Sorry if this is a dumb question, I’m not a tech/IT person and am very early in my privacy journey.
I was going to install a web clipper browser extension that works with a notes app I’m trying out, but the installation page says it isn’t actively monitored for security by the organization behind my browser. The extension requires access to your data for all websites. However, the page also says that they don’t share data with any third party and don’t have access to this data themselves. What level of privacy risk am I taking on with this extension?
The real danger is in extensions that are safe to use but later get sold and updated to spy on you with the same permissions you’ve already granted.
Best practice, as someone else already mentioned, is to use as few as possible and only those you trust or have wide community trust to help extend your own trust.
Extensions I trust/use:
- uBlock Origin (by Raymond Hill AKA gorhill on Github)
- Snowflake (by the Tor project) doesn’t require any permissions.
- SingleFile (by gildas-lormeau on Github)
- Firefox Multi-account containers (by Firefox, obviously)
- Dark Reader (by the Dark Reader Project)
- Wayback Machine (by the Internet Archive)
By the number of stars on their git repository. I would never, ever, install an extension that’s not open source.
Afaik, any browser can save a webpage as a pdf without an extension. Best practice is to go with a single extension - uBlock Origin.
I check if it’s open source. If I can’t find the source code, it’s automatically a no go.
Of course, even if it is open source, that’s not enough. Sometimes I delegate less trustworthy browser extensions to separate browser profiles, which are isolated and can’t read eachothers data.
It’s disappointing but some nation state sponsored attackers are either adopting useful addons or creating them from scratch. After they have a sufficient base of trusting users they update the addon to add spying code that activates for a group of accounts possibly targeted by geolocation. The vast majority of users are not even affected. So with that going on it’s hard to be certain of an addons quality.
I’d consider where the addons are hosted. Firefox and Chrome both allow reviewing existing addon permissions so disable when not required or split into risk level profiles for personal vs work vs anon browsing.
That mostly happens with ad injection and credential stealing. I’m sure the kind of attack you describe happens, but it’s not relevant for most people.
How sketchy it seems, and whether it has appropriately-scoped permissions. I’m too lazy to unpack an extension and analyze it.
Checking if it’s open source is step #1. If it’s not, there’s really no way to verify if it’s private because there’s no way to know what it’s doing. Another thing you can do is analyze the web traffic with something like Wireshark. Theoretically a web clipper shouldn’t need to access any remote servers.
Check the extension’s privacy policy (usually linked on the installation page). If there’s anything you don’t like, don’t use the extension :)
Privacy policies are entirely voluntary. No one validates them, they are meaningless.
Edit: For anyone who thinks this is wrong, feel free to explain your reasoning. I have written two privacy policies for 2 separate apps, neither of them realistically restrict what I can do with the data that I manage. All google and discord care about is that the policy exists, they don’t verify that I am following them. Anyone with malicious intent isnt going to be affected by a privacy policy.






