It seems like the majority of plugins will need to access all websites. Just looking at my list of plugins:

- EditThisCookie

- ResourceOverride

- Ad blocker

- Grammarly

- LastPass

I absolutely expect these to work regardless of website. It seems perfectly reasonable for this to be the default behavior.

And both Grammarly and LastPass have had security bugs that let any website worm their way into the extension and access all the data from the extension (anything you've ever typed, for Grammarly, and all your passwords, for LastPass). Extensions with wide-ranging access are useful, and there's a reason Chrome has support for it, but they're also very very hard to get right, even if your entire business is writing a security-focused browser extension.

You could go the approach Firefox is going on mobile where there are currently six vetted extensions. As it turns out, they all need access to every website (or fine-grained APIs, perhaps). But... there are six of them. https://blog.mozilla.org/addons/2020/04/14/april-extensions-...
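As an added illustration of the kind of flaw described above (a website reaching into an extension's data), not code from LastPass, Grammarly or any other extension: a content script that answers page requests for stored credentials must check who is asking. The vault contents, the message shape and the `get-credentials` request type are all constructed for this example.

```javascript
// Constructed sample vault, keyed by the origin each credential belongs to.
const VAULT = {
  "https://bank.example": { user: "alice", pass: "hunter2" },
};

// Vulnerable pattern: any page that posts a message with the right "type"
// is answered, regardless of which origin sent it or which site it asks for.
function handleMessageUnsafe(event) {
  const msg = event.data;
  if (msg && msg.type === "get-credentials") {
    return VAULT[msg.site] || null;
  }
  return null;
}

// Hardened pattern: the request must come from the page the content script
// is running in (pageOrigin, normally window.location.origin), and a page
// may only receive the credential stored for its own origin.
function handleMessageSafe(event, pageOrigin) {
  if (event.origin !== pageOrigin) return null;          // drop cross-origin requests
  const msg = event.data;
  if (!msg || msg.type !== "get-credentials") return null;
  if (msg.site !== event.origin) return null;            // no asking for another site's secret
  return VAULT[msg.site] || null;
}

// In a real content script the hardened handler would be wired up like this;
// guarded so the file also runs outside a browser.
if (typeof window !== "undefined" && typeof window.addEventListener === "function") {
  window.addEventListener("message", (ev) => {
    const creds = handleMessageSafe(ev, window.location.origin);
    if (creds) ev.source.postMessage({ type: "credentials", creds }, ev.origin);
  });
}
```

With the unsafe handler, a message from `https://evil.example` asking for `https://bank.example` gets the bank credential back; the hardened handler returns nothing for it.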


Do you have a link for that claim on LastPass? I use the extension and am wondering if I shouldn't use a PM extension that's more reliable in terms of security. Any recommendations obviously welcome.


See my podcast's episode on this :) https://looseleafsecurity.com/episodes/password-manager-secu... (there's a full transcript in there if audio isn't your thing)

The LastPass issues are all pretty old at this point - I mostly mention it to drive in the point that getting this stuff right is hard. (For what it's worth, the researcher who found those issues has good things to say about LastPass: https://twitter.com/taviso/status/1167311357957435392 and also fairly negative things to say about 1Password, which is what I happen to use.)


Any opinion on Bitwarden?


IMO a password manager is an extremely critical piece of software that I'm ok with if I trust its security model. There are a couple whose security models I do trust. However, merging those security models with random extensions that may or may not have full run of all code executing in the same context as my password manager is a hard no. It's baffling to me that any legit password managers go to the trouble to write and support browser extensions, given the risk. It's betting your reputation for security on a very small amount of user convenience.


BTW the 6-extension whitelist is for Firefox Preview. The normal Firefox app doesn't have a whitelist.
