
I know this is off topic, but how do people assess the risks of installing an extension like this? The permissions allow "access your data for all websites" which includes reading passwords you type into fields. This extension looks very useful, but in general I just don't know how to trust it.


Thanks for the comment. It's a valid concern.

Chrome and Firefox have a review team for their extension marketplace, though I believe there are instances of malicious extensions getting through anyway.

And while rather labor intensive, another path toward vetting is examining the source code. I haven't obfuscated it, and Googling for "view extension source code" has many results.

And for what it's worth, I can give an assurance that I'm not a bad actor.

Maybe relevant: https://www.cs.cmu.edu/~rdriley/487/papers/Thompson_1984_Ref...


If you update the extension does it automatically update for the users or does the user have to manually install the update?

Regardless I love the idea of this.


There's an option in Firefox to disable auto-updates for an extension.

Not as easy in Chrome, but there are ways to do it. For example, here's one: https://groups.google.com/a/chromium.org/g/chromium-extensio...


> Chrome and Firefox have a review team for their extension marketplace

Has this Firefox extension been reviewed? Because most don't get reviewed.


I hit the same problem, however it does attempt to explain why it needs each permission:

    Download files and read and modify the browser’s download history — Required to export data.
    Store unlimited amount of client-side data — Required to save sticky note data locally.
    Access your data for all websites — Required to load sticky notes on any page.


For note taking I'd only ever use extensions with no permissions needed. "Tagged notes" is an example of a good, simple notes extension for Firefox.

If I need sync, I'd prefer not to rely on the extension for that. Why would I pay for my own cloud service AND a separate payment for random apps that use their own sync? Most people have their own online storage, and should always be the number 1 way to backup things like personal notes.


I appreciate the comment.

In my mind, the sync feature for this app is less about backup and more about maintaining a single instance across multiple computers/browsers.


If it is a well-known extension I will trust it, but often I find myself extracting the extension and looking at the "source code" if it is not open source.


I only install extensions that either have low permissions or are blessed by Firefox.

uBlock Origin is the only "access your data for all websites" extension I use.


So what if it reads your passwords if it has no network permission to exfiltrate?


FYI extensions don't need a network permission to make network requests.
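
Added example, not part of any comment above and not the extension's own code: the manual vetting several comments describe (unpacking the package and reading what it asks for) can start with the manifest. This sketch splits a WebExtension manifest into API permissions and host patterns and flags all-site access; the sample package is constructed, its permission names are assumed to correspond to the three prompts quoted in the thread, and `manifest.json` is assumed to be plain JSON.

```python
import io
import json
import zipfile

# Patterns that cover every site; Firefox words this as
# "Access your data for all websites".
BROAD = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}


def is_host_pattern(entry):
    return entry == "<all_urls>" or "://" in entry


def audit_manifest(manifest):
    """Split requested permissions into API names and host patterns,
    collect content-script targets, and flag all-site access."""
    # "host_permissions" is the Manifest V3 key; V2 mixes both kinds in "permissions".
    requested = manifest.get("permissions", []) + manifest.get("host_permissions", [])
    requested = [p for p in requested if isinstance(p, str)]
    hosts = sorted(p for p in requested if is_host_pattern(p))
    api = sorted(p for p in requested if not is_host_pattern(p))
    injected = sorted({m for cs in manifest.get("content_scripts", [])
                       for m in cs.get("matches", [])})
    # Manifests have no "network" permission, so its absence from
    # api says nothing about whether the extension can send data out.
    return {"api_permissions": api, "host_patterns": hosts,
            "content_script_matches": injected,
            "all_sites": any(p in BROAD for p in hosts + injected)}


def audit_package(data):
    """Audit an .xpi (a plain zip archive) supplied as bytes."""
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        return audit_manifest(json.loads(z.read("manifest.json")))


def sample_xpi():
    """Constructed package; permission names are assumed to match the
    three prompts quoted in the thread, not taken from the extension."""
    manifest = {"manifest_version": 2, "name": "sample-notes (constructed)",
                "version": "0.0.0",
                "permissions": ["downloads", "unlimitedStorage", "<all_urls>"]}
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("manifest.json", json.dumps(manifest))
    return buf.getvalue()


if __name__ == "__main__":
    print(json.dumps(audit_package(sample_xpi()), indent=2))
```

An `all_sites` result of true only tells you where the extension's scripts may run; what they do there still has to be read from the bundled source.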



