Browser Extensions: A history, threat analysis, and plan for Secret Chest



Software developers want to make everything extensible, or at least borrow all the extensible things others have made. Build an API for everything. Connect everything. Integrate everything. Computing itself is about productivity. Pascal built a calculator to be more productive. The generations of human computers and then electronic computers have done the same. Connecting different tools to automate different things or calling tools inside other tools is one way we can allow for people to boost their own productivity, rather than be prescriptive.


This is one reason that browser extensions have become ubiquitous. They add functionality and allow people to customize their own online experience. They go back to the early days of the Internet, when Microsoft, one of the best companies at APIs and extensibility, added Explorer Bars to Internet Explorer 4 in the late 1990s. These were essentially toolbars with additional features like search or translation. While limited, they sparked the concept of user-expandable browsers. It didn’t take long before the technology world realized that integrating browser extensibility with the operating system could also lead to some pretty wild stuff happening. Those Explorer Bars could be turned into spyware, and extensions integrated with the file explorer could go far further, in good and bad ways, than anyone could have thought. But then, we were just waking up to a globally connected world.


With the launch of Firefox in 2004, things took off even faster. Firefox embraced extensions wholeheartedly, calling them "add-ons" and building a thriving community around them. Developers flocked to create tools for productivity, accessibility, and entertainment, making Firefox the browser of choice for customization enthusiasts. In 2009, Google Chrome entered the scene, introducing a new approach based on web APIs. This allowed for more powerful and integrated extensions, paving the way for complex tools like grammar checkers and password managers. The launch of the Chrome Web Store in 2010 further fueled the growth of extensions, offering a central hub for discovery and easy installation. A store of this kind is now available in every browser.


Extensions Today

The rise of smartphones and tablets brought extensions to mobile browsers in the 2010s. While initially limited, mobile extensions have evolved to offer features like ad blocking and password syncing, adapting to the needs of on-the-go browsing. What’s old is always new again. As extensions became more widespread, security concerns emerged. Malicious extensions posed risks to user privacy and data. Browser developers responded by implementing stricter review processes and sandboxing extensions to limit their access to sensitive information.


Still, these extensions unlock features that are unparalleled - often allowing functionality to be used across any website. Let's delve into the top contenders in various categories:


Productivity:

  • uBlock Origin: Say goodbye to intrusive ads and trackers. It's customizable, resource-efficient, and open-source.

  • Grammarly: Your digital writing companion, Grammarly catches typos, grammatical errors, and suggests improvements to your writing style. Perfect for emails, social media posts, blog posts, or even crafting that next masterpiece of fiction.

  • Todoist: Keep tasks organized and conquer your to-do list with this intuitive task manager. Set deadlines, prioritize tasks, and collaborate with others to boost your productivity.

  • Momentum: Transform new tab pages into a beautiful and inspiring dashboard. Momentum displays stunning images with motivational quotes, helping start the day with a positive mindset.

Privacy Protectors:

  • Ghostery: Take control of online privacy with Ghostery. It blocks invisible trackers and scripts that collect your data, safeguarding your privacy across websites.

  • Privacy Badger: This extension learns browsing habits and automatically blocks trackers it deems invasive, protecting from unwanted data collection.

  • DuckDuckGo Privacy Essentials: Enhance privacy on all fronts with this comprehensive suite from DuckDuckGo. It blocks trackers, enforces HTTPS connections, and even provides email protection.

Entertainment Enhancers:

  • Pocket: Save articles, videos, and webpages for later with Pocket. Access saved content offline, on any device, making it the perfect tool for catching up on interesting reads later.

  • Dark Reader: Transform websites into a soothing dark mode with Dark Reader. This is a boon for nighttime browsing, reducing eye strain and creating a more comfortable reading experience.

  • Honey: Find coupons and deals automatically. There are a few of these. Most are shady though. Some weren’t, but became shady!

  • Loom: Record a screen and webcam to create quick and engaging video messages or tutorials. Loom simplifies communication and adds a personal touch to your online interactions.


There are also plenty of password managers that either only work as a browser extension, or that use a browser extension to expose different capabilities than just automatically filling a password. One example would be the early passkey support options available in some password managers. Most actually exposed a lot of their backend logic to other developers - because browser extensions are mostly just JavaScript, which lets anyone look at the raw source code. There’s more HTML, CSS, and other bits spread in there, but the core is typically lightweight JavaScript. Hopefully it's signed so it can’t be tampered with. But we’ll get to that in a bit.


Again, most everything on a computer is about productivity, going back to Pascal. Extensions allow for task management, note taking, time tracking, grammar checking, coupon clipping, exporting, and whatever other features someone can think of - directly on a webpage. They also allow for further personalization with some browsers and accessibility options for users who need things like text-to-speech, screen readers, or color contrast adjustments.


Every major browser has its own extension store, offering a vast library of options. Popular stores include:

  • Google Chrome Web Store

  • Mozilla Firefox Add-ons

  • Microsoft Edge Add-ons

  • Apple Safari Extensions


Protecting Extensions

While extensions are generally safe, it has been crucial to be critical of installed extensions ever since those 1990s Explorer Bars. Just like any software, they can introduce vulnerabilities if not approached cautiously. Let’s look at some steps to keep extensions secure:


Before Installing:

  • Stick to Official Stores: Download extensions only from official browser stores like Chrome Web Store or Firefox Add-ons. These platforms have vetting processes to minimize malicious extensions.

  • Scrutinize Reviews and Ratings: Don't just go by star ratings! Read user reviews to understand the extension's functionality, potential issues, and overall reputation.

  • Examine Permissions: Be wary of extensions asking for excessive permissions unrelated to their advertised function. Only grant the minimum permissions necessary for its core functionality.

  • Check the Developer: Research the developer's background and see if they have a good track record of maintaining and updating their extensions.

  • Look for Open-Source Options: Open-source extensions allow anyone to examine the code, potentially revealing hidden malicious intentions.
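
One way to do the "Examine Permissions" check above, as an added example that is not from the original post: a small Node.js script that reads an extension's manifest and flags permissions that cover every site or reach sensitive browser APIs. The sample manifest and the choice of which permissions count as sensitive are assumptions made for illustration.

```javascript
// Added example; SAMPLE_MANIFEST is constructed data, not a real extension.
// API permissions whose reach goes well beyond a single page (assumed list).
const SENSITIVE_APIS = new Set([
  "cookies", "history", "tabs", "webRequest", "nativeMessaging",
  "clipboardRead", "debugger", "management", "proxy", "downloads",
]);
// Match patterns that cover every site the user visits.
const ALL_SITES = new Set(["<all_urls>", "*://*/*", "http://*/*", "https://*/*"]);

function auditManifest(manifest) {
  const findings = [];
  const check = (list, source) => {
    for (const p of Array.isArray(list) ? list : []) {
      if (typeof p !== "string") continue; // ignore malformed entries
      if (ALL_SITES.has(p)) {
        findings.push({ source, permission: p, reason: "access to every site" });
      } else if (SENSITIVE_APIS.has(p)) {
        findings.push({ source, permission: p, reason: "sensitive browser API" });
      }
    }
  };
  // Manifest V2 mixes API names and host patterns in "permissions";
  // Manifest V3 moves host patterns to "host_permissions".
  check(manifest.permissions, "required");
  check(manifest.host_permissions, "required");
  check(manifest.optional_permissions, "optional");
  check(manifest.optional_host_permissions, "optional");
  for (const cs of manifest.content_scripts || []) {
    check(cs.matches, "content_script");
  }
  return findings;
}

// Constructed sample: a coupon finder that asks for far more than it needs.
const SAMPLE_MANIFEST = {
  manifest_version: 3,
  name: "Example Coupon Finder",
  permissions: ["storage", "cookies", "tabs"],
  host_permissions: ["<all_urls>"],
  optional_permissions: ["history"],
  content_scripts: [{ matches: ["https://shop.example/*"], js: ["content.js"] }],
};

for (const f of auditManifest(SAMPLE_MANIFEST)) {
  console.log(`${f.source}: ${f.permission} (${f.reason})`);
}
```

To check an installed or unpacked extension, load its manifest.json with JSON.parse and pass the result to auditManifest; a finding is a prompt to ask whether the advertised feature really needs that access, not proof of malice.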


After Installing:

  • Keep Extensions Updated: Outdated extensions often contain unpatched vulnerabilities. Regularly update your extensions to benefit from security fixes and new features.

  • Disable Unused Extensions: Don't clutter your browser with inactive extensions. Regularly review and disable those you no longer use, reducing potential attack vectors.

  • Consider Antivirus Scans: Some antivirus software offers scans for malicious browser extensions, adding an extra layer of protection.

  • Be Wary of Phishing Attempts: Extensions can be used for phishing scams. Double-check URLs before logging in to sensitive accounts within extensions.

  • Report Suspicious Activity: If there’s unusual behavior or privacy concerns, report the extension to the browser store and consider removing it immediately. Also the source code is there. Read it if there’s something funky.


Additional Tips:

  • Use a Dedicated Browser for Sensitive Activities: Consider having a separate browser for online banking, shopping, or other sensitive activities where you use fewer extensions.

  • Enable Two-Factor Authentication (2FA): Wherever possible, use 2FA for accounts accessed through extensions, adding an extra layer of security.

  • Educate Yourself: Stay informed about common browser extension security threats and best practices.


Links to more technical bits I wrote about extensions:



At the end of the day, giving a browser extension access to the file system or an autofill credential provider or almost any resource, really, like being able to read objects on the screen, will open an individual (and through the individual, an organization) up to productivity boosters that have a chance of coming with some not great things. That’s been a struggle for me, personally, when I think of writing extensions for apps I work on. And really, lots of developers face a crucial decision when crafting new features: should they build it as a browser extension or integrate it directly into a native app, if there is one?


Secret Chest and Extensions

Both options have their merits and drawbacks, and the optimal choice depends heavily on the specific functionality and target audience. It’s funny, as I think deeper about something, like is it just that I’ve been told that these suck, or is it just that I’ve always considered them to be a security risk that holds me back from doing more with extensions - because they can help Secret Chest users who use Chrome or Firefox. But let’s take you through the deeper thinking we’ve done, while strolling through olive gardens like a Thales of Miletus might have done in the 500s BCE. Actually, it’s too cold for that in Minnesota. But moving on to some pros and cons of browser extensions, from a developer’s point of view:


Pros:

  • Faster Development and Distribution: Building extensions typically requires less coding and resources compared to native apps. They can be quickly developed, tested, and published on extension stores, reaching a wide audience across different platforms (Chrome, Firefox, etc.).

  • Minimal Permissions: Extensions access limited parts of the browser environment, reducing privacy concerns and potential security risks for users.

  • Easy Updates: Bug fixes and new features can be rolled out through store updates without requiring users to download and install a whole new app.

  • Users can see source code: I want to be transparent.

Cons:

  • Limited Functionality: Extensions are restricted by the functionalities exposed by the browser API. They can't access hardware features or perform complex tasks typically available in native apps.

  • Reliance on Browser: Functionality depends on the user having a specific browser installed and updated.

  • Security Concerns: Malicious extensions can pose security risks if users unknowingly install them.

  • Users can see source code: they see my embarrassingly bad code.

  • Yet another artifact and build and variation and test cases…


But then trying to build certain functions into native apps also has its own set of pros and cons:


Pros:

  • Rich Functionality: Native apps can leverage the full potential of the device's hardware and operating system, offering enhanced performance, offline functionality, and access to broader system resources.

  • Customizable UI/UX: Apps provide complete control over the user interface and experience, allowing for deeper engagement and branding opportunities.

  • Offline Access: Certain functionalities can work even without an internet connection, which is crucial for specific use cases.

Cons:

  • Complex Development and Distribution: Building and distributing native apps for different platforms (iOS, Android, etc.) requires more time, resources, and platform-specific expertise.

  • App Store Approval: App stores have stricter review processes, potentially delaying release or requiring changes to comply with guidelines.

  • Larger Downloads and Updates: Updates and new features require users to download and install the entire app again, which can be inconvenient.


The optimal approach depends on the specific needs of any project. Consider these factors:


  • Functionality: Does the feature require deep system access or offline functionality?

  • Target Audience: Do you aim for a broad reach across platforms or a specific user base with a preferred browser?

  • Development resources: How much time and expertise can you dedicate to development and maintenance?

  • Security and privacy considerations: How sensitive are the user data and functionalities involved?


Ultimately, I still haven’t found a compelling reason to write an extension. Secret Chest almost certainly will, eventually. Just going to wait for a request that requires an extension for now. So alllll of this was just to take you through what was going through our heads when we took this thought journey months ago, and what we think each time it comes back up. Yes, it will happen - but we’d rather build cool features into the core app and kick the can down the road a little further.
