To be fair, for me the extensions that get that are uBO, Privacy Badger, and Tampermonkey.
I trust gorhill and the EFF to not fuck me over on my data, and Tampermonkey kinda needs those sorts of permissions to work. My password manager has read access to every website but I'm already trusting it with all of my passwords so...
These extensions should not store any data without a master password that you input every time.
What if someone stole the signing key, and submitted an update to Chrome store, even for a little? Oh wait that is only for Chrome Apps. For extensions, they can literally update themselves anytime. Someone would just have to steal the certificate.
If an extension that reads all data uses a CDN (like Cloudflare), that CDN can execute a MITM attack against it and download new code; that would be catastrophic even if it was caught 1 day later.
>Oh wait that is only for Chrome Apps. For extensions, they can literally update themselves anytime. Someone would just have to steal the certificate.
Mozilla reviews signed extension updates. Something tells me uBO is one of the most scrutinized given how very many users it has.
>If an extension that reads all data uses a CDN (like Cloudflare), that CDN can execute a MITM attack against it and download new code; that would be catastrophic even if it was caught 1 day later.
My threat model doesn't include state actors targeting me specifically. Not sure much of anything works against that threat model besides maybe iOS in Lockdown Mode as your only device.