious what they would do with my users.

Most extension developers are not getting any significant income from their
work, despite serving millions of users, and unless browser vendors will begin
to recognize the value of that labor and provide better tools for sponsoring
developers, we will continue to be vulnerable to such offers.

~~~
seanwilson
> Most extension developers are not getting any significant income from their
> work, despite serving millions of users, and until browser vendors do not
> start to recognize the value of that labor and provide better tools for
> sponsoring developers, we will continue to be vulnerable to such offers.

Any ideas what specifically could be done to help? You can integrate your own
payment systems into extensions and there's some ad vendors that support
browser extensions.

~~~
dessant
I'm specifically talking about extensions that strive to be free and
accessible for everyone.

A great example for how Mozilla is deprioritizing contributions for extension
developers is the new design of Firefox Add-ons. The contribution button was
pushed down below the fold. Previously it was at a very prominent place next
to the install button, and several modes for requesting contributions before
or after installation have been deprecated.

Yes, adding a donation button to your extension is a possibility, but it would
send a whole different signal if Mozilla would encourage users to support
developers, from a unified and trusted user interface, and experiment with
better ways to ensure that users are aware of support options for their
favourite extensions.

Mozilla directly supporting extensions which they consider to be of great
value could also be explored.

------
mikekchar
Here's an opinion that is likely to be controversial: I like Gnome Shell for
exactly the same reason. To be fair, it's something like 7 years since I used
it, so maybe things have changed a lot. I ended up abandoning it because I
don't like Gnome in general (I want something significantly more light
weight). But I _loved_ the idea that I could completely change the way my
window manager worked by writing a surprisingly small amount of JS. Not only
that, but it had (I hope still has) hooks into mutter, so you could do
anything you want to the compositter as well. For example, one of the things I
did was to have windows that zoomed the contents when I resized them rather
than increasing the size of area in the window -- I did it because I have
terrible vision and virtually every time I want a bigger window it's because I
want it magnified.

I just noticed Xlambda which was featured very recently on HN:
[https://news.ycombinator.com/item?id=20316920](https://news.ycombinator.com/item?id=20316920)
I wonder if there is compositor I could talk to as well... compton doesn't do
the kinds of things I want to do...

------
ocdtrekkie
On the contrary: Browser extensions are horribly overrated. They're a massive
security problem (the number one place malware is found on a computer) often
for the benefit of replacing the word "cloud" with "butt". They are rarely
adequately audited or restricted and have far more access to private data than
anyone generally realizes.

~~~
koverda
>> replacing the word "butt" with "butt"

Do you mean to say that extensions do nothing?

------
simon_weber
Browser extensions are an important part of my small business since there are
some things I can't reasonably do without them.
[https://autoplaylists.simon.codes](https://autoplaylists.simon.codes) is a
good example: Google Music just doesn't make some metadata available over
their OAuth apis.

I understand the broader extension security situation is pretty atrocious, but
I like to think there's some small improvement from url-limited extensions
like mine (that would otherwise exist as scripts that ask for plaintext
credentials).

------
saurik
I gave a highly related talk in 2010 called "Even Software Should Have Screws"
at TEDxAmericanRiviera, based on my background working in the iOS jailbreaking
community, where I maintained a software ecosystem similar to browser
extensions, but for apps and system software.

[https://youtu.be/ReKCp9K_Jqw](https://youtu.be/ReKCp9K_Jqw)

------
ggggtez
> personally use Chrome extensions that fill in my passwords, help me read
> Japanese kanji, simplify the visual design of Gmail, let me highlight and
> annotate articles, save articles for later reading, play videos at 2x speed,
> and of course, block ads.

So, autofill, autotranslate, HTML-only mode in gmail, (?), literally just
bookmark it, any html5 video player, and of course, block ads (which most
browsers seem to be moving to do by default). These are all either offered by
the browser by default, or will be (though firefox seems more interested in
adblocking than chrome right now).

Obviously they may not do it the same, but as someone who is suggesting addons
offer a lot of power, the writer is not actually _using_ most of that power. I
kind of agree with browser developers that more often than not, extensions
just offer a new vector for malware and no one really understands what power
they have so they make bad choices.

------
ggurgone
Shameless self-promo – I built Refined Twitter Lite which customizes the new
Twitter introducing features like Single Column layout.

I primarily built it for myself but maybe some of you folks might find it
useful too [https://chrome.google.com/webstore/detail/refined-twitter-
li...](https://chrome.google.com/webstore/detail/refined-twitter-
lite/adhbafkkfbonbogdlaebnoegpoogngcc?hl=en)

It is open source of course [https://github.com/giuseppeg/refined-twitter-
lite](https://github.com/giuseppeg/refined-twitter-lite)

------
falsedan
We won an internal hackathon by writing the API and no front end, using a
browser extension instead to manifest the client on the third-party page we
couldn’t get API access to in time. It sure was easy to write.

------
stevefan1999
I was involved into developing a simple app for WebExtension. Not gonna lie,
the experience is awful, for example, no IPC support, being way too
complicated in terms of API design and that really hateful manifest schema
file which echoes the horror of Android API permission XML. I give up at some
point, but I could provide the source code if I could get a chance to recover
my files.

~~~
stevefan1999
well no it indeed had IPC with WebWorkers, however it is also very difficult
to work with: data sharing between scripts is a complete clusterfuck. I had
found my code, it is written in Vue/Vuex and I will attempt to convert it to
using nuxt and upload it github maybe.

------
anantdgoel
We recently launched a browser extension
([https://www.getnobias.com/](https://www.getnobias.com/)) and have been happy
with the use cases we've been able to build around existing websites. Much
easier than convincing news publishers to integrate our products directly into
their websites. Users get to choose their experience.

------
modzu
here's a shameless link to my small batch of extensions, hopefully some find
useful. all open source of course!

[https://addons.mozilla.org/en-
US/firefox/user/13170802](https://addons.mozilla.org/en-
US/firefox/user/13170802)

------
0xDEFC0DE
Anyone with a foot/feet in pentesting/appsec feel that there could be a good
omni extension that encompasses cookie editing, header editing, local storage,
proxy toggle, and has other potential features?

------
Arkdy
I love that extensions turn the idea of browser differences into a strength.

It's a reminder that the websites you make don't just go into a black box,
they have to co-exist with individual user preferences/needs.

------
miguelmota
Sometimes popular abandoned browser extensions get bought up by malicious
actors that inject malware into your browser without you ever knowing because
extensions get automatically updated.

~~~
megous
That's why you uncheck "update add-ons automatiocally' in the add-on manager.

~~~
miguelmota
Standard users would have no idea they can do that or even bother. Extensions
are risky additions to the browser because it's 3rd party code that can read
your web pages and local storage values.

~~~
megous
Yes, but I didn't talk about standard users.

Also, most of my extensions are not 3rd party code and I want them to have
full access.

For the rest I update them once in a while and go check

    
    
        ~/.mozilla/**/*.xpi
    

for changes with something like this.

    
    
        find -maxdepth 1 -mindepth 1 -type d ! -name .git -print0 | xargs -0r rm -rf
    
        for f in ../extensions/*.xpi ; do
                unzip "$f" -d "$(basename "${f%.xpi}")"
        done
    
        git add -Af .
        git commit -m "Changes"

------
dman
I would really like a browser which attempted to be extensible the way emacs
is. No modern browser appears committed to extensibility as a key feature /
differentiator.

~~~
b3n
You mean like Next[1]?

[1] [https://github.com/atlas-engineer/next](https://github.com/atlas-
engineer/next)

------
calmchaos
Check out some kickass WebExtensions by Nodetics:
[https://nodetics.com](https://nodetics.com)

------
edgarvaldes
I would say that maybe they are underused or not well known by the general
public, but not underrated.

------
ardani
Hacking extensions are underrated, your browser software is unbrowseable.

------
DiseasedBadger
I haven't cared since XUL died, and I don't imagined I will. New extensions
are just webpages.

I can already make webpages.

