Motivated by the Chrome extension Under New Management, I want to suggest a mechanism that detects if the owner of an extension changes.

For a detailed background story on that, I would suggest reading the "Under New Management" repository readme.

As a short motivation:
It could be the case that shady actors attempt to buy popular/viral extensions.
Changing the ownership itself is not the problem, but there are cases where the new owners infiltrate the code with damaging or spying capabilities.
Having automatic updates in this case could be harmful. I know that this could also happen when updating manually because one does not always verify if the owner of the extension still provides trustworthy releases, but it would be a nice feature to have.

I think the "Manage Extensions" menu still has enough space to cover these details.

    oxi_moron Would you like to expand the proposal with thoughts about how that would look in the interface?

    Also, summary technical details about the mechanism surfaced in this post would be great for anyone wanting to participate. Does this work for both Chrome and Firefox extensions?

      As a separate question but linked to this one, and motivated by a similar question - it would be good to understand if there are any checks on the integrity of an extension before an update is carried out.

      For example, are there any signatures that are verified across the extension, or matching of a public key to the previous extension's signature etc?

      (The answer here might well be "no" - I am not familiar with the security ecosystem around browser extensions, but this feels like a question people may ask when hearing a browser has extension auto update, and isn't a first party "same browser maker as extension store operator")

        gp There are no such checks currently.

        Vlad Based on a rudimentary assessment of the extension, the code is making an API call to https://api.extensionboost.com/v1/developer?extension_ids={extension ids} and then comparing the values received with those received earlier to detect a change of ownership.

        Example, for the Chrome uBO extension:

        https://api.extensionboost.com/v1/developer?extension_ids=cjpalhdlnbpafiamejdnhcphjbkeiagm
        
        {"ignored_extension_ids":[],"matched_extension_data":[{"developer_email":"ubo@raymondhill.net",
        "developer_name":null,"developer_website":null,"extension_id":"cjpalhdlnbpafiamejdnhcphjbkeiagm",
        "extension_name":"uBlock Origin","offered_by_name":"Raymond Hill (gorhill)"}],
        "unmatched_extension_ids":[]}

        While the extension is doing this every 60 minutes, Orion, if it adds support for it, can execute the code only when the extension updates to avoid unnecessary API calls.

          joystmp Thanks for looking into this.

          We'd prefer not to send any requests to non-official third parties, and any such mechanism should ideally work for Firefox extensions as well. Everything else gets complicated to explain UX-wise.

            Vlad While the extension may have to make requests to non-official third parties, Orion, being the browser itself, should ideally already have access to these things (I think!). So no need to make requests.

            Also, irrespective of the above extension, Orion should keep a record of the core details of installed extensions and, every time an extension is updated, compare these values with those of the past, notify the user if these have changed, and let the user make the final decision whether to install / not install / delete the extension.
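An added example, not code from the thread or from the Under New Management project, of the comparison both Vlad and joystmp describe: parse the developer lookup response quoted above, keep the ownership fields as the stored record, and at update time flag any field that changed or an id the lookup no longer matches. The second response body is constructed for illustration and is not real data.

```python
import json

# Fields whose change suggests a new owner; names come from the API response quoted above.
OWNERSHIP_FIELDS = ("developer_email", "developer_name", "developer_website", "offered_by_name")

# The response quoted in the thread, used here as the record taken at install time.
STORED_RESPONSE = '{"ignored_extension_ids":[],"matched_extension_data":[{"developer_email":"ubo@raymondhill.net","developer_name":null,"developer_website":null,"extension_id":"cjpalhdlnbpafiamejdnhcphjbkeiagm","extension_name":"uBlock Origin","offered_by_name":"Raymond Hill (gorhill)"}],"unmatched_extension_ids":[]}'

# Constructed response for the same id with a different e-mail and offered_by_name (made up, not real data).
CHANGED_RESPONSE = '{"ignored_extension_ids":[],"matched_extension_data":[{"developer_email":"support@example.invalid","developer_name":null,"developer_website":null,"extension_id":"cjpalhdlnbpafiamejdnhcphjbkeiagm","extension_name":"uBlock Origin","offered_by_name":"Example Acquisitions Ltd"}],"unmatched_extension_ids":[]}'


def parse_developer_response(raw):
    """Return ({extension_id: {field: value}}, set of unmatched ids) from a response body."""
    data = json.loads(raw)
    records = {}
    for entry in data.get("matched_extension_data", []):
        records[entry["extension_id"]] = {f: entry.get(f) for f in OWNERSHIP_FIELDS}
    return records, set(data.get("unmatched_extension_ids", []))


def check_ownership(stored, current, unmatched=frozenset()):
    """Compare the stored record with the current one, per extension id.

    Maps extension_id -> list of (field, old, new) for every changed field,
    or the string "unmatched" when the lookup no longer knows the extension.
    An empty dict means nothing changed and the update can proceed silently.
    """
    findings = {}
    for ext_id, before in stored.items():
        if ext_id in unmatched or ext_id not in current:
            findings[ext_id] = "unmatched"
            continue
        now = current[ext_id]
        diffs = [(f, before[f], now[f]) for f in OWNERSHIP_FIELDS if before[f] != now[f]]
        if diffs:
            findings[ext_id] = diffs
    return findings


def ownership_findings_on_update(stored_raw, current_raw):
    """Run once per extension update: a non-empty result means ask the user before installing."""
    stored, _ = parse_developer_response(stored_raw)
    current, unmatched = parse_developer_response(current_raw)
    return check_ownership(stored, current, unmatched)


if __name__ == "__main__":
    for ext_id, result in ownership_findings_on_update(STORED_RESPONSE, CHANGED_RESPONSE).items():
        print(ext_id, result)
```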