Adware vendors buy Chrome Extensions to send ad- and malware-filled updates (arstechnica.com)
99 points by hollerith on March 4, 2018 | 43 comments


It’s a good point to be aware of and to raise from time to time, but the subject line should be amended to indicate that this article was written in 2014.


Yeah, I have a Firefox extension with around 50k installs, and get emails every so often from people offering to monetize it.

Here's an excerpt from a recent one, from Nick at NJB Brands Sales:

> We offer .50 CTR (per 1,000) traffic and can use each unique IP up to 10 times a day. There is no limitation to what we will purchase other than the cap per unique IP. We offer flexible payment options via PayPal, Bitcoin, WesternUnion or Check. Payment can be done every 1 day, 7 days or 30 days.


Ha! We got the exact same message. Really weird getting a glimpse of that part of the internet.


I have a relatively popular novelty extension and I get approached by ad companies to buy/monetize it regularly. I refuse, because I despise advertising and I don't need the money. But I suspect I am in the minority and that many extension owners probably just decide it is easier to sell it and not think about it.


I switched my Chrome extension to a paid model (one-off payments). Most of the offers from these shady people work out as approximately 1 year's worth of sales.


Who pays for extensions? Like, honest question.


3-4 people a day. My extensions are development tools so I’d imagine people get their companies to pay for it.


How much did they offer?


Anywhere from $2-25k. But most don't give a price upfront and I just send it to my spam folder.


And for what reach?


Use uBlock Origin [1] and uMatrix [2] instead. Also, using the Inox [3] browser helps too.

[1] https://github.com/gorhill/uBlock/

[2] https://github.com/gorhill/uMatrix

[3] https://github.com/gcarq/inox-patchset/releases


Instead of what?


This is why RMS calls auto-updates "universal backdoors".


Most people would be screwed without auto-updates.


From the article:

> "Update: Google got back to us, and stated that Chrome's extension policy is due to change in June 2014. The new policy will require extensions to serve a single purpose."


It appears to be an easy way to at least weaken this practice:

Why doesn't Chrome prompt its user / demand a confirmation of permissions when an extension changes ownership, before updating it again?

It could at least impact the profitability of this buying up of extensions, but definitely help alert users of such things.


How would they know it changed ownership?


But it couldn't/won't guarantee anything. Say Chrome notifies the user of the change of ownership of an extension, then the new owner states that they won't be evil, blah blah blah, but 1 or 3 months later they change their minds and send ads to users. What next?


Before that - why doesn't Chrome let you DISABLE updates?


(2014)


Still a large risk, even though this was authored in 2014.

I would be surprised if extensions that "read and change content on all websites you visit" haven't yet been used in some wide-scale account/identity compromise without making much noise.
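
Added example, not part of the thread or any commenter's code: a Python sketch of the check a reviewer can run on an update, relating to the permission-confirmation question and the all-websites access concern raised above. It diffs the access declared by two versions of an extension's manifest.json; the function names and both sample manifests are constructed for illustration.

```python
# Match patterns that grant access to every site, i.e. the kind of access
# behind the "all websites you visit" warning quoted in the comment above.
BROAD_PATTERNS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}


def requested_access(manifest: dict) -> set:
    """Collect the API permissions and host match patterns a manifest declares."""
    declared = list(manifest.get("permissions", []))
    declared += manifest.get("host_permissions", [])  # Manifest V3 host access
    for script in manifest.get("content_scripts", []):
        declared += script.get("matches", [])
    # Some permission entries are objects rather than strings; skip those.
    return {item for item in declared if isinstance(item, str)}


def review_update(old: dict, new: dict) -> dict:
    """Report what a new version asks for that the old version did not."""
    added = requested_access(new) - requested_access(old)
    return {
        "added": sorted(added),
        "gains_all_sites": bool(added & BROAD_PATTERNS),
        "update_url_changed": old.get("update_url") != new.get("update_url"),
    }


# Constructed sample: version 1.4 touches one site, version 1.5 asks for all.
OLD = {
    "name": "Example Helper", "version": "1.4",
    "permissions": ["storage", "activeTab"],
    "content_scripts": [{"matches": ["https://news.example/*"], "js": ["a.js"]}],
}
NEW = {
    "name": "Example Helper", "version": "1.5",
    "permissions": ["storage", "activeTab", "webRequest", "<all_urls>"],
    "content_scripts": [{"matches": ["<all_urls>"], "js": ["a.js", "b.js"]}],
}

if __name__ == "__main__":
    report = review_update(OLD, NEW)
    print("newly requested:", report["added"])
    print("gains access to all sites:", report["gains_all_sites"])
    print("update_url changed:", report["update_url_changed"])
```

A clean diff says nothing about what the new code does with access the extension already had, which is the limit the replies above point out.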


That is why I never install browser extensions.


I'm not sure about Chrome, but on Firefox, for the time being, one can still install extensions the classic "old school" software installation way - by placing the files on disk.


Do you live without adblock?


Install the version from Github instead of the store, and you can avoid the problem. Instructions for Chrome/Firefox here: https://github.com/gorhill/uBlock/blob/master/dist/README.md

For other browsers, see the overview here: https://github.com/gorhill/uBlock/blob/master/README.md#chro...


Not OP, but I live without adblock. In Chrome, I disable Javascript on all sites by default. Rarely do I need to unblock a new site. I have a paid subscription to the Washington Post (which grants access to articles, but doesn't actually hide the ads...), and the ads on other sites I visit aren't too oppressive.

More than anything else, over nearly twenty years on the Internet I've developed the mental reflex to "tune out" and automatically ignore any Internet ad, anywhere, unless it's literally shoved in my face to the exclusion of all other content.

I've previously used adblock extensions, but my reasons for going without mirror the link author's. I simply can't trust Google/Chrome not to autoinstall a new, broken, malware-infested version of my favorite extension. I don't feel I should have to mess with directory permissions or application sandboxing in order to achieve some half-measure of extension security, so instead I eschew them completely.


Host blocking at the OS level. No need for extensions.


Sometimes you need to temporarily disable filters or edit them. How do you manage that? Is it user-friendly?


Never ran into a problem really. Maybe a couple times a year I'll manually open the host file and ctrl+f a host I need to comment out temporarily after seeing it's causing an issue via the browser's network tools.


It's pretty easy going without adblock. There are a lot of websites without obtrusive ads and it's pretty easy to start to recognize which sites I just don't want to go to anymore.


I adblock then disable extension updates. The only extension I add.


How do you disable extension updates in Chrome?


Blocking updates on Chrome is harder than I remember. A couple of ways here: https://stackoverflow.com/questions/27657617/how-to-disable-...

Another way is to enable developer mode on the extension page then install an unpacked version of the extensions you want.


Manually installing unpacked extensions is the only way that currently works; update_url hasn't worked for more than a year, Chrome just calls home on hardcoded IPs.


Yes, but I have JS disabled on most sites. Regarding adblock, there were posts that it slows the browser down, injects huge CSS rules into every iframe etc.


How do you selectively disable JS without an extension?


Chromium can do that. You can disable JS globally in the settings and then there will be a script icon in the address bar to enable it on a specific site.


You can do it quite effectively outside the browser using a host block list [1] or Pi-hole. My uBlock now only fires sporadically for cases I don't catch with the /etc/hosts approach (e.g. disallowing remote fonts).

[1] https://github.com/StevenBlack/hosts


Many years ago Opera had a blacklist for URLs with wildcard support that was implemented in native code, not HTML/JS. I used to use it then.


Not even Firefox manually reviews extensions anymore. Sad, happened twice for me (one was a cryptominer) so now I have like 2 extensions installed.


Not true. Extensions are still subject to manual review; however, they are permitted to be posted publicly as soon as they pass a suite of automated checks.


You know what I mean. It's like checking for poison after you eat the entire pie.


(2014)



