Over the years web browsers have become much more secure. All modern browsers are now pretty well protected against most types of attacks, and fixes are released promptly after a new vulnerability is discovered. Browser vendors like Google even offer cash prizes to those who report security holes in their Chrome browser.
So where do we find most of the threats against browser users today? Anyone remember the Flashback trojan, which infected over 600,000 Macs? How did it infect them? The Java plug-in was called from a web page and loaded a special Java applet that exploited a bug, gaining access to the system. And how is Java connected to your browser? It runs as a so-called plug-in, which is most often installed separately but has access to the browser itself through a plug-in API. Nothing the browser vendor does can circumvent the fact that this access to the user can represent a threat, and a threat that can only be identified and fixed by whoever wrote and published the plug-in or extension.
Now picture a browser with multiple plug-ins – Java, Flash, PDF reader, QuickTime, Silverlight and a bunch of extensions you can easily pick up and install, and you’ll see just how much plug-ins and extensions increase your so-called attack surface. While browser vendors are under heavy scrutiny to write secure code, plug-in and extension developers do not seem to be put through the motions in the same way, and many of them have mediocre security records (to put it nicely).
The great thing about compromising a plug-in or extension is that you can target multiple platforms in one go. Compromise Flash and you have a barn door open into a bunch of browsers and the platforms they run on, and you can wreak a lot of havoc before it’s discovered, *if* it is discovered, that is.
Plug-ins and extensions lag behind browsers as far as security goes, and their often frequent automatic updates add to the threat they represent. Some of these buggers are updated as often as once a month, making it really difficult to keep track of development and security implications. In most cases frequent updates are a good thing, making sure bugs are fixed and security is increased, but with plug-ins and extensions they also complicate matters and make it hard for users to know where they stand as far as security goes. Most people think that as long as their plug-ins and extensions are installed through a familiar trusted vendor like Google or Mozilla they will be safe, and do not pay much attention to the security risk. This is not the case.
You don’t have to look very long and hard to find studies about how big a problem browser plug-ins and extensions are. A 2011 study found that 94% of Adobe Shockwave, 70% of Java, 65% of Adobe Reader, and 42% of QuickTime installations in the enterprise were out-of-date. Although very frequent updates are a threat in themselves, keeping old versions around for too long is even worse. You simply can’t win.
Some will claim that browser plug-ins and even extensions should be on their way out. Plug-ins are still often necessary (Flash and Adobe), but companies like Google and Mozilla are working on solutions that would make many of them obsolete. The old plug-in APIs are also being phased out. As for extensions, they are still very much alive and kicking, and are being put out there by anyone who can put together some pieces of code and thinks they have found a need they would like to fulfill. There are also those who would like to see a browser that does it all without needing to expose the user to the threat plug-ins and extensions represent. Personally I would welcome such a browser. For the extension addicts it may be a step back, but one worth taking if you care about your security and privacy.
I started warning about the dangers of too much flexibility and lack of coordinated planning and testing when Firefox first came with an interface for browser extensions. The concept of “apps” takes that one step further, especially since systems using apps tend to prioritize functionality over safety. Ideally I would want a browser (or any app) to have to communicate through a dedicated firewall where I could have rules for just that program.
Yeah, the concept of Browser extensions has never made me feel very secure.
At least when say … the original Opera Browser had all the functions built in, we knew that it was all being designed and tested under one roof by personnel of a certain skill level. Now that Browsers, including the new Blink-based Opera, are trimmed down of functions out of the box and we have to add functions via extensions … that myriad of extensions is NOT designed and tested under the same roof. And those extensions are designed and put out there by people who I’m sure have wide-varying skill levels.
I’m keeping extensions on my Opera 20.0.1387.91 to an absolute minimum. I only have 2 extensions installed — Smart RSS and RSS Detector. Both of those are by BS Harou who if I am not mistaken, either still works for Opera or used to. So I guess I feel a little bit more at ease there knowing that I am at least somewhat familiar with the creator of those 2 extensions.
BS-Harou does not work for Opera, he wants to finish his study at the university first.
He wrote that extension in pure self-defense because he really missed the M2 based RSS feeds inside of the browser. During the non-public alpha and early beta phase I helped him with testing to make the extension as tight as possible. It could have been made in a different way but we opted for security first and all content is displayed in a sandboxed iframe, thus using the browser’s own security mechanisms to decouple it from the OS as far as possible. Yes, it has some drawbacks, like that you can’t play embedded Flash in RSS feeds (which are an abomination IMHO) and scripting will not work inside, but I still think it was the best way to go for an extension.
I personally divide extensions in 2 categories anyway: Active and passive extensions.
By my definition an active extension uses techniques like XHR or injected code etc. to retrieve and send data from and to other sites, passive extensions just work with the content and do not send anything to 3rd parties.
I don’t install any extension without first downloading and unzipping it to look at what is in the code. Mostly it is harmless stuff that only runs locally (apart from integrated Google Analytics stuff which I simply throw out). Then I look at which access rights the extension really needs and set them in the manifest file before repacking and signing it with my own key again.
I am always astonished to see which rights some extensions want to have, often half of those are not needed.
I saw it during the quick hack I made because I needed a viewer for image meta information:
https://vivaldi.net/blogs/entry/exif-viewer-extension-for-chromium-based-browsers
(You don’t want to know which permissions I set in the first internal developer version, but in the end it only needs access to the context menu for images (otherwise you could not right click at all :D) and to access http and https sites to request the raw image because there seems to be no way to get the raw image data from the browser cache to begin with.)
I could have injected code into the page to display the information in a fancier way, but why should I? The only benefit would have been, that it is a bit fancier – but the drawback is, that it eventually would change the page code and even potentially break the security of a secured page because an extension can indeed perform cross site requests from secured sites too. That all led to the decision to open a real popup window and perform all necessary things in that.
Drawback: Does not look as fancy as some of the other solutions.
Benefit: Stays clear from the site you opened and gets only the URL of the image you want to inspect and only when you want to inspect it and can’t manipulate other tabs. Does not block interactions with the main page, like a layer would do.
For me it was absolutely clear what to use. Sadly many developers opt-in for fancy …
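The manifest review described in the comment above can be partly automated. The following is an added example, not code from the commenter or from any extension mentioned here: it reads a parsed `manifest.json` and reports which host patterns and content-script injections the extension requests. The function name `auditManifest`, the `active-capable` label and the three sample manifests are assumptions constructed for illustration.

```javascript
// Added example. Match patterns that grant access to every site.
const BROAD_HOSTS = new Set(["<all_urls>", "*://*/*", "http://*/*", "https://*/*"]);

// In a manifest, host access is written as a match pattern (scheme://host/path).
function isHostPattern(p) {
  return p === "<all_urls>" || p.includes("://");
}

// Summarise what an extension is allowed to do, from its parsed manifest.json.
function auditManifest(manifest) {
  const requested = [
    ...(manifest.permissions || []),
    ...(manifest.host_permissions || []), // Manifest V3 lists hosts separately
  ].filter((p) => typeof p === "string");
  const hosts = requested.filter(isHostPattern);
  const apis = requested.filter((p) => !isHostPattern(p));
  const injected = (manifest.content_scripts || []).flatMap((cs) => cs.matches || []);
  const findings = [];
  for (const h of hosts) {
    if (BROAD_HOSTS.has(h)) findings.push(`broad host access: ${h}`);
  }
  for (const m of injected) findings.push(`injects scripts into: ${m}`);
  // Capability, not behaviour: host access or injection makes "active" use possible.
  const kind = hosts.length > 0 || injected.length > 0 ? "active-capable" : "passive";
  return { kind, apis, hosts, findings };
}

// Constructed sample manifests (not taken from any real extension).
const IMAGE_VIEWER = {
  name: "sample-image-viewer",
  permissions: ["contextMenus", "http://*/*", "https://*/*"],
};
const OVERBROAD = {
  name: "sample-overbroad",
  permissions: ["tabs", "cookies", "<all_urls>"],
  content_scripts: [{ matches: ["*://*/*"], js: ["inject.js"] }],
};
const LOCAL_ONLY = { name: "sample-local", permissions: ["storage"] };

for (const m of [IMAGE_VIEWER, OVERBROAD, LOCAL_ONLY]) {
  const r = auditManifest(m);
  console.log(m.name, r.kind, r.apis, r.findings);
}
```

A manifest only shows what an extension may do; whether it actually sends data anywhere still requires reading the code, as the comment describes.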
Doh! Okay … so BS Harou doesn’t work for Opera.
So far that Smart RSS extension is working fine. About the only thing I’d want added would be like when I am in the Trash page … I could use a Select All Button. Cuz as it is right now, I have to delete the trash in little bunches as selected by Shift Left Click. Unless there IS a Select All function somewhere in there and it’s just escaping my sight. IS there one?
The usual shortcuts should just work fine on the list.
Click on the trash can to switch to trash view, click on one item in the list, “Ctrl+A” “Del” – done – or right click on the trash can -> empty.