ChromeGalvanizer – Harden your browser against extension backdoors and exploits

101 points by mandatory, about 5 years ago

8 comments

squarefoot, about 5 years ago
Being a FF user I can't use it, but it made me think about the dangers of extensions being hijacked. It would be nice to have as a browser built-in feature a domain-based whitelist that enables access to extensions according to a trust level, so that for example any newly encountered domain can be accessed by all extensions by default, but if I assign say my bank domain a level of N, only extensions whose trust level exceeds that N number would be able to access its data while others would be bypassed, then a fixed maximum value of say 10 would mean all extensions bypassed for the paranoid. Probably even a trusted/not trusted flag would suffice, but just in case one wants to differentiate between locally written and installed extensions that can't self update, then official and non official ones. Doable?
superasn, about 5 years ago
I've made it a rule to right click all chrome extensions icons and then set them to "This can read and change data > On www.example.com" on sites I really intend to use them. This prevents them from reading all sites but also prevents the annoyance of reloading the page every time you need to use the extension. Also some extensions like Likepass inject some really ugly HTML into form fields (it also takes care of that)

It's a pretty useful feature that many people miss.
dsun179, about 5 years ago
This sounds great, I will try. Is it somehow possible to restrict the internet access of a single extension? For example I have an add-http-header extension that has no reason to create a connection to an outside server.
miles, about 5 years ago
Just tested in Windows with a registry file generated via the linked web interface[0]. Dark Reader was not prevented from accessing sites that should have been excluded based on the imported policy, even after a reboot. Has anyone successfully tested Chrome Galvanizer?

[0] https://thehackerblog.com/galvanizer/
PappaPatat, about 5 years ago
> Using Chrome Galvanizer, you can protect yourself from attacks like this by specifying specific sites that one or all of your extensions can no longer access. For the MEGA case, if users had created a policy restricting access for the MEGA extension to access amazon.com, live.com, github.com, google.com, myetherwallet.com, mymonero.com, and idex.market then they'd be protected from the attack.

You might as well turn off the internet for some.
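
The per-extension site restriction quoted above can be expressed with the `runtime_blocked_hosts` key of Chrome's enterprise `ExtensionSettings` policy. The sketch below is an added example, not part of the thread and not ChromeGalvanizer's own code: it assumes that policy is the mechanism in play (the thread does not name it), uses a constructed placeholder extension ID, and its helper names are hypothetical. It builds the policy for the listed domains and includes an approximate matcher for checking which hosts a policy covers, the kind of check the test report above calls for.

```python
import re

# Chrome extension IDs are 32 characters from the range a-p.
EXT_ID_RE = re.compile(r"[a-p]{32}")
# Constructed placeholder: the thread does not give the MEGA extension's ID.
PLACEHOLDER_EXT_ID = "a" * 32
# Domains named in the quoted MEGA example.
MEGA_TARGETS = ["amazon.com", "live.com", "github.com", "google.com",
                "myetherwallet.com", "mymonero.com", "idex.market"]

def blocked_patterns(domains):
    """Turn bare domains into host patterns for the domain and its subdomains."""
    patterns = []
    for d in domains:
        d = d.strip().lower().rstrip(".")
        if not re.fullmatch(r"[a-z0-9-]+(\.[a-z0-9-]+)+", d):
            raise ValueError(f"not a bare domain: {d!r}")
        patterns.append(f"*://*.{d}")
    return patterns

def build_policy(ext_id, domains):
    """Policy dict; ext_id is one extension's ID or '*' for the default scope."""
    if ext_id != "*" and not EXT_ID_RE.fullmatch(ext_id):
        raise ValueError("extension ID must be '*' or 32 letters a-p")
    return {"ExtensionSettings":
            {ext_id: {"runtime_blocked_hosts": blocked_patterns(domains)}}}

def host_is_blocked(policy, ext_id, host):
    """Approximate Chrome's matching, to sanity-check a policy before deploying.
    Simplification: an extension with its own entry ignores the '*' entry."""
    settings = policy["ExtensionSettings"]
    entry = settings.get(ext_id, settings.get("*", {}))
    host = host.lower().rstrip(".")
    for pattern in entry.get("runtime_blocked_hosts", []):
        base = pattern.split("://", 1)[1]
        if base.startswith("*."):
            base = base[2:]
            if host == base or host.endswith("." + base):
                return True
        elif host == base:
            return True
    return False

if __name__ == "__main__":
    import json
    print(json.dumps(build_policy(PLACEHOLDER_EXT_ID, MEGA_TARGETS), indent=2))
```

On Linux, Chrome reads managed policy JSON from `/etc/opt/chrome/policies/managed/`, and `chrome://policy` shows whether the browser actually loaded it.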
jamieweb, about 5 years ago
It's a challenge to weigh up the risk of not using an adblocker versus the risk of the extension getting compromised.

I guess that solutions like DNS-level blocking or custom hosts files are a fair balance, but I still like the DOM-based per-element control found within adblock extensions.

And then I see people with like 20 extensions installed...
tchaffee, about 5 years ago
I open Chrome once in a while for testing or on the rare occasion something only works there, so maybe this is useful for those occasions. But if you're serious about security and privacy shouldn't you be avoiding Chrome as your regular browser?
1cvmask, about 5 years ago
Who uses this?