
jimrandomh yesterday at 10:28 PM (4 replies)

I think the main problem here is the ideology of software updating. Updates represent a tradeoff: On one hand there might be security vulnerabilities that need an update to fix, and developers don't want to receive bug reports or maintain server infrastructure for obsolete versions. On the other hand, the developer might make decisions users don't want, or turn even temporarily (as in a supply chain attack) or permanently (as in selling off control of a browser extension).

In the case of small browser extensions from individual developers, I think the tradeoff is such that you should basically never allow auto-updating. Unfortunately Google runs a Chrome extension marketplace that doesn't work that way, and worse, Google's other business gives them an ideology that doesn't let them recognize that turning into adware is a transgression that should lead to being kicked out of their store. I think that other than a small number of high-visibility long-established extensions, you should basically never install anything from there, and if you want a browser extension you should download its source code and install it locally as an unpacked extension.

(Firefox's extension marketplace is less bad, but tragically, Firefox doesn't allow you to bypass its marketplace and load extensions that you build from source yourself.)


Replies

efskap today at 3:13 AM

>Firefox doesn't allow you to bypass its marketplace and load extensions that you build from source yourself

It's less than ideal but you can 1) load extensions temporarily in about:debugging, 2) turn off xpinstall.signatures.required in nightly or dev edition to install them for good or 3) sign on addons.mozilla.org without publishing to the marketplace.

babuskov today at 7:13 AM

If the extension does something that isn't changing, like JSON Formatting, I guess it's best to disable updates right after you install it.

I just did this for all extensions I have in Firefox. Not sure about extensions like uBlock though? Doesn't it fetch new lists of sites to block or something like that? Or is that done separately from updates?
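The pref-based options efskap lists and the "disable updates after install" approach babuskov describes can also be enforced centrally through Firefox's enterprise policy file, which is what an administrator would use to make the setting stick across profiles. The following `policies.json` is an added example, not from either commenter: the `ExtensionUpdate` and `ExtensionSettings` keys are Firefox's documented policy names, while the extension ID and URL are placeholders. Note that this only stops add-on version updates; a filter-list-driven extension such as uBlock Origin fetches its block lists through its own mechanism, so those keep refreshing regardless of this setting.

```json
{
  "policies": {
    "ExtensionUpdate": false,
    "ExtensionSettings": {
      "*": {
        "installation_mode": "blocked",
        "blocked_install_message": "Add-ons are installed from reviewed source only."
      },
      "placeholder-extension-id@example.com": {
        "installation_mode": "allowed"
      },
      "another-placeholder-id@example.com": {
        "installation_mode": "force_installed",
        "install_url": "https://internal.example.com/placeholder/extension.xpi"
      }
    }
  }
}
```

Place the file in the `distribution` directory next to the Firefox binary (or under the OS-level policy path on managed machines); `about:policies` then shows which rules are active. With `"*": {"installation_mode": "blocked"}`, only the listed IDs can be installed, and with `ExtensionUpdate` false none of them are updated until a person reviews the new version and installs it deliberately.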

grishka today at 4:22 AM

For me, the solution is simple: anything you download and run locally should not auto-update ever, period. Installing an update (or refusing one) should always be a conscious user action. Otherwise it's just a socially-accepted RCE backdoor.