Sorry if this is a dumb question, I’m not a tech/IT person and am very early in my privacy journey.

I was going to install a web clipper browser extension that works with a notes app I’m trying out, but the installation page says it isn’t actively monitored for security by the organization behind my browser. The extension requires access to your data for all websites. However, the page also says that they don’t share data with any third party and don’t have access to this data themselves. What level of privacy risk am I taking on with this extension?

  • Jean-luc Peak-hard@piefed.social
    link
    fedilink
    English
    arrow-up
    1
    ·
    3 hours ago

    The real danger is in extensions that are safe to use but later get sold and updated to spy on you with the same permissions you’ve already granted.

    Best practice, as someone else already mentioned, is to use as few as possible and only those you trust or have wide community trust to help extend your own trust.

    Extensions I trust/use:

    • uBlock Origin (by Raymond Hill AKA gorhill on Github)
    • Snowflake (by the Tor project) doesn’t require any permissions.
    • SingleFile (by gildas-lormeau on Github)
    • Firefox Multi-account containers (by Firefox, obviously)
    • Dark Reader (by the Dark Reader Project)
    • Wayback Machine (by the Internet Archive)
  • blight@piefed.blahaj.zone
    link
    fedilink
    English
    arrow-up
    4
    ·
    7 hours ago

    By the number of stars on their git repository. I would never, ever, install an extension that’s not open source.

  • moonpiedumplings@programming.dev
    link
    fedilink
    English
    arrow-up
    7
    ·
    9 hours ago

    I check if it’s open source. If I can’t find the source code, it’s automatically a no go.

    Of course, even if it is open source, that’s not enough. Sometimes I delegate less trustworthy browser extensions to separate browser profiles, which are isolated and can’t read eachothers data.

  • neutronbumblebee@mander.xyz
    link
    fedilink
    English
    arrow-up
    3
    ·
    8 hours ago

    It’s disappointing but some nation state sponsored attackers are either adopting useful addons or creating them from scratch. After they have a sufficient base of trusting users they update the addon to add spying code that activates for a group of accounts possibly targeted by geolocation. The vast majority of users are not even affected. So with that going on it’s hard to be certain of an addons quality.

    I’d consider where the addons are hosted. Firefox and Chrome both allow reviewing existing addon permissions so disable when not required or split into risk level profiles for personal vs work vs anon browsing.

    • frongt@lemmy.zip
      link
      fedilink
      English
      arrow-up
      1
      ·
      6 hours ago

      That mostly happens with ad injection and credential stealing. I’m sure the kind of attack you describe happens, but it’s not relevant for most people.

  • frongt@lemmy.zip
    link
    fedilink
    English
    arrow-up
    1
    ·
    6 hours ago

    How sketchy it seems, and whether it has appropriately-scoped permissions. I’m too lazy to unpack an extension and analyze it.

  • artyom@piefed.social
    link
    fedilink
    English
    arrow-up
    5
    arrow-down
    1
    ·
    9 hours ago

    Checking if it’s open source is step #1. If it’s not, there’s really no way to verify if it’s private because there’s no way to know what it’s doing. Another thing you can do is analyze the web traffic with something like Wireshark. Theoretically a web clipper shouldn’t need to access any remote servers.

  • Jonas@lemmy.zip
    link
    fedilink
    English
    arrow-up
    2
    ·
    8 hours ago

    Check the extension’s privacy policy (usually linked on the installation page). If there’s anything you don’t like, don’t use the extension :)

    • CameronDev@programming.dev
      link
      fedilink
      English
      arrow-up
      1
      arrow-down
      1
      ·
      edit-2
      6 hours ago

      Privacy policies are entirely voluntary. No one validates them, they are meaningless.

      Edit: For anyone who thinks this is wrong, feel free to explain your reasoning. I have written two privacy policies for 2 separate apps, neither of them realistically restrict what I can do with the data that I manage. All google and discord care about is that the policy exists, they don’t verify that I am following them. Anyone with malicious intent isnt going to be affected by a privacy policy.