Extension security 101 · 2014-02-24 17:42 by Archive
We’ve recently received a couple of questions from users worried that Adblock Plus might be compromised. Don’t worry, it’s not. But that alone doesn’t warrant a blog post, does it? So here’s me talking about extension security a bit:
Any software you install (browser extensions are no exception) can do things against your will and without your knowledge. Software that does this is commonly called malware or spyware. It’s a real problem, which is why there’s a filter list that blocks sites known for distributing malware.
But the most important thing is to be careful about the software you install. It’s ultimately your decision, and you should make it based on whether you trust the person or site you got it from.
In the case of Firefox extensions, I strongly suggest that you only install them from addons.mozilla.org. They’re quite trustworthy: Anything that’s for download there has passed their review process, and you can be quite sure that no shady code makes it past that. You don’t have to worry about automatic updates either, because updates need to be reviewed as well (that’s why Firefox users didn’t get Adblock Plus 2.5.1 yet). And they’re keeping a particularly close eye on popular extensions that would affect many users, like Adblock Plus.
For Chrome extensions, the most reliable source is the Chrome Web Store. To install extensions from other sources you have to jump through some hoops, and on Windows it’s not even possible anymore. While Google doesn’t review the code of every extension, they do keep an eye on them (particularly the popular ones) and take anything down that’s known to be malware. With Opera it’s similar.
Internet Explorer extensions are probably the ones to be most worried about. They’re installed by installers, which can generally do things to your system that malware extensions couldn’t do in their wildest dreams. Installers can replace applications you trust (including browser extensions) with malware, install new malware, do anything really. And there’s no third party you can trust on this; you have to trust the site you’re getting it from.
When it comes to trusting us: Everything we make is open source, we have mandatory code reviews for every change, and we’re doing our best to keep our download servers well secured. So you can rest assured that we won’t let malicious code make it into any version of Adblock Plus you can download from adblockplus.org.