GooglePlus denizens (Google+rs? gplusies? gah…) learned yesterday that the Google+Facebook and Google+Twitter extensions are malicious. Days earlier, I had decided not to install Google+Facebook when I first heard about it on Susan Mernit’s stream. I shared my concerns on Susan’s post. Susan sent out an additional post specifically to warn folks. Between us we helped at least some folks avoid the onerous process involved in eradicating all traces of the extensions once installed.
I want to share with you what I wrote in that comment. My goal is skills development: to help folks learn how to choose wisely about when to install a plugin / extension / add-on. (A note on terminology: Developers have secret meetings to come up with more words for what is essentially the same thing! Then we laugh ourselves silly at the thought of everyone else trying to understand the differences and go out for snacks. In this post I use the terms interchangeably to advance our master plan.)
I am concerned about privacy / security issues with this extension. As with any extension from a provider I do not know, I checked to see if it was listed through the browser’s own interface. For those who might not already understand the significance of this step: extensions go through a vetting process to get listed. I could not find Google+Facebook on the Chrome repository.
When I went through the first few steps on Chrome to see what the installation interface would tell me, I got:
Install this extension? It can access:
- your data on all websites
- your tabs and browsing activity
- your list of installed apps, extensions, and themes
In order of reasonableness:
- Tabs and browsing activity is a must for what it does.
- It does not need access to all websites. It is possible to restrict that access to facebook.com (and subdomains) and google.com (and subdomains) and many well written extensions these days do just that. What’s more, because restricting scope is not uncommon, the code is not hard to get.
- I could hypothesize reasons for the third, but in light of the rest of the information, I decided that this extension was way over the line.
I would rather they took a week to code something solid and respect my privacy and security needs.
A few comments about my comment (sorry, could not resist):
- It is not always the case that you should avoid an extension that is not listed on your browser’s official repository, nor is being listed on the official repository enough for you to just trust an extension. If an extension is not listed in the official repository for every browser it is released on, however, don’t install it until:
  - you have researched it, or
  - you check with a trusted tech savvy friend.
- The second point I just made is very, very important. Just because an add-on is listed in the browser’s official list of add-ons does not mean it is safe! In addition, acceptable behavior for add-ons changes over time. In a collaborative coding environment, problems get solved and the solutions become available. Anyone who continues to treat the problem as unsolved becomes questionable. Either they don’t know very much, in which case you should not trust them with your safety, or they are hoping you don’t know very much, in which case you should not trust them with your safety. In this case, the code to restrict a Chrome extension’s access to select domains is out there, so granting an extension access to all domains is not reasonable for the vast majority of extensions. Again, don’t install until:
  - you have researched it, or
  - you have that tech savvy friend to hand or on call.
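To make the install-prompt reasoning above and the "restrict access to select domains" point concrete, here is a small added example (my own illustration, not code from this post or from either extension): a Python script that reads a Chrome extension manifest and reports which entries would produce the broad warnings quoted earlier. The two manifests are constructed for the demonstration, the extension name is made up, and the mapping from the `tabs` and `management` permissions to the prompt wording is an assumption modelled on Chrome's permission warnings. The `host_permissions` key is Manifest V3's later home for host patterns and is read alongside the older `permissions` list.

```python
import json

# Non-host permissions surfaced in the install prompt quoted in the post.
# Mapping to the prompt wording is an assumption for this example, modelled
# on Chrome's permission warnings, not copied from the extension itself.
PERMISSION_WARNINGS = {
    "tabs": "your tabs and browsing activity",
    "management": "your list of installed apps, extensions, and themes",
}


def host_patterns(manifest):
    """Collect host match patterns from a manifest.

    Older manifests mix hosts into "permissions"; Manifest V3 moved them to
    "host_permissions". Both keys are read so the check works on either.
    """
    patterns = []
    for key in ("permissions", "host_permissions"):
        for entry in manifest.get(key, []):
            if entry == "<all_urls>" or "://" in entry:
                patterns.append(entry)
    return patterns


def is_all_sites(pattern):
    """True if a match pattern grants access to every host.

    Chrome match patterns look like scheme://host/path; a host of "*"
    (or the special <all_urls>) matches every website.
    """
    if pattern == "<all_urls>":
        return True
    _, _, rest = pattern.partition("://")
    host = rest.split("/", 1)[0]
    return host == "*"


def audit(manifest):
    """Return human-readable findings for over-broad access requests."""
    findings = []
    for pattern in host_patterns(manifest):
        if is_all_sites(pattern):
            findings.append(f"access to your data on all websites via {pattern!r}")
    for perm, warning in PERMISSION_WARNINGS.items():
        if perm in manifest.get("permissions", []):
            findings.append(f"{perm!r} permission: {warning}")
    return findings


# Constructed manifests for demonstration; neither is a real extension's.
# This one asks for exactly what the post's install prompt complained about.
BROAD_MANIFEST = json.loads("""{
  "name": "example-social-bridge",
  "version": "0.1",
  "manifest_version": 2,
  "permissions": ["<all_urls>", "tabs", "management"]
}""")

# The scoped alternative the post argues for: only facebook.com and google.com
# (with subdomains), plus tabs, which the feature genuinely needs.
SCOPED_MANIFEST = json.loads("""{
  "name": "example-social-bridge",
  "version": "0.2",
  "manifest_version": 2,
  "permissions": ["*://*.facebook.com/*", "*://*.google.com/*", "tabs"]
}""")


if __name__ == "__main__":
    for label, manifest in (("broad", BROAD_MANIFEST), ("scoped", SCOPED_MANIFEST)):
        print(f"{label}: {audit(manifest) or ['no broad access requested']}")
```

Run it against a manifest pulled from an extension's .crx or unpacked folder and the broad version reports all three warnings from the prompt, while the scoped version only reports `tabs`, which is the one permission the post judged reasonable for this feature. The `*.facebook.com` pattern matches facebook.com itself as well as its subdomains, so scoping costs the extension nothing it legitimately needs.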
So, how do you research these things? You say it is a swamp out there and you are not a security geek? Neither am I! Geek, yes, security, no. You don’t have to be either. Sophos’s nakedsecurity is a terrific place to start researching this sort of thing. Research until you run out of time, energy, brain cells, or you figure it out… and remember that you will eventually make a bad call whether you decide for yourself or take an expert’s recommendations, so if you don’t have an automated backup system, get one now. What, do you run with scissors, too?
thanks for listening,