So this is an interesting philosophical question - the market value of the extension is the value of "monetizing" it by stuffing ads, or worse, monitoring/tracking/exfiltration, into the extension. It's the market value of the trust of the extension's userbase. Is that the value of the extension developer's labor?
I would argue not really. The value of a bank, for instance, is not the amount of money in all of the vaults. That money is held in trust for customers, and it is not for the owner of the bank to dispose of. Therefore, nobody who makes a fair offer for the bank should expect those resources in the transaction, so a fair market price for the bank is much less - such as the present value of the interest earned by the bank minus the interest returned to customers.
In particular, the only reason the bank has customers is they expect to get their money back, generally with interest, at some point in the future. If they didn't, they'd put their money elsewhere. So if a bank is willing to sell the contents of the customer accounts, that indicates incomplete information in the market - customers didn't know the bank wasn't trustworthy. The true market value of the bank, in a perfect-information market, would be close to zero.
It seems like the problem here is that we know two ways of compensating browser extension developers: "don't" and "breach your users' trust." Those point to wildly undervalued and wildly overvalued estimates of the fair market value of the developers' work. And we should come up with some fairer way to value their work (or, more fundamentally, to compensate them; we may not need to monetize the extension, necessarily) first, and I'm not totally sure it's the fault of browsers for not having had such a clever idea - it seems like we collectively need to figure that out.
While users may feel bad about extension developers not being compensated, I feel like the larger story here is that:
- Companies are buying extensions for nefarious purposes, which presents a huge security risk.
- Evidently, app stores are sufficiently bad at detecting this that it remains profitable.
Also I think it's reasonable for browsers to require complete auditable source (even if there's some obfuscation happening before it gets to users), which would probably have a deterrent effect on weakly-ethical developers - it's harder to ship code you can plainly see is malicious than to just sell the extension and wipe your hands of it. (There are enough stories of founders who care about their companies selling startups to acquirers that don't that I think there is something in human nature that makes it easier to hand off your creation to someone who will do bad things with it than to do the same bad things yourself.)
Put another way, if the browser manufacturers run an extension store, they are (or ought to be, at least) endorsing the extensions in that store as reasonable to install. I don't see how they can do that without source. I think they could sort of make that endorsement without proactive auditing if they can remove extensions they discover are malicious, but if they can't even human-audit the source in response to a report of problems, I don't think there's any way they can responsibly offer extensions to their users.
Mozilla does a lot to protect users from malicious extensions, thousands of times more than Google.
Unless you think plugins for HTTPS Everywhere, Google Translate, and LastPass should be signed by an individual developer - in which case you'll have to solve the problem of what to do when that developer moves between jobs :)
A buyer company or individual ought to have to create a different name and convince users to install/trust their extension if ownership is transferred instead of merely taking control of the existing name and having the next automatic update install malware.
Extension systems and language specific package managers on the overall have garbage security and are going to be a way bigger problem in the future. They are low hanging fruit.
I suppose you could argue that when Facebook buys Instagram the Instagram app should be uninstalled from users' phones and all their accounts and posts deleted, because they didn't agree to trust Facebook or consent to the data being shared with Facebook. There's a certain logic to that, but it would be a big change to how the current tech ecosystem works.
It's a superficially attractive answer, but the reality is that it's unenforceable.
Nation states get unstuck here on taxation, and bluntly it is unlikely any browser vendor will ever invest as heavily as nation states do on getting revenue.
To be blunt most current software in use in US/Europe already comes from US/Europe.
Right that solved pirating, torrenting and hacking.
None of the above happens on the internet any more since the CFAA was passed.
Shady people will do shady stuff, no matter what the law says. And you will never catch all or even most of them.
So if it's all the same, it would be better if we come up with a solution that prevents abuse from happening in the first place.
If you can buy or take over responsibility for extension foo and automatically exploit thousands of people who automatically get updated to foo 1.1 now with 1000% more malware then it will happen.
If you have me/foo and you want to take over maintaining foo and you have to create you/foo and convince people to remove the working version of me/foo and switch to your you/foo this is a small burden for legitimate users but a higher bar for scummy companies whose accounts will doubtlessly either have a bad history or far more likely none at all to lean on.
Further, the time required to convince users to switch will be much longer, leading to more time for something to be discovered as malicious before users are affected.
Best this whole process makes exploiting users much less valuable and thus you have less of it to start with.
Holding an individual responsible for the company is simply not plausible in most jurisdictions for anything short of actual criminal actions.
What percent of extensions connect/download from the internet? That could be an easy way to identify a much smaller group of vulnerable extensions. Make extensions request permission to connect, then you can see the smaller group and watch any new extensions that request the permission. Connections could also be domain restricted to a list defined before distribution (and IP connections banned.)
Also, Mozilla could force extensions to make requests through proxies it controls... although that would be a whole other issue.
Yes, you can imagine a way where extensions provide some declarative input to the browser saying how to block certain elements, and don't have any connection to the web page. That's more or less what iOS ad blockers do, as well as Chrome's new proposed ad blocker approach, and extension authors generally dislike it. And that only helps you remove elements, not add them - things like night mode extensions generally want to add either elements or at least CSS to the browser, and if you have that much access, you can definitely add ads or inject referral links into shopping sites.
Hrm. I would say that it indicates that there are two different types of market. There is the market for free, ethical extensions. This market is full of products that have no value, either being freely given away by their author, or having insufficient reach or utility to garner commercial success. Then there is the black market for remote access to millions of end user machines. This market is likely illegal, but plausible deniability allows unethical devs to sell access to end users on this market.
It should not surprise anyone that it's tough to get compensated when you don't charge anything for the product you sell. Despite the name "Chrome Web Store," I could not find any for-sale extensions on the featured page. It seems like it's not in the culture to pay for extensions, possibly because most of them are low-effort and have little marginal utility.
The only people who are making money ethically on the Chrome Web Store are folks who are selling a service to which their extension is a portal. And I don't really see how it will ever be otherwise.
Take the developer of uBlock Origin and uMatrix, Raymond Hill, for example. He continues to refuse payment / donations.
Oxygenated air has next to zero price you could sell it for, but it has basically infinite value to somebody deprived of it.
Browser extensions create a ton of value, but it's likely very little of that can be turned into a paycheck for somebody without destroying the value they create.
Browser providers pay for ecosystem improvements -- a better product.
The upcoming changes to the Chrome browser will limit the performance and capabilities of actual ad-blocking extensions like uBlock Origin. Google claims these changes are being done to protect users' privacy.
This would not create a scenario for extension developers to get rich, but it would provide some support to keep going, which could justify turning down potentially harmful monetization alternatives.
Hosting a conference or creating a fellowship for top extension developers could also work -- some measure of appreciation that helps developers earn a living, directly or indirectly.
Or even worse, inserting malicious code such as a keylogger.
Even Google Chrome's built in Spell Checker is constantly sending data back to Google and functions as a keylogger.
Labor itself has no intrinsic value at all. You don’t have to think very hard to come up with a list of things that would be laborious but not valuable. Economically speaking, the value of any product can only ever be what people are willing to pay for it. If your users aren’t willing to pay for your product in one way or another, then your only option is to sell access to your users, in one way or another.
At almost $200k/year, a starting Google developer makes ~$4K a week (pre tax, but also ignoring health care, facilities, etc).
The browser extension offers are comparable to months of developer time, but since they are made after an extension succeeds, they’re not accounting for the probability that a new extension won’t become wildly popular.
Put another way, if the scammers could develop (or steal) extensions for less than they’re buying them for, I’m sure they would.
I do think that $200K/year is a wild overestimate of the value of the extension, on the ground that Google and other similar companies assign very few new hires to write browser extensions. But yes, the amount of skill and time and focus that goes into the average extension and the average new hire project is at least within the same order of magnitude.
We are generally bad at finding ways to compensate/monetize people for skilled labor that does useful things for the world but isn't directly profitable, so I think trying to tackle that for the case of extensions is a harder problem than is reasonable to demand.
For example, Netflix' use of in-browser DRM makes it a must-have for mainstream browsers.
Unless we've created self-replicating, web-enabled, grey goo first.
You can browbeat developers with your ethics and ideals, but your approval doesn't feed anyone's children.
Therefore the only way that your extension has value is if you are intentionally withholding information from users about your willingness to sell. Which, even without getting into the ethics of deceiving your users, is at odds with the generally-accepted sense of the word "value" in economics. If a company is withholding information about it doing poorly and has a higher stock price than it would if it didn't, you generally say the company is "overvalued," that people are erring in attributing that value to it, not that it increased its actual value.
Regarding the monetization of NoCoin, I advertise the fact that I am accepting donations in the description of the extension and have links on the GitHub page. There is also a button to donate directly on the Firefox add-ons page. Almost all donations came from the Firefox Add-ons store. I guess if Google would do the same on the Chrome store, developers would get more donations?
I probably get a couple of offers a year for it. Of those that have offered specific sums, they ranged from $10-20k. I always reject them, because it’s pretty obvious they want to turn it into malware.
I’ve had a couple of cases where I felt they went to some effort to schmooze me first, presenting themselves as having benign intentions, almost like a carefully crafted con. But as far as I can tell, there is no legitimate, ethical reason to want to acquire it, and I won’t sell out my users like that.
So a) there are other extension authors with similar coverage who are selling out and/or b) they can't turn a reasonable profit at a higher price.
BUT - extensions are also often the cause of a slow and frustrating Firefox experience, which then leads folks to talk about how Chrome is better-performing/faster (I've been guilty of this myself in the past). Mozilla needs to make sure Firefox is keeping pace with Chrome, which they've presumably decided means de-emphasizing extensions.
That said, not sure why Mozilla needs to de-emphasize donation buttons.
IE (used to?) have this bottom notification warning about 'X plugin is slowing IE, would you like to disable it?'. Perhaps Firefox should add similar feature and notify users about slow plugins, maybe even with some actual data instead of a vague slowness claim.
Then I went to check it out and found that I don't remember opening it since it's pretty much useless. It does show how much memory each consumes and the _current_ energy impact. Utterly meaningless and doesn't help me at all to understand that a certain extension slows my browsing experience.
I've not checked the source, but my guess is Firefox stores the history in a SQLite db and when you select 500 history items then delete them, it's doing 500 DELETEs, maybe even without a proper index. It's seriously slow.
There seems to be a lot of low hanging fruit in Firefox, but not being employed by Mozilla I don't particularly feel like my thoughts or contributions are welcome. The last time I reported a bug on bugzilla.mozilla.org (which is a pain in the neck) I was told that accessibility on MacOS wasn't important enough for Mozilla to care about (paraphrasing.)
I doubt that this is true. Some extensions like Adblockers even make browsing faster.
There's a fair few others that can upset Firefox but never seem to be the same extent of annoyance for Chrome.
Shift-Escape? what? I'm supposed to just randomly press every key combination till something happens?
His change was changing array population from repeated concat to push. This is not an unpredictable hot spot but a developer not knowing his tools. Common sense is not premature optimization.
You have any recent data on this? I am not convinced this is true anymore.
In over a year of using Firefox every day I haven't noticed any slowdowns after Firefox made the move to drop compatibility for those extensions.
That doesn't seem right - doesn't Google let developers monetize extensions in the chrome web store?
You can publish Hosted Apps, Chrome Apps, Chrome Extensions, and Themes in the Chrome Web Store. Collectively these are called simply "Items". You have many choices when it comes to making money from items that you publish in the Chrome Web Store. This page covers just a few ways to monetize your store item:
- In-app payments
- One-time charge
- Offering a limited trial version of your item
The issue of developers selling out their chrome extensions to 3P (that the author references) probably has more to do with the fact that bad actors get better money for harvesting user PII than the developer would if they maintained the extension as it was originally meant to be. This is a real privacy issue, but it's also why Chrome cracked down on extension APIs recently by restricting what is shared with the extension.
A letter from the New York AG got them to respond, but I still need to email them every time I need my data (they get an engineer to run a db query manually, from what I can tell).
I did get an email today that they're migrating to a new system, so maybe it'll work in the future, but I wouldn't trust them based on what I've seen.
It'd be nice if they had 'trusted devs' or similar. Even if they provided a paid meatbag extension review service, I'd pay to get the plugins I use reviewed!
In the end, I couldn't get something satisfactory working, and went with Paddle for payments. Cost per transaction is quite high in our case ($0.75 on a $5 monthly subscription) but it was fairly painless to set up, and they handle VAT/sales tax. Would love to find a way to offer $3/month subscriptions without handling tax ourselves.
If you want to do this stuff you have to do it all from scratch and hope Google doesn't decide to get mad at you.
They also make it very hard to push updates promptly which means if a major bug or security issue is found it can take multiple days for users to get a fix, so you end up having to find your own way to push updates (despite the fact that store policy sort of prohibits doing so).
It feels as if Google doesn't want you to actually make Chrome OS apps.
It would benefit us all if browser vendors would enable users to easily support extensions, and do so from a unified user interface, like an extension store.
It sends a different signal for the user when a browser vendor encourages and handles contributions for extensions, instead of leaving developers on their own to build makeshift donation prompts and expect users to give out credit card data or sign up to third-party services just to donate.
Sponsoring your favourite extensions right from your Google or Firefox account would help projects receive more funding, be more user-centered, and further enrich the browser extension ecosystem, while encouraging new developers to publish their own extensions and support user needs.
Direct payment from browser vendor to useful devs: not sure where that money would come from.
Alexa can probably support it since more use of an Alexa likely has a strong correlation with increased purchases through Amazon - they essentially directly profit off popular extensions, in a measurable way because they track everything, since it keeps people using Amazon in general.
I'm not sure Mozilla gets much money from e.g. adblock. Or other popular extensions. Plus they're a non-profit, so their cash-in-hand isn't too likely to change dramatically, unless we can convince more companies to donate (which could allow donating to extension devs).
Web browsers are insanely profitable thanks to search referrals.
I thought Firefox was going to get better with their redesign but it seems like it just resulted in lost functionality. Their misguided quest to get more market share has been a complete failure and pushed anyone who valued their customizable experience away.
Well, it got me to switch from Chrome to Firefox on Windows, so there's that at least. Firefox feels much faster to me now, and strongly reminds me of Chrome in the very early days.
disclosure: I work at mozilla, but not on this.
Chrome realized that if it jumped ahead in version number, it could gain a huge PR advantage, and then Firefox was forced to follow that pattern or appear outdated. Users may have gained some rapid iteration, but in the long term, I think we lost the ability to understand how the browsers are changing (of course, some of that is a matter of the inherent complexity explosion in the Web).
And once you change to the constantly-incremented version numbering scheme, how can you ever go back to something more meaningful? Who would blink first?
Happily, Pale Moon, for example, retains more modest version numbers. I hope their developers continue doing well. Imagine if it (or a similar project) were the next Phoenix, the way Firefox rose from Netscape's ashes.
Personal anecdote, but of all the non-technical people I know (which I define as those who may barely know what a browser is, and only use the computer for browsing a tiny fraction of the Internet), none of them like the constant change, especially when it breaks their workflow, and those who do pay attention to version numbers think the rapid "version explosion" (to quote one) is completely silly. Like a lot of other things in life, they just put up with it because they're powerless.
I really wonder who the browser makers are targeting with the "move fast and break things constantly" attitude, because it's definitely neither the technical nor non-technical users I know.
However, in all the tabbed browsers I've used, Ctrl+F4 closes the current tab.
Or Chrome 30001?
That's a gross mischaracterization of the situation. There are far, far more extensions than just ad blockers.
Google could trivially block ad blockers without killing all extensions, and ad blockers can survive just fine without extensions (pihole being the obvious example of one such alternative).
Google even has their own rather large suite of extensions: https://chrome.google.com/webstore/category/ext/15-by-google...
None of any of this has anything to do with ad blockers nor some hidden agenda to kill them. It's about how selling a hobby project can be disastrous for users, and what (if anything) Google/Mozilla should be doing to prevent those hobby developers from wanting to sell in the first place.
Personally I think that's treating the symptom and not the cause, and a better policy would be something like Google or Mozilla preventing updates to extensions whose backing developer has changed. Although that would be hard to enforce.
In the long run, this might sadly be true, but I disagree for now. No way Google is doing this because of the goodness of their hearts.
They do it because they haven't completely squeezed out all competitors yet.
Removing or utterly crippling addons now would force users to realize what Chrome is while there still are options, meaning a huge chunk of the users would go to other browsers.
Look to Chrome mobile, the one that they can force ram down the throat of > 50% of mobile users. Chrome mobile doesn't have addons because it doesn't compete.
Sorry to all Googlers here for being so blunt, and feel free to point out one or more examples from the last few years where Google has prioritized their users above quarterly / yearly profits.
I used to be a huge fan but Google has massively disappointed me over the last 5-10 years.
> Sorry to all Googlers here for being so blunt, and feel free to point out one or more examples from the last few years where Google has prioritized their users above quarterly / yearly profits.
No need to apologize =]
An example that comes to mind is the current focus on accessibility. I think from an objective financial/engineering perspective, it's much preferable to just ignore accessibility because it adds complexity and isn't used by the vast majority of users. However, providing access to everyone is the right thing to do.
Another example is crisis tools (https://crisisresponse.google/). I don't think we make money from these apps.
Of course, I'm sure people will say this is just for marketing or something but in the end, how can one get around that?
I don't think Google is flawless. Far from it! But it's a huge company with way too many products so it's only natural there will be bad decisions and good ones, just as there are bad people as well as good people.
> Look to Chrome mobile, the one that they can force ram down the throat of > 50% of mobile users. Chrome mobile doesn't have addons because it doesn't compete.
I'm not sure I understand.. are you saying that Chrome mobile takes up a lot of RAM? Because if so I would agree with that, but isn't that precisely why extensions shouldn't be allowed? Implementing extensions would add an even greater burden and poorly written extensions would provide a bad user experience.
If anything I really wish we could strip Chrome down. I think people adopted Chrome early on because it was really light and personally I really feel like we let everyone down by letting it get so bloated.
I imagine it's support for things like "Chrome Apps" or more generally the desire to get websites to be able to do the same things as native apps. I suspect there's also the fact that Chrome has to support Chrome OS as well.
But I am new to Chrome OS so admittedly I am not too familiar on the history or background =]
For some reason I thought Chrome Apps were deprecated. PWAs can do most of the same things today.
That being said, I am not familiar with the technology so this is very much an uninformed opinion!
I could see this as a way for Mozilla to further distinguish Firefox from Chrome. If Firefox was seen in the developer community as the platform to target if you want to make money, it won't take long for extension developers to start targeting Chrome only as an afterthought, and users would start to shift towards thinking of Firefox as "the one I can extend."
I have no idea what this means, especially capitalized like a brand of some sort, so I don't know how supporting extension developers would help or hinder that.
> users would start to shift towards thinking of Firefox as "the one I can extend."
Users already thought of Firefox as the browser you could extend, but Mozilla decided that wasn't a priority. I don't see them suddenly reprioritizing that.
They'd lose their influence on the browser world and lose the ad revenue as well.
For that matter I don't think open browser producers can be expected to foot the bill for it either. Their browsers do not cost a thing, after all, and browser extensions only impact a very small part of their userbase.
Please remember that not everyone has a problem with ads, 'privacy invasion' and targeting. Some people do and think that everyone should think the same. I find this mentality rather stifling.
I feel like people should be more informed over the implications. If they still don't care once I explain the issues, that's their prerogative to not care. I feel like most people don't understand why the "I have nothing to hide" mentality will cost us plenty of freedoms we still have.
I agree with you though, most people aren't like the majority of HN users, they just don't care or don't understand.
Third or even half of the userbase is not a small part.
> Please remember that not everyone has a problem with ads, 'privacy invasion' and targeting.
Everyone has a problem with this once they understand what's going on and how it can be used against them. It's just most people are not software engineers and security, privacy related issues are hard for them to understand.
Look at something as simple as putting the tabs below the address bar. If Mozilla respected their users, it would be as simple as hitting the Customize button and then dragging the tab bar to the bottom. Then they stuck it in an about:config option. Then they required you to make a custom userChrome.css. Now guess what, in the newest version userChrome.css loading is disabled by default and you have to manually turn it back on. How long it will take before it's entirely disabled? I have no idea, but the message from Mozilla is clear: "You can use it the way we want you to or you can go to hell".
"Last updated: 3/12/2018"
I think if you already know web dev, you probably don't need a specific resource to figure it out - just dive right into it and look up which parts of API you need for certain things.
If you don't already know web dev, perhaps it would be better to learn that first and then look at extensions.
There are a couple of issues that come up if you just plonk a package.json in your root folder, for example - now you have the same information like extension name and version number duplicated across two files, the npm package.json and the webextension's manifest.json. Nevermind the fact that it's not obvious at all how to distribute the npm dependencies with the extension once you have them installed on your computer.
On all of these issues, the best "tutorial" I've found is just looking at the structure of sindresorhus's "refined GitHub" repo. He and the contributors have totally nailed how to integrate npm, automate the build and manage the package.json files plus much much more, in a very readable way. I would definitely consider mirroring the rough structure of refined GitHub just for sanity reasons. Everything about it makes sense.
Here's a link to the refined GitHub repo -- https://github.com/sindresorhus/refined-github
And if it helps here's a link to the extension I built using refined GitHub as a model -- https://github.com/spookyUnknownUser/laconic_hover
I tried to implement the most minimally important features of the build and packaging system of refined GitHub in my project.
Use Stripe and bake billing/account management into your app.
Same experience across browsers.
I feel like it's hard to justify paying for an extension so I'd love to know how you convince people to pay.
1. The browser introduces a flat monthly subscription, e.g., $5 per month.
2. If the user signs up, the browser would distribute the money between the extensions that the user has installed, by default.
3. The user would also have the option to direct the money to specific extensions and/or to exclude specific extensions from this payment.
4. This system would be completely optional, but the browser could in return provide an advanced extensions UI with extra privacy and security options.
I have a few extensions with 10-100,000 users and have received many emails from people asking to buy one. The numbers in the article seem accurate - if you have 100,000 users you could be looking at offers for tens of thousands of dollars. So, it's no surprise that developers cave in and compromise their users' security.
What's the best way to blame / troubleshoot a bad plugin? Because as soon as I add them all I experience 1-2 page crashes/infinite loops per hour.
You don't do that if the plugin is provided for free, you can just say "thanks" or "no thanks", just don't use it / develop your own.
I have way bigger stones I can grind my axe on, if I ever feel the need.
It will help addon developers or even bring new developers to support addons whose original developers want to move on to other things.
And no, the reaction to security issues should not be to further limit the extension API and declare war on the concept of general computing.
I don't condone this idea for browser plugins because the userbase for plugins are usually install and forget. I don't think most devs spend their time reading all the release notes of every plugin they install.
When you install a database server / engine, you take time to figure out if it's the one you want or not. You research the company and other companies using the product.
It is not as if every mainstream language doesn't have libraries to handle networking requests.
I wouldn't have switched to Firefox from Chrome if most of the extensions I was using wouldn't have had readily available equivalents or workarounds. I would have held off on test-driving the new Edge as my daily workhorse browser if I hadn't noticed an extension for my password manager in the Microsoft Store and found that I can install most extensions from the Chrome Web Store too.
Netscape and Opera prove that the paid browser business model is dead, sure, but that doesn't mean browsers (especially browsers developed by companies with lots of related paid services) don't represent value for the companies developing them -- and that those companies don't profit from that value.
Google especially benefits massively from Chrome's marketshare -- even to the extent that their own web services can get away with treating competitor browsers as second-class citizens. Extension developers contribute to the value driving that marketshare and open source extension developers do so with practically no return on investment.
This is just another example of the true sharing economy of open source clashing with capitalism (which is inherently based on extracting surplus value as profit, not sharing it back). Which would be fine, really, if the people participating in the sharing economy wouldn't also exist in capitalism and have to rely on their success under capitalism to ensure basic subsistence like food, shelter and the means of extension development.
Extension developers using ads, tracking, malware or selling their extensions to malicious entities are just trying to find ways within the system to capitalise at least on some of the value they've provided. That's undesirable and developers shouldn't be in such dire circumstances to be willing to give in, but this is a systemic problem.
Luckily unlike with most systems, this system is almost entirely in the hands of browser vendors. Browser vendors could emphasize donation options -- just look at how big open source projects like some Linux distros push donations while still allowing for freeloading. But browser vendors currently have no direct incentive to do so -- in fact, doing so might actually harm their metrics.