I'm not fond of Chrome's app permissions at all. Too many apps just ask for permission to access everything, and there is little insight into what they exactly do.
I run the Ghostery extension and a year or so ago I noticed that when visiting YouTube ~15 analytic trackers were being blocked. Turns out a couple of extensions were injecting tens of trackers into popular sites (without my express permission), and I would have had no idea unless I had another extension to block and report this activity.
My girlfriend's computer is worse - her extensions seem to inject actual adverts into lots of her pages. I asked her why there was an obnoxious "click the bottle to win 1000000$" flash advert on Facebook and she thought it was just how Facebook is. Same thing for YouTube and other popular sites.
I just downloaded the app and went hunting. It indeed connects to some service; more specifically, it creates a webview (think iframe but better separated) with url "https://www.diigo.com/account/thirdparty/openid?openid_url=h... (which you should totally not access with a logged in google account, or in any other way).
It then adds several callbacks one of which handles loading stopped which causes the app to send a command "handshake" to the app. I have so far found two, one of which is a response to the handshake and the other is a command "launch" which opens the index.html command with a given title and data url.
This shit has China written all over it - and I mean so literally because the bg.js file has the following user information at the top, with a Chinese date:
Will keep digging. So far I haven't found out what it is it sends, but it does request access to both your google drive account and (most worryingly) to your EMAIL.
This is a definite no-install.
_Edit_: Remember what I said about your email info? Awesome screenshot can upload your screenshots to your gdrive; it does so using oauth2, which tells us the client that has access to it. In this case the app signs in as awesomescreenshot.com/client, but uses https://secure.diigo.com/kree as the actual signin url - which means that they now have access to your gdrive files.
That's why I started to build a list of trusted extensions which I've reviewed every line myself. Except for ones like Pushbullet, Pocket, and Lastpass
I stopped using ANY extensions for the same reasons. In most cases, the risks outweigh the benefits in orders of magnitude. Well, there are few exceptions, of course, but those are widely used developer tools.
For me, the Internet is largely unusable without adblock at the very least. I removed Ghostery and started using Disconnect instead. It does a much better job methinks.
In addition to this, on Firefox at least, I invoke about:config and make several settings changes:
- I disable prefetch.
- I disable media.peerconnect.
- I disable geo tracking.
- I disable HTTP/S referer.
- I disable DOM storage.
- I disable visited link tracking.
I also use EasyList, EasyPrivacy, and Malware domains adblock subscriptions.
In addition, as a Linux user, I want to use Flash on those sites that use it, but I don't want to deal with LSOs tracking me, so I take advantage of Flash by sending those LSOs to /dev/null. The Website is none the wiser and I get the benefit of the Website.
rm -rf .adobe
rm -rf .macromedia
ln -s /dev/null .adobe
ln -s /dev/null .macromedia
Surf with relative comfort knowing that you've already paid for your Internet connection with cash, no need to give away more of your privacy than needed. Blocking ads is great if you use any social media, as you don't have to see the sodden ads.
I use several web browsers, so rather than installing a different 'adblock' plugin for each one, I use Dan Pollock's excellent list as part of my hosts file:
http://someonewhocares.org/hosts/
(Mentioned in HN previously.)
Works well for MacOS X, Linux and Windows, and doesn't care what browser you're using.
I have been using it for 3+ years now without any problems.
I have a script to toggle moving the file out of the way and then back again, mostly so that I can give ad revenue to those sites that I feel are deserving.
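The on/off switch for the hosts-based blocklist described above, as an added example that is not part of the original comment: the blocklist is assumed to be already downloaded to BLOCKLIST, and HOSTS defaults to /etc/hosts (point it at a scratch copy to try it without root).

```shell
#!/bin/sh
# Added example (not the commenter's own script): toggle an ad-blocking hosts list.
# Assumed paths: HOSTS is the hosts file, BLOCKLIST the downloaded list of
# "0.0.0.0 host" / "127.0.0.1 host" lines. Both are read at call time, so they
# can be overridden per invocation.
HOSTS="${HOSTS:-/etc/hosts}"
BLOCKLIST="${BLOCKLIST:-$HOME/.hosts-blocklist}"
BEGIN_MARK="# BEGIN adblock hosts"
END_MARK="# END adblock hosts"

# Exit status 0 when the marked block section is currently present in $HOSTS.
adblock_enabled() {
    grep -qxF "$BEGIN_MARK" "$HOSTS"
}

# Append the blocklist between marker lines, leaving the original entries untouched.
adblock_on() {
    adblock_enabled && return 0
    {
        printf '%s\n' "$BEGIN_MARK"
        # Keep only well-formed loopback/null-route entries; drop comments and junk.
        grep -E '^(0\.0\.0\.0|127\.0\.0\.1)[[:space:]]+[A-Za-z0-9.-]+' "$BLOCKLIST" || true
        printf '%s\n' "$END_MARK"
    } >> "$HOSTS"
}

# Strip the marked section again so those hosts resolve normally (ads shown).
adblock_off() {
    adblock_enabled || return 0
    tmp=$(mktemp)
    awk -v b="$BEGIN_MARK" -v e="$END_MARK" '
        $0 == b { skip = 1; next }
        $0 == e { skip = 0; next }
        !skip   { print }' "$HOSTS" > "$tmp"
    cat "$tmp" > "$HOSTS"   # cat, not mv, so owner and mode of /etc/hosts are preserved
    rm -f "$tmp"
}

# Flip between the two states; this is the function to bind to a shortcut.
adblock_toggle() {
    if adblock_enabled; then adblock_off; else adblock_on; fi
}
```

Run `HOSTS=/etc/hosts BLOCKLIST=~/.hosts-blocklist adblock_toggle` as root to switch the list on or off for every browser on the box.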
I have toyed with the idea of using hosts files instead, but what bothers me is the lack of daily updates. Granted, there is so much bad crap out there that it's impossible to avoid it all.
Another thing I want to do is find a router that allows hosts files and script regular updates. It would be great to never have to install extensions or tinker with the hosts file for every box on the network. I've also said I'd be interested in seeing a proxy server that strips out all of this stuff so no maintenance on the user end is required.
Why do you find Disconnect.me better than Ghostery? I tried the former for a few days, but found its UI unwieldy, and couldn't find a way to disable just some things for specific sites (e.g. Disqus comments).
Ghostery is owned by a company that has ties to ad networks. I am, by principle, opposed to ads in Web content, so I want to use a product that loathes the idea as much as I do.
I have the right to browse the Internet without being tracked, my data sold without my permission, targeted ads delivered my way, you name it.
I've often thought about setting up a colo proxy server for people that strips out all ads, beacons, tracking cookies, you name it -- and give it away for free. With cheap hosting and unlimited bandwidth, this could be a good thing.
Disabling media.peerconnect does nothing to improve your anonymity. peerconnect (and, well, all websockets datachannels) requires user action to be enabled.
The entire premise is that somehow hole punching is dangerous and unstoppable with webrtc. Enterprise grade NAT environments can easily deal with both STUN and TURN hole punching.
If leaking internal IPs from your network is a security risk, you need to reevaluate what you're calling "security".
None of the article's concerns are concerns to any competent sysadmin.
E: replaced 'exposing' with 'leaking' to avoid confusion
To clarify (because I misunderstood the meaning of the comment before clicking the link), the parent is referring to leaking the IP addresses themselves, not 'exposing' access to them.
Did you know you can actually read the source code of most extensions that are on the Chrome Web Store? I'd rather that people start publishing their privacy policy honestly, or else Google blocks them from the Web Store.
Of course I know - at a point in time though. With Chrome's autoupdate mechanism, unless permissions change, I don't have to approve. I'm sorry, but if I multiply by my hourly rate the time I need to invest to secure the benefit of using extensions, which work only on the desktop anyway, this will be a huge investment I'm not willing to make. I was thinking at some point of creating a bunch of Chrome profiles and siloing different web activities, but this is too much work, and to be able to sync across machines I need separate Google accounts, i.e. too much effort still.
6 years ago I reported 2 important issues [1] to Diigo (XSS in all URLs if their extension is installed and information leakage for SSL pages - similar to what the author said).
Due to their response and lack of ability to understand security issues I stopped using them, it's a shame to see they are not any better after 6 years!
Free tools that provide value should hence be avoided. While evaluating a tool, I've always checked whether a company runs on 1. subscription money, 2. ads, or 3. selling my data.
I usually stay wary of signing up for anything which tilts towards 3.
Quite a lot of tools are actually really just free. Say, the Linux kernel, or most of the free software we all use everyday.
Then there are also the miscellaneous services run by someone on the internet mostly for themselves or a small community (or just to get some publicity for themselves) which are also free and don't run on ads, selling data or subscription. I do that, myself. Do you trust Naptha[0]? It was posted on HN some time ago, from the comments[1] I don't even see anyone bringing up the issue of trust.
Alternatively, for the use cases not needing to be in-browser, why restrict yourself to extensions? Your platform has full-featured apps doing the job out of the browser:
"Save to Google Drive" will create screenshots when applied on common websites. I use this now instead of bookmarking, as the screenshots are OCRed by Google Drive, giving me a searchable archive of interesting sites!
Heh, so you take a text format, make a picture out of it and let Google OCR it back to text? Are you sure you don't just want to save the HTML and resources (i.e. ctrl-s)?
A page nowadays is easily composed of hundreds of different files, several MB in size. A jpg is small, easy to store and share. I'd go as far as to say that the OCR of a screenshot gives me a way better search base than the source code, with all its formatting, meta-tags, variable names etc.
Unfortunately that's been half broken for months (years?). It's not possible to take full page screenshots, and the option panel creates error messages all the time.
There is a fork out there, unfortunately it's not in the Chrome Web Store yet. Maybe it will if it gets some love from HN:
I am using Full Page Screen Capture[0], which is a similar extension, but it still asks for "Access your data on all websites" and "Access your tabs and browsing activity".
I find it very hard to verify that an extension needs that to take screenshots, but now I have disabled that as well.
I guess the only real way to fix this is using something like PhantomJS to take pictures of public websites.
It’s malware & spyware free. I built the extension to take a screen cap of a seating chart that I built as a web page for my wedding—since all the other extensions at the time were broken. Why a web page for my seating chart? IDK, I wanted to play with CSS3 columns, alas I should have used photoshop…
I have been contacted by people who want to buy the extension, but it seems too dangerous, since they could easily install their own malware—I wonder if anything like this happened to “Awesome Screenshot”? My own conscience and, more importantly, my personal brand is too important to me to sell it.
In terms of the permissions, when I built it, I had to ask for those permissions in order to make it work. If you find any changes to chrome permissions that let me ask for fewer, please let me know or, better, submit a pull request.
Also, instead of PhantomJS, if you have a Mac, try out `webkit2png`, which works great as long as you don't need to login or interact with a page before the screenshot:
> You can drop api28.webovernet.com and the other site into your browser to see where they lead, but we’ll save you the suspense: they are actually redirects for the API for a company called Similar Web, which is one of many companies doing this kind of tracking, and selling the data so other companies can spy on what their competitors are doing.
Is that part of SimilarWeb Pro? It's not clear from the website how their service could be used to monitor the web client traffic of specific companies. An independent reference on the quoted claim would be helpful.
Regarding tracking. We had a hiccup at work, with a url that triggered an expensive cronjob. It was being hit mysteriously. It turned out to be the new tab page in Chrome or Firefox (I can't remember which one), which was requesting the url routinely. This basically shows that whenever you open your browser a group of sites get requests, whether you have them open or not. Therefore if you have FriendFace, say, as a most visited site, they'll get a request from you every time you sit in front of your machine, pretty much.
Yes, be careful because probably all of the developers of popular extensions are regularly getting offers to share their users' browsing data or to insert/replace ads on websites.
For Mac it's also possible to use 'Stache' from the app store. This has a full-page screenshot functionality built in. It costs $6,99 but it is also possible to store collections of interesting or inspiring pages/websites in a nice looking library. https://itunes.apple.com/us/app/stache/id870659406