
Pro tip: don't use Chrome extensions. They are a trivial and huge security risk. Similar to how random exes were some years ago, only much worse. Use Tampermonkey scripts instead.

Tampermonkey scripts are

  - open source and easily modifiable 
  - permissions are firmly controlled
  - you can disable auto update


> permissions are firmly controlled

Not meaningfully. A Tampermonkey script has complete access to the information in a webpage it runs in. This is necessary for its operation and not something I have a problem with, but I'd never say it's an improvement in terms of security.


Further, there's no requirement that a Tampermonkey script be open source. They usually are, but so are the regular extensions I choose to install.

I don't know about Chrome, but Firefox also allows automatic updates to be disabled on a per-extension basis.

I'm a fan of userscripts, but let's not pretend they're magically better.


There is a blocklist and an allowlist for which sites it can run on.

For example Firefox can't even control on which websites the extensions run. This is stupid and bad. Tampermonkey just does this thing right too.

Edge at least has an allowlist, if I'm not mistaken.


The permissions to run scripts in the context of a webpage (i.e. full access, what Tampermonkey does) are gated on a per-site level.

E.g. here's the "bypass paywalls" extension requesting permission to inject content scripts into particular sites: https://github.com/iamadamdev/bypass-paywalls-chrome/blob/c6...
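As an added illustration of the per-site gating described above (not taken from the linked repository or from any commenter), this is the shape of a Manifest V3 `manifest.json` whose content script is confined to one host; the extension name and the `news.example.com` host are placeholders.

```json
{
  "manifest_version": 3,
  "name": "example-scoped-extension",
  "version": "1.0",
  "content_scripts": [
    {
      "matches": ["https://news.example.com/*"],
      "js": ["inject.js"],
      "run_at": "document_idle"
    }
  ],
  "host_permissions": ["https://news.example.com/*"]
}
```

Widening `matches` and `host_permissions` to `<all_urls>` is what grants the page-wide access the thread is arguing about; the userscript counterpart is the `@match` line in Tampermonkey's `// ==UserScript==` header, which plays the same scoping role.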


But I want to use extensions! Extensions do so many useful things that go beyond what scripts with fewer permissions can do. I want a utility that handles screenshotting sections of pages. I want a thingy that tracks the price history of products on Amazon so I know if something is real on sale or fake on sale. I want a thing that makes ssh sessions clickable for my weird internal ssh thingy. I want the stupid and experimental web mashup extensions that add weird stuff like "a chat room for every website you visit so you can chat with other people using that website." Well, okay, I don't want that last one, but I want it to exist.


These things worked well when the internet was a toy.

Now it's no longer a good idea because that same browser is also:

- your bank,

- likely your point of contact with the government / tax folk

- the place you do your shopping

- the portal for most of your communications with the rest of the world


The price for convenience is security. If you are willing to hand your digital life to others, you will gain the convenience that you seek. You are seeking to become a digital king by gaining digital servants that handle every aspect of your life. The day one of them betrays you, it will be painful for you at the very least.


Sure, but to continue the metaphor, the price for not relying on others is having to do everything yourself. And no king can succeed alone.


Fuck that. Pardon my language, but that's a falsehood I am so sick of hearing repeated, and the only reason anyone believes it's an inevitable tradeoff is that this belief has been imposed on us by proprietary software ecosystems that have obtained the monopoly status needed to unilaterally reject competing models.

The price for convenience and security being compatible is for these extensions to be auditable and for updates to be opt-in. Sure, someone could still install malicious updates under this model, but the value proposition of doing so scales with the number of people who care about the thing, and auditability allows experts who care about the thing to warn people if it does something suspicious, which also scales with the number of people who care about the thing.


As the web becomes more of an OS this becomes increasingly absurd. Extensions are becoming like apps, and they can be synced across machines.

TM still requires trusting their extension and script authors.


Would be nice to have an extension manager that operates like Tampermonkey, to be able to customize code and manage revisions.


Tampermonkey itself is a browser extension and closed source, so you have the same problem if the ownership changes.


Your point stands in case of any browser, but I am still curious: Why use Chrome at all?


It's what people are used to and usually what they're expected to use at work. Most people don't care too much about privacy/their data.


Just install extensions directly from GitHub/GitLab/whatever. No auto-updates (probably), and it's open source.


You forgot that Tampermonkey itself is an extension and has the same problems that you mentioned.


A closed-source extension plus a bunch of random scripts ("unpackaged extensions", essentially, by even less well-known authors with no review anywhere) is not the win over extensions that you think.



