📬 Browser extensions can let people snoop on what you see, hear, and type
Browser extensions, also called add-ons, can add useful functionality to our internet experience. But in 2019, a journalist at the Washington Post found extensions that, while installed in your browser, were selling personal and business information (Source: 1).
"I’ve watched you check in for a flight and seen your doctor refilling a prescription. I’ve peeked inside corporate networks at reports on faulty rockets. If I wanted, I could’ve even opened a tax return you only shared with your accountant." - Source: 1
Four years later, as of 2022, of all the major browsers, only Mozilla Firefox has an active program to verify the extensions made available to you. This is despite a report from late 2022 that popular extensions on Google Chrome, Microsoft Edge, and Brave were deceitfully manipulating the behaviour of people's browsers (Source: 4).
A browser is likely a productive human's most used app in the modern age. And we have some ideas about how to protect it. But how do we figure out which extensions, or add-ons, to trust enough to install them in our browsers?
To be protected, here are two suggestions for your use of browser extensions.
Use Mozilla-made extensions
Mozilla is the maker of Firefox. Well, Firefox is open source, so it's more accurate to say Mozilla's employees are the main contributors to Firefox. You could also split Mozilla into Mozilla Corporation and Mozilla Foundation...but we won't go there now.
I trust Mozilla to make Firefox safe. I trust the measures taken by Firefox contributors to make the browser safe. By extension, I also trust Mozilla-made extensions.
Use only extensions from Firefox's Recommended program
Firefox has a program called Recommended Extensions. In a nutshell, browser extensions nominated for the program are reviewed for security and policy compliance. So, I trust extensions with this badge to be vetted by this program.
The Recommended Extensions program manually reviews for security and policy compliance. I understand that to mean that people actually go over the code of the extensions.
I don't know if every subsequent update to the extension needs to go through the same level of review. I don't know if subsequent reviews become partially automated. That needs to be clarified by Firefox. But this program is a great start to bring sanity to the browser extension marketplace.
The Recommended list is curated. When the popular and Recommended HTTPS Everywhere extension was sunset, Firefox sensibly removed it, so you wouldn't have to do so manually on your devices.
Use no unverified extensions
This suggestion may be a pain for you. Extensions often add valuable functionality. But the price you could pay for an unreviewed extension is hidden and costly.
Mozilla-made extensions are few. The Recommended Extensions program has a fair number of very useful extensions, including the Firefox extension for Bitwarden. But you may find that some extensions you like using are not checked by the Recommended Extensions program.
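One way to check an existing Firefox profile against the two trusted categories above, as an added example (not part of the original post, and not Mozilla's code): it reads data shaped like the profile's extensions.json and flags installed extensions that carry neither badge. The field names, the "recommended" and "line" badge values, and every extension ID and name in the sample are assumptions or constructed values.

```python
import json

# Constructed sample shaped like the "addons" list in a Firefox profile's
# extensions.json. Field names (type, location, recommendationState.states)
# are assumptions about that file's layout; all IDs and names are made up.
SAMPLE_EXTENSIONS_JSON = json.dumps({"addons": [
    {"id": "pw@example.invalid", "type": "extension", "location": "app-profile",
     "defaultLocale": {"name": "Password Manager"},
     "recommendationState": {"states": ["recommended", "recommended-android"]}},
    {"id": "moz-tool@example.invalid", "type": "extension", "location": "app-profile",
     "defaultLocale": {"name": "Mozilla-made Tool"},
     "recommendationState": {"states": ["line"]}},
    {"id": "coupons@example.invalid", "type": "extension", "location": "app-profile",
     "defaultLocale": {"name": "Coupon Finder"},
     "recommendationState": None},
    {"id": "dark@example.invalid", "type": "theme", "location": "app-profile",
     "defaultLocale": {"name": "Dark Theme"}},
    {"id": "builtin@example.invalid", "type": "extension", "location": "app-builtin",
     "defaultLocale": {"name": "Built-in Feature"}},
]})

# Assumed badge values: "recommended" = Recommended program, "line" = made by Mozilla.
TRUSTED = {"recommended": "recommended", "line": "mozilla-made"}

def classify(addon):
    """Return 'recommended', 'mozilla-made' or 'unverified' for one add-on record."""
    states = (addon.get("recommendationState") or {}).get("states") or []
    return next((TRUSTED[s] for s in states if s in TRUSTED), "unverified")

def audit(extensions_json_text):
    """Classify every user-installed extension; themes and built-ins are skipped."""
    report = {}
    for addon in json.loads(extensions_json_text).get("addons", []):
        if addon.get("type") != "extension" or addon.get("location") != "app-profile":
            continue
        name = (addon.get("defaultLocale") or {}).get("name") or addon["id"]
        report[name] = classify(addon)
    return report

def unverified(extensions_json_text):
    """Names of installed extensions that fall outside both trusted categories."""
    return sorted(n for n, c in audit(extensions_json_text).items() if c == "unverified")

if __name__ == "__main__":
    for name, category in audit(SAMPLE_EXTENSIONS_JSON).items():
        print(f"{category:<13} {name}")
```

To audit a real profile, pass the text of its extensions.json to `audit()` instead of the sample.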
A small workaround
You'll notice that Chrome doesn't have a program for vetting and verifying extensions at all. So the suggestions above imply totally avoiding extensions in Chrome.
There's a workaround. Use Firefox as your main browser, and limit installing browser extensions to the categories suggested earlier.
You can also have multiple browsers on your computer. In those other browsers, you can install the unreviewed, untrusted browser extensions that you think you really need. Don't use those browsers for much else.
Until we have widespread review processes in place by other browser-makers who run the extension marketplaces, this is the least we can do to keep our browsers safe.