Someone pointed me to this paper: http://www.cse.chalmers.se/research/group/security/publications/2017/extensions/codaspy-17-full.pdf

ABSTRACT

Browser extensions provide a powerful platform to enrich browsing experience. At the same time, they raise important security questions. From the point of view of a website, some browser extensions are invasive, removing intended features and adding unintended ones, e.g. extensions that hijack Facebook likes. Conversely, from the point of view of extensions, some websites are invasive, e.g. websites that bypass ad blockers. Motivated by security goals at clash, this paper explores browser extension discovery, through a non-behavioral technique, based on detecting extensions’ web accessible resources. We report on an empirical study with free Chrome and Firefox extensions, being able to detect over 50% of the top 1,000 free Chrome extensions, including popular security- and privacy-critical extensions such as AdBlock, LastPass, Avast Online Security, and Ghostery. We also conduct an empirical study of non-behavioral extension detection on the Alexa top 100,000 websites. We present the dual measures of making extension detection easier in the interest of websites and making extension detection more difficult in the interest of extensions. Finally, we discuss a browser architecture that allows a user to take control in arbitrating the conflicting security goals.

The new version of our verification extension should not be detectable using this technique.

Uzair: do you want to look into this as you're in the process of rewriting a good share of the code of our extension?

_______________________________________________
Tails-dev mailing list
[email protected]
https://mailman.boum.org/listinfo/tails-dev
To unsubscribe from this list, send an empty email to [email protected].
