📬 Browser extensions can let people snoop on what you see, hear, and type


Browser extensions, also called add-ons, can add useful functionality to our internet experience. But in 2019, a journalist at the Washington Post found extensions selling personal and business information while installed in your browser (Source: 1).

"I’ve watched you check in for a flight and seen your doctor refilling a prescription. I’ve peeked inside corporate networks at reports on faulty rockets. If I wanted, I could’ve even opened a tax return you only shared with your accountant." - Source: 1

Four years later, as of 2022, of all the major browsers, only Mozilla Firefox has an active program to verify the extensions made available to you. This is despite a report from late 2022 that popular extensions on Google Chrome, Microsoft Edge, and Brave were deceitfully manipulating the behaviour of people's browsers (Source: 4).

A browser is likely a productive human's most used app in the modern age. And we have some ideas about how to protect it. But how does one figure out which extensions slash add-ons to trust enough that we can install them in our browsers?

To be protected, here are two suggestions for your use of browser extensions.

Use Mozilla-made extensions

Mozilla is the maker of Firefox. Well, Firefox is open source, so it's more accurate to say Mozilla's employees are the main contributors to Firefox. You could also split Mozilla into Mozilla Corporation and Mozilla Foundation...but we won't go there now.

[Screenshot: the Firefox Multi-Account Containers entry in a Firefox browser, an example of a Mozilla-made extension.]

I trust Mozilla to make Firefox safe. I trust the measures taken by Firefox contributors to make the browser safe. By extension, I also trust Mozilla-made extensions.

[Screenshot: the Extensions by Firefox Mozilla page.] Mozilla-made extensions are reviewed for the same security and policy compliance as the Firefox browser itself.

Firefox has a program called Recommended Extensions. In a nutshell, browser extensions nominated for the program are reviewed for security and policy compliance. So, I trust extensions with this badge to be vetted by this program.

[Screenshot: the uBlock Origin entry in a Firefox browser, an example of a Recommended Extension.]

The Recommended Extensions program manually reviews for security and policy compliance. I understand that to mean that people actually go over the code of the extensions.

[Screenshot: the Extensions by Firefox Mozilla page.] Recommended Extensions are reviewed for the same security and policy compliance as the Firefox browser itself.

I don't know if every subsequent update to the extension needs to go through the same level of review. I don't know if subsequent reviews become partially automated. That needs to be clarified by Firefox. But this program is a great start to bring sanity to the browser extension marketplace.

The Recommended list is curated. When the popular and Recommended HTTPS Everywhere extension was sunset, Firefox sensibly removed it, so you didn't have to remove it manually on your devices.

Use no unverified extensions

This suggestion may be a pain for you. Extensions often add valuable functionality. But the price you could pay for an unreviewed extension is hidden and costly.

Mozilla-made extensions are few. The Recommended Extensions program has a fair number of very useful extensions, including the Firefox extension for Bitwarden. But you may find that some extensions you like using are not checked by the Recommended Extensions program.
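One way to check a Firefox profile against the two suggestions above, as an added example that is not part of the original post. It assumes the profile's extensions.json holds an `addons` list whose entries carry `type`, `location` and `recommendationState.states`, with `line` marking Mozilla-made extensions and `recommended` marking Recommended Extensions; the sample data is constructed.

```python
import json

# Badge states treated as reviewed. Assumed values: "line" marks a
# Mozilla-made extension, "recommended" a Recommended Extension.
TRUSTED_STATES = {"line", "recommended"}

# Constructed sample shaped like a Firefox profile's extensions.json
# (field names are assumptions about that file, not a documented API).
SAMPLE = json.dumps({"addons": [
    {"id": "containers@example.invalid", "type": "extension",
     "location": "app-profile", "defaultLocale": {"name": "Container Tabs"},
     "recommendationState": {"states": ["line"]}},
    {"id": "blocker@example.invalid", "type": "extension",
     "location": "app-profile", "defaultLocale": {"name": "Content Blocker"},
     "recommendationState": {"states": ["recommended-android", "recommended"]}},
    {"id": "coupons@example.invalid", "type": "extension",
     "location": "app-profile", "defaultLocale": {"name": "Coupon Helper"},
     "recommendationState": None},
    {"id": "tabs@example.invalid", "type": "extension",
     "location": "app-profile", "defaultLocale": {"name": "Tab Tools"}},
    {"id": "dark@example.invalid", "type": "theme",
     "location": "app-profile", "defaultLocale": {"name": "Dark Theme"}},
    {"id": "builtin@example.invalid", "type": "extension",
     "location": "app-builtin", "defaultLocale": {"name": "Built-in Helper"}},
]})


def unverified_extensions(extensions_json):
    """Return sorted names of user-installed extensions with no trusted badge."""
    flagged = []
    for addon in json.loads(extensions_json).get("addons", []):
        if addon.get("type") != "extension":
            continue  # themes, dictionaries and language packs are out of scope
        if addon.get("location") != "app-profile":
            continue  # shipped with the browser, not installed by the user
        states = (addon.get("recommendationState") or {}).get("states") or []
        if TRUSTED_STATES.intersection(states):
            continue  # carries a Mozilla-made or Recommended badge
        name = (addon.get("defaultLocale") or {}).get("name")
        flagged.append(name or addon.get("id", "unknown"))
    return sorted(flagged)


if __name__ == "__main__":
    for name in unverified_extensions(SAMPLE):
        print("no review badge:", name)
```

To audit a real profile, pass the text of its extensions.json in place of `SAMPLE`.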

A small workaround

You'll notice that Chrome doesn't have a program for vetting and verifying extensions at all. So the suggestions above imply totally avoiding extensions in Chrome.

There's a workaround. Use Firefox as your main browser, and limit installing browser extensions to the categories suggested earlier.

📬 These 7 trustworthy extensions jumpstart our browser security and privacy
Extensions can make your browsing faster and safer, if done right. Install, and you’re set.
These extensions are a pre-selected set worth installing in Firefox.

You can also have multiple browsers on your computer. In other browsers, you can install those unreviewed, untrusted browser extensions that you think you really need. Don't use those browsers for much else.

Until we have widespread review processes in place by other browser-makers who run the extension marketplaces, this is the least we can do to keep our browsers safe.

Sources

  1. https://www.washingtonpost.com/technology/2019/07/18/i-found-your-data-its-sale/
  2. https://support.mozilla.org/en-US/kb/add-on-badges
  3. https://support.mozilla.org/en-US/kb/recommended-extensions-program
  4. https://www.bleepingcomputer.com/news/security/chrome-extensions-with-1-million-installs-hijack-targets-browsers/
