This weekend, I was doing a little 'housekeeping', and went through an old machine. I was looking at my Google Chrome browser, and pulled up all the plugins. What to my surprise did I see on a VPN plugin: a red triangle with an exclamation point and the words, "This extension contains malware." (Yes, the irony is strong with this one).
My mind immediately thought several things at the same time:
- Who does quality/screening for plugins in the store? What does this process look like?
- How can you know enough about my browser to feed me this warning (I am pretty sure I would not have downloaded this if the warning had been there previously)?
- What else do you know about my plugins? My browsing history?
- Why didn't Elton John go with 'John Elton'?
- Did I forget to take my Adderall?
So, I started to review a few other plugins, and saw something that I found 'concerning'. Many plugins required a LOT of permissions when installing, so they could 'function properly'.
What exactly is 'a lot'? Well, take a look at the screenshot again from this VPN Chrome extension:
- Read and change all your data on the websites you visit
- Display notifications
- Manage your apps, extensions and themes
WHY would I ever give a plugin the ability to read and CHANGE my data on the sites I visit?!
Or manage my other apps, extensions and themes (keep in mind that this particular plugin was supposed to keep my communications private and secure)?
The answer is: Because apparently, we don't get a choice. Any extension that interacts with websites will almost always require “Read and change all your data on the websites you visit” permission.
Our good friends over at howtogeek also explained that Chrome is one of the few browsers that asks for your permission, instead of just blindly installing it. So, I guess that’s something?
Chrome has a permission system for its extensions, while Firefox and Internet Explorer do not. Every Firefox and Internet Explorer extension has full access to the entire browser and can do anything it wants.
OK...so Explorer/Edge and Firefox are just installing extensions without even asking me for my permission or telling me what they are able to do. Huh, good to know. Time to go dig out my Netscape 3.0 floppy disk.
What should you do when faced with this scary warning? Theoretically, do not worry (LMAO). Any 'store' that offers browser extensions should have a screening process monitored by the company, and the ability to remove bad extensions. Obviously, the reality is different.
(One day, when I get around to telling how hard it was to get my Zombie Scanning App approved by the Apple Store, you will really appreciate this irony. I was rejected several times for making false promises that the hardware was not really capable of scanning a person to see if they were a zombie. It took numerous emails to explain the history of zombies, and that they were, in fact, not real. It's a good story, but back to the show).
So what is 'best practice'?
The 'best practice' is the usual when installing any type of software.
- Ask if you really need it
- Is there an alternative?
- Is it worth the risk?
You may want to run some anti-virus/malware scans on your device after installing it - just to be safe.
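The three permissions from the screenshot above can also be checked directly in an extension's manifest.json, before installing or when reviewing what is already on a machine. The script below is an added example, not part of the original post: the mapping from manifest entries to prompt text, the function names and the sample manifest are assumptions made here, and the path to the profile's Extensions folder is supplied by the caller.

```python
import json
from pathlib import Path

# Match patterns that grant access to every site.
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
ALL_SITES = "Read and change all your data on the websites you visit"
# API permissions from the screenshot, keyed by their manifest name.
API_WARNINGS = {
    "notifications": "Display notifications",
    "management": "Manage your apps, extensions and themes",
}


def audit_manifest(manifest):
    """Return the broad install-prompt warnings a manifest would trigger."""
    declared = list(manifest.get("permissions", []))    # MV2: APIs and hosts
    declared += manifest.get("host_permissions", [])    # MV3: hosts
    for script in manifest.get("content_scripts", []):  # injected scripts
        declared += script.get("matches", [])
    names = {p for p in declared if isinstance(p, str)}
    findings = [ALL_SITES] if names & BROAD_HOSTS else []
    findings += [text for perm, text in API_WARNINGS.items() if perm in names]
    return findings


def audit_profile(extensions_dir):
    """Audit every <id>/<version>/manifest.json under an Extensions folder."""
    report = {}
    for path in sorted(Path(extensions_dir).glob("*/*/manifest.json")):
        try:
            manifest = json.loads(path.read_text(encoding="utf-8-sig"))
        except (OSError, ValueError):
            continue  # unreadable or malformed manifest: skip it
        findings = audit_manifest(manifest)
        if findings:
            ext_id = path.parent.parent.name
            report[ext_id] = {"name": manifest.get("name", "?"),
                              "warnings": findings}
    return report


# Constructed sample manifest (not the extension from the post).
SAMPLE = {
    "name": "Example VPN",
    "manifest_version": 2,
    "permissions": ["<all_urls>", "notifications", "management", "proxy"],
}

if __name__ == "__main__":
    print(audit_manifest(SAMPLE))
```

An empty result only means none of these three broad grants is requested; it says nothing about whether the extension is trustworthy.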
Something to think about when you're not freaking out about all the other things happening.
Stay Safe!
-Aaron