this post was submitted on 16 Jul 2026
25 points (100.0% liked)

Privacy

10338 readers
343 users here now

A community for Lemmy users interested in privacy

Rules:

  1. Be civil
  2. No spam posting
  3. Keep posts on-topic
  4. No trolling

founded 3 years ago
MODERATORS
 

Sorry if this is a dumb question, I'm not a tech/IT person and am very early in my privacy journey.

I was going to install a web clipper browser extension that works with a notes app I'm trying out, but the installation page says it isn't actively monitored for security by the organization behind my browser. The extension requires access to your data for all websites. However, the page also says that they don't share data with any third party and don't have access to this data themselves. What level of privacy risk am I taking on with this extension?

top 14 comments
sorted by: hot top controversial new old

I check if it's open source. If I can't find the source code, it's automatically a no go.

Of course, even if it is open source, that's not enough. Sometimes I delegate less trustworthy browser extensions to separate browser profiles, which are isolated and can't read eachothers data.

Afaik, any browser can save a webpage as a pdf without an extension. Best practice is to go with a single extension - uBlock Origin.

[–] blight@piefed.blahaj.zone 6 points 1 day ago (1 children)

By the number of stars on their git repository. I would never, ever, install an extension that's not open source.

[–] CorrectAlias@piefed.blahaj.zone 1 points 16 hours ago

You can use stars, but I still don't trust that metric alone, personally. I also check the recent issues and make sure that normal users are reporting bugs, and also that the closed issues aren't trying to mask vulnerabilities or malicious findings from other users.

[–] blah3166@piefed.social 3 points 1 day ago

The real danger is in extensions that are safe to use but later get sold and updated to spy on you with the same permissions you've already granted.

Best practice, as someone else already mentioned, is to use as few as possible and only those you trust or have wide community trust to help extend your own trust.

Extensions I trust/use:

  • uBlock Origin (by Raymond Hill AKA gorhill on Github)
  • Snowflake (by the Tor project) doesn't require any permissions.
  • SingleFile (by gildas-lormeau on Github)
  • Firefox Multi-account containers (by Firefox, obviously)
  • Dark Reader (by the Dark Reader Project)
  • Wayback Machine (by the Internet Archive)
[–] artyom@piefed.social 4 points 1 day ago

Checking if it's open source is step #1. If it's not, there's really no way to verify if it's private because there's no way to know what it's doing. Another thing you can do is analyze the web traffic with something like Wireshark. Theoretically a web clipper shouldn't need to access any remote servers.

[–] neutronbumblebee@mander.xyz 3 points 1 day ago (1 children)

It's disappointing but some nation state sponsored attackers are either adopting useful addons or creating them from scratch. After they have a sufficient base of trusting users they update the addon to add spying code that activates for a group of accounts possibly targeted by geolocation. The vast majority of users are not even affected. So with that going on it's hard to be certain of an addons quality.

I'd consider where the addons are hosted. Firefox and Chrome both allow reviewing existing addon permissions so disable when not required or split into risk level profiles for personal vs work vs anon browsing.

[–] frongt@lemmy.zip 0 points 1 day ago

That mostly happens with ad injection and credential stealing. I'm sure the kind of attack you describe happens, but it's not relevant for most people.

[–] IndianaJones@lemmy.zip 2 points 1 day ago (1 children)

Check the extension's privacy policy (usually linked on the installation page). If there's anything you don't like, don't use the extension :)

[–] CameronDev@programming.dev 0 points 1 day ago* (last edited 1 day ago) (1 children)

Privacy policies are entirely voluntary. No one validates them, they are meaningless.

Edit: For anyone who thinks this is wrong, feel free to explain your reasoning. I have written two privacy policies for 2 separate apps, neither of them realistically restrict what I can do with the data that I manage. All google and discord care about is that the policy exists, they don't verify that I am following them. Anyone with malicious intent isnt going to be affected by a privacy policy.

[–] IndianaJones@lemmy.zip 1 points 18 hours ago (1 children)

True, however, if it turns out (ie gets leaked or proven) that this company doesn't follow their Privacy Policy, it is a very bad look for them and subjects them to fines (or other punishments) from DPA's.

[–] CameronDev@programming.dev 1 points 18 hours ago (1 children)

Malicious actors simply don't care about that though. They are either small fly by night operations that will just phoenix and restart under a new name, or they are huge like google, who have the resources to turn the fines and punishments into slaps on the wrist.

Privacy policies only hold honest operations to account, everyone else is free to do what they like.

[–] IndianaJones@lemmy.zip 1 points 17 hours ago

Google has everything that they do listed in their Privacy Policy, you may not like it but its all in there. A small malicious company might not care so much indeed.

[–] frongt@lemmy.zip 0 points 1 day ago

How sketchy it seems, and whether it has appropriately-scoped permissions. I'm too lazy to unpack an extension and analyze it.