Ask HN: Do you use browser extensions, and if so, do you worry about security?

5 points by hairofadog about 2 years ago

I sometimes use one of the popular dark-mode extensions for Safari and Firefox, and I vacillate between thinking *it's almost certainly fine* and *I'm being grossly irresponsible by using this extension*. This would also apply to all sorts of extensions, not just dark-mode.

When I'm thinking *it's fine*, what I'm thinking is: They probably wouldn't feature this on the front page of the app store if the app was harvesting data. Right? Somebody has reviewed this, right? Lots of people use it, and it seems fine! And I really super hate getting up early, flipping open the laptop to do some quiet-time work, and being blasted in the face by the extra-bright backgrounds of the various web portals I have to access.

But then I think, here's this extension that can read everything on every page I visit, and even if they're being good citizens now, there's no guarantee they won't sell the extension to some nefarious data-harvesting company later, or that the NSA hasn't insisted they scoop up data and placed a gag order on them. (And it's not that I think the NSA is out to get me specifically, but it seems clear they have a "harvest everything" policy, and I believe everything harvested will eventually be leaked.)

So I dunno: is it fine? Or am I being grossly irresponsible?

4 comments

h2odragon about 2 years ago

For some reason the "Copy as Markdown" extension I use is demanding new permissions to upgrade. It's been working fine for a year and more without them, and seems fine without being given new permissions or upgrading. It does not *need* "Sync and Save data" for what it does.

So yeah maybe you should worry.

fsflover about 2 years ago

Qubes OS helps a lot here, since I can have several independent browsers with independent sets of extensions, none of which have access to all my data or browsing history.

Sujeto about 2 years ago

I trust my tab manager because I wrote it myself.

https://addons.mozilla.org/en-US/firefox/addon/grasshopper-urls/

lapcat about 2 years ago

> Do you use browser extensions

Yes. In fact, I write browser extensions.

> and if so, do you worry about security?

Yes and no. I don't worry about the security of extensions any more or less than I worry about the security of any native code that I install on my system. Native code is very powerful, and I think that people tend to overestimate the protection of sandboxing and other technological measures.

> They probably wouldn't feature this on the front page of the app store if the app was harvesting data. Right? Somebody has reviewed this, right? Lots of people use it, and it seems fine!

IMO this is the wrong way to think about it. You can't trust the App Store, app review is a joke, and crowdsourced anonymous reviews are a joke too, at best uninformed, at worst fake, fraudulent.

The best way to evaluate software is "old school", as it has always been since before the App Store existed: get your recommendations from friends and family, trusted associates, industry veterans, and professional published tech media reviews. Make sure to investigate and scrutinize the software developer; that's often more important than investigating and scrutinizing the software itself. It's all a matter of trust, and trust needs to be earned.

> even if they're being good citizens now, there's no guarantee they won't sell the extension to some nefarious data-harvesting company later

Well, developers who have a reputation for honesty and principles aren't likely to do this. Moreover (disclaimer: I make upfront paid extensions), I would argue that upfront paid extensions are more trustworthy than free extensions in this respect. It's a common refrain that if you're not the customer, then you're the product. And upfront paid extensions tend to have fewer total users than free extensions, for the obvious reason, which makes paid extensions much less interesting to data harvesters. Anyway, all software can get sold, so again there's nothing special about extensions in this respect. Don't enable auto-update. ;-)

> the NSA hasn't insisted they scoop up data and placed a gag order on them.

This is pure empirically unjustified paranoia. You need to worry about this for your operating system vendors, not for little indie app developers. The NSA doesn't give a crap about the latter. It would be like fishing in a rain puddle.

By the way, if you want to read more software reviews, go with the tech publications who still publish a monthly paid magazine. Sadly, the free online tech media have mostly (though not entirely) abandoned software reviews in favor of publishing corporate PR, rumors, and tweets.