HOW Browser Extensions Steal Your Data

  • Published: 19 Oct 2024

Comments • 316

  • @taurusmoore5532 1 year ago +11

    Funny thing, my company is big on extensions on chrome and I would literally tell them not to do so because of the APIs and them possibly tracking your data. Even when you don’t clear your browsing history, that data is still vulnerable in some way! Once again, thank you so much, Naomi! You are a hero and I am such a huge fan!

    • @IARRCSim 1 year ago +1

      They probably won't change those bad habits until they get sued for breaching their customers' data or until they get ransomware attacked. Make sure you don't start acting like them because when they get a serious breach or attacked, they could change their tune completely and try blaming or even suing employees for installing questionable software and extensions. Some naive people have a tendency to look at habits that increase their vulnerability and the absence of known bad consequences as encouragement to become even more vulnerable. If they don't know about criminals slowly building up lots of data and planning a profitable attack, they just install another plugin, don't update their vulnerable software. Equifax is no different which is why they got breached in 2017 along with most Americans who had their personal information at Equifax.

  • @therealb888 1 year ago +10

    1:00 "The trust you place". This (trust) is the core of everything privacy & is by every measure applicable to open source too, just like the ChatGPT for Google extension.
    18:52 That's the advice I hate the most. Telling people to use "reputable sources" is one of the worst cliche pieces of advice without telling how to evaluate "reputation" or "trust". This is especially a problem since privacy communities are against antiviruses. Fortunately this video does a great job at mentioning factors for reputation.
    20:20 I can't thank you enough for advising *not* to trust open source blindly.

    • @NaomiBrockwellTV 1 year ago +5

      Absolutely, trust is essential.
      People can't trust by analyzing code themselves. We need to rely on companies that are well known that have large communities around them that are scrutinizing the product. That's what is meant by reputable.

    • @therealb888 1 year ago +4

      @@NaomiBrockwellTV I absolutely agree with that. But what do you do when you don't have large communities & well known companies that have analyzed the code for the open source project you need?
      Just as with these browser extensions, there is a mountain of FOSS apps that people need but are not analyzed. How many of the FOSS Android apps we use have large developer or security capable communities, let alone have their code analyzed?
      We need to reduce the reliance on trust. We need to rely on least trust & most verification by design. Whether it's reproducible builds, strong E2EE, *zero knowledge approaches*, certs & signing, etc.
      Above all, we need to make analyzing code easier, empower as he said in the video. Something I hope AI can be very helpful with.
      As the saying goes, trust but *verify*

  • @Quarky_ 1 year ago +9

    You consistently make videos about the inconvenient truths about today's internet! Hats off!

  • @siddharthaghosh191 1 year ago +121

    Videos like these have given me the Legend Status in my friend circle. People think I am some geek. All thanks to Naomi who makes an average Joe like me a Privacy Superman

    • @NaomiBrockwellTV 1 year ago +15

      I love this :)

    • @tokiwartooth4404 1 year ago

      What a foolish simp. Wow.. If you want privacy disconnect from the net and sell your "smart"phone. Never leave your home because of the CCP style camera surveillance state around the globe now. Never visit a restaurant for example because they are recording you without consent. Punishing paying customers.
      Of course this milquetoast YT channel for kids will never tell you the hard truths. She's trying to convince you to sign up to her site so she can sell your data 🤣

    • @nemtudom5074 1 year ago

      You should remember that she's just an average jane to people like Matt.
      She presents the information from researchers to us, she just does it to a lot more people than any of us

  • @tonybush4615 1 year ago +49

    I've been a software/network engineer for 25 years, and I've long said extensions would become the new toolbar apocalypse.

    • @coolinmac 1 year ago

      And you’re wrong

    • @tonybush4615 1 year ago +2

      @@coolinmac If you say so, Gomer. I mean it's not like every browser has 5 or more extensions installed or anything. Oh, wait...

    • @djtomoy 1 year ago

      Incorrect

    • @YouilAushana 1 year ago +1

      Any good ways to check incoming and outgoing traffic? How can I find the browser traffic in Wireshark, tcpdump, sockets in Linux?

    • @userktv 1 year ago

      Is Mozilla Firefox hardened any good? Is Tor or Brave better?

  • @tonyscaminaci7959 1 year ago +3

    Thank you for bringing this to light Naomi. I had no idea extensions had such malevolent abilities.

  • @shaunpatrick8345 1 year ago +60

    People should use different browser profiles for different purposes, and severely limit the extensions they install in a profile dedicated to critical tasks such as online shopping or banking. Brave Browser is ideal for this because it lets you create and sync a profile without an email address - it uses a long passphrase instead of a username and password. And Brave has ad-blocking built in so users don't need to trust extensions to do that.

    • @floenele8892 1 year ago +1

      Advantages over Librewolf?

    • @dakoderii4221 1 year ago +1

      You can segment them with different profiles? That's good to know. I've been using entirely different browsers for some extensions that are helpful in web development.

    • @SuperWolfkin 1 year ago +3

      Oh, I'm a huge fan of Firefox for its multi-container aspects. Even beyond privacy it's super useful for isolating different online personas or tasks. Unless you go full Snowden, tracking is gonna happen, but containers really allow you to isolate some aspects of tracking really effectively.

    • @invisableobserver 1 year ago +2

      Brave is owned by Google, so they cannot be trusted

    • @Maleko48 1 year ago

      portable browser installations are convenient for compartmentalizing browsing for the average user and require no knowledge of VMs / CTs etc.

  • @jozsefizsak 1 year ago +14

    Wow, that's an eye-opener. I only use a handful of extensions now because of security concerns but that may still be too many. But of course XUL extensions were dangerous but the current Chrome APIs are completely safe. So much for having complete faith in Firefox to always tell the truth.

    • @borisyeltsin6606 1 year ago +1

      It's surprising that despite this (and not to mention the astronomically larger market share of Chrome) Firefox has a healthier selection of notable open-source extensions to the point that I have far more extensions on Firefox than Chrome and 100% are open source

  • @BohdanBrailov 1 year ago +5

    Good reminder. Just started to review my privacy and security approach and this is a good idea to pay some attention to why I use extensions

  • @namenlosNamenlos 1 year ago +2

    Wow! I didn't realize that browser extensions have predatory permissions just as much as smartphone apps. I'm more aware because of this video. I'll think multiple times with discernment before installing. Big thanks!

  • @anon_y_mousse 1 year ago +18

    For non-developers, you have no real choice but to just not use extensions. As a developer I at least have the ability to audit the underlying code of each extension because they're written in JavaScript and I can just open it up and look at it, whether they claim to be open source or not. Even the minified and obfuscated extensions are still technically source available, so a simple prettifier program can aid in reading the code. If you can't tell what it's doing, don't use it, and if you don't have time to audit it, if you're even a developer, then don't use it. There are a lot of extensions out there and nearly all of their functionality *should* be built into the browser, but browsers are so large and complex these days that such features never get added and everything runs slower. There's simply not enough data on screen at any given point to justify the memory usage that most have, and websites don't do enough to justify it either. Technology is really going backwards because too many developers have eschewed optimization and it makes me angry.

    • @DigitalNomadOnFIRE 1 year ago +1

      You could easily miss something or not know what it's doing.

    • @anon_y_mousse 1 year ago +1

      @@DigitalNomadOnFIRE Indeed. No method is foolproof, and no person is perfect. However, it gives me better odds than someone that doesn't know how to program. I only use two extensions, and the functionality of both *should* be built into the browser. I would advise that if you can't audit what you're using, don't use any.

    • @Playerone1287 1 year ago

      @@anon_y_mousse bro please help me, answer these questions -
      1) - would it help if I disable them while doing some important work
      2) - would using incognito mode be any help
      3) - is there anything on how to use extensions safely, like some tips, since you're a developer
      Please help bro

    • @anon_y_mousse 1 year ago

      @@Playerone1287 If you're trying to keep things secret, don't use Chrome. Firefox is better although not perfect. Second, don't use extensions at all. If you find that you need the functionality provided by an extension, then all you can do is hope that it's trustworthy because unless you can read its code you're screwed.

    • @Playerone1287 1 year ago

      @@anon_y_mousse so using incognito and disabling extension doesn't do any help at all???
      Thanks for replying

  • @BabySaturday 1 year ago +4

    Hi Naomi,
    I just discovered your channel and been binge watching your videos! I have purchased your book but would you ever consider putting together a course teaching people how to protect themselves online? I'm sure most of your subscribers would be interested in something like that. Keep up the good work! 👍

    • @NaomiBrockwellTV 1 year ago +2

      Stay tuned as it's in the works for later in the year

    • @BabySaturday 1 year ago +1

      @@NaomiBrockwellTV Awesome!

    • @gebali 1 year ago +1

      @@NaomiBrockwellTV People like you, Shannon Morse, Guy@CoinBureau and Louis Rossmann do the online community a great service.

  • @danielja1832 1 year ago +2

    Thanks for keeping us all informed. Great work, as always!

  • @DrorF 1 year ago +1

    Awesome video! 👏
    This was actually something I was wondering about. Thank you, Naomi.

  • @armandaneshjoo 1 year ago +2

    Best security video I've ever watched.

  • @davocc2405 1 year ago +1

    God Mz Brockwell - you really are keeping me up at night here.... The more I see of the browser the more it genuinely scares me, especially that protection seems to be focused on lawsuit mitigation and stopping theft of lucrative data that's valuable to the browser creator (thinking location data) first and foremost, the more use-risk stuff is more flippantly managed.
    I feel this risk is even greater too with the obsession major ERP makers (e.g. SAP) have had with moving to a browser based interface over their proprietary GUI. "oh I know, let's put the entire corporate ERP interface onto the same application people use to browse Pornhub or Silk Road!". I doubt the conversation went quite THAT way but I do know it was swayed by a desire to let trendy looking middle managers approve leave requests on their corporate iPads while waiting for a meeting to start.
    Your reference to the LTT breach was timely, also intensely irksome are the supply chain attacks going on - the ones you hear about (Solarwinds, etc.) are probably dwarfed by the ones that were quietly hidden away and not publicised too. This extends to cloud service supply chain attacks - such as major providers being infiltrated, major clients of those services keep equally quiet about the breaches in their supply chain lest they be dragged into a public scandal as well.
    The more I see the more the old conservative principles of zoning, containment, least privilege and perhaps now isolated-purpose dedicated literal and virtual infrastructure may be the way forward; compartmentalisation and severely restrained flexibility will probably be what happens, particularly as the world seems to be drifting to wider scale war sadly.

  • @martinwalker3088 1 year ago +1

    Wow. I learn so much from you Naomi it's really fantastic. I had no idea about the problems with idle tabs. Thank you again so much for the information. You are brilliant!!

  • @rhinoreign1324 1 year ago +1

    I always knew... just never thought of it in such great depth. Thanks for sharing the information and I hope many will benefit from this or at the very least think twice before simply granting access.

  • @wjbmvnyw 1 year ago +6

    The fact that a transfer of ownership doesn't trigger a warning is a huge flaw in the Chrome Web Store. I can't think of any good explanation to justify not showing a warning. Given how Google positions itself as serious about protecting against bad extensions, I would like to know their official explanation for not showing such warning.

  • @peterschmidt9942 1 year ago +3

    Probably why it's a bad idea to keep any old plugin or extension running that you don't use anymore. Unfortunately it's very hard to fully trust any extension as Firefox and Chrome don't actively monitor their add-on extensions.
    That's why it's probably better to have at least two browsers - one for general browsing (with your useful extensions) and one without any extensions running for more secure use (like banking and shopping).
    And as you mentioned when a site generally asks for your location permissions or notifications generally select no.

  • @mahakleung6992 1 year ago +1

    Excellent. Another topic to which I gave little consideration. Thank you.

  • @Daniel-bb5py 1 year ago +1

    Great video! very good explanation about the risk of adding them.

  • @dot_dot_pwn2650 1 year ago +43

    Naomi you're awesome! Gorgeous, intelligent and I love how much you're obsessed with privacy, security and technology! Keep it up, I love watching!

    • @HxTurtle 1 year ago +3

      thank you for writing this, so I didn't have to 👌

  • @viktormedina4631 1 year ago +1

    Always thank you very much, Naomi! Much respect

  • @jojoss 1 year ago

    thanks a lot for the subtitles. Great video as always

  • @cindypendulot863 1 year ago +3

    So informative ^^ thank you so much

  • @FreerunMediaService 1 year ago +5

    It's like the old fashioned toolbars. Everyone was installing them because they want to search. At the moment I only have 2 extensions running, Ghostery and Adblock Plus. And always block pop-ups and messages and even location service if one site wants it. I mean why should a supermarket need a location service if you need to put the credentials in later on? I try to be as safe as possible ;-)

  • @tomfromoz 1 year ago +1

    Very well put together and informative video, liked and subscribed.

  • @SaintMatthieuSimard 1 year ago +4

    Basically, a developer creates "You can Trust me" addon, and gets a public that appreciates that trustworthiness... Then sells it to the first conman who throws enough shinies at their face and bam, customers have been fooled once more. If the former developer was so trustworthy, he wouldn't have sold it at all to begin with. This world functions on trust. When the trust is gone, everything goes to ruins.

    • @FruityHachi 10 months ago +1

      "it's legit, trust me bro"

  • @shocknawe 1 year ago

    Yup.
    I research so much before downloading extensions.
    Edit: positive Snowden poster? Here, have an extra like.

  • @Iffythegreat 1 year ago +1

    Had an extension hijack my search queries. Didn’t realize that it was this easy

  • @Salim-px8bm 1 year ago +2

    Super informative video
    Thanks Naomi 🙏💛

  • @drakezen 1 year ago +2

    Great channel! Really good topics covered here

  • @JHAG94 1 year ago

    Very informative and well put together video. Thanks

  • @leonidd00 1 year ago +1

    Amazing content! Thank you very much Naomi!

  • @Novacification 1 year ago

    Finally someone highlights how ridiculous it is that MacOS hides its scrollbar

  • @animanaut 1 year ago +2

    Another underutilized browser feature is profiles, which help to compartmentalize which extensions are needed for a given (profile) context

  • @WombatOfWimbledon 1 year ago +2

    Number one piece of advice for users from a web developer: "If you're not paying for a product, you _are_ the product."

    • @FruityHachi 10 months ago

      Even when you pay for a product, you are still the product since Apple, Microsoft, VPNs etc. collect your data even when you paid them for the product/service

  • @zoomingby 1 year ago

    So glad browsers really take the time and care to educate users on this stuff. /s

  • @godalfred2266 1 year ago +1

    Miss Naomi, thanks 🙂 for spreading awareness for privacy...
    Please also make a video on decentralised solutions.... I mean decentralised/Web 3 alternatives to Google services....... can it be good for privacy....?

  • @jock-of-ages73 1 year ago +5

    Data mining information had a market number of £162.6 Billion in 2021, it's estimated to be worth £273.4 Billion in 2026.
    These amounts show partly why this is happening, money 💰 🤑 💸!
    The even more nefarious side to it is the freedoms that are lost.

  • @zxuiji 1 year ago +1

    I think the best solution is for browsers to instead of requesting to enable permissions should:
    1. Enable them by default
    2. Give a popup whenever something related to a permission (such as event capture) is attempted by the extension
    3. These popups should not allow permanent override until a user set number of popups have been triggered and allowed CONSECUTIVELY, say for example 100 times by default
    4. Extensions should NEVER be allowed to query that number of popups, an attempt to do so in any way (such as loading the file that contains it via another api)
    5. The file that contains the popup count and any other position can be in javascript but it MUST have a "magic number" at the top that only that install of the browser would recognise (such as build number etc being used to generate invalid code of length related to the build)
    I say "user set" & "allow permanent override" on that 3rd one so that extensions can't just pretend to be safe for X attempts then go nuts when the permanent permission is given since by making the count arbitrary and the permanent permission override non-automatic they'd have to guess if it was given which means it'd be so much more difficult to abuse permissions.

    • @Warlock_UK 1 year ago

      Popup fatigue would break that unfortunately. After a while people just click accept without even realising what they're ok-ing, and it risks that fatigue moving over to illegitimate plugins.

    • @zxuiji 1 year ago

      @@Warlock_UK Just require they answer a complex math question 1st then :)

  • @Alexandergmc 1 year ago +3

    Thank you Naomi!

  • @yalidoletupua9530 1 year ago

    Bula Vinaka, Naomi! Greetings from Fiji. Thank you for your kind informative words.
    I use multiple browsers. One browser may be used for more private tasks, while others may be used for tasks where no personal information is exchanged. I find it helpful in keeping personal information safe and secure.
    If I suspect that an extension is lurking where it should not, I remove it immediately. I warn others about such extensions on Twitter so that others may avoid or verify them. I wonder if my method is reasonable or if there is still a way around it?

  • @steveforbes6363 7 months ago +1

    Stumbled on this after an extension was asking for access to debugger background. Didn't expect a rabbit hole. Something you should tack on to the end of the video is if people do have extensions installed, they should at the very least switch all of them to access on click instead of the default access to all websites. I was going over all my extensions as I was watching the video, majority had access to all sites... very concerning. So, yea, anyone reading this. Change access to on click. You only need to click it once, and the access will persist on that site. But you won't be giving them access to all sites like banking or FB, unless you say otherwise.

  • @kenroyarscott863 1 year ago +2

    As always thank you for the tips and the information of today that will educate us young people and most vulnerable to cyber attacks across the web and how to avoid being the next victim.🎉 Peace.

  • @alwaysprepared 1 year ago +3

    Is there any website or service which keeps track of what extensions are or may be problems?? It's all very well to alert folks to install only extensions they trust, but without some source of reliable information, how would a typical user know what to trust??

    • @NaomiBrockwellTV 1 year ago +2

      nope! So my advice would be to not install any unless you have been explicitly told by someone you trust and who has the knowledge necessary to make this assessment that it's safe.

  • @shadow.banned 1 year ago

    I have decided to download and install ALL THE EXTENSIONS.

  • @nathanhallisey441 1 year ago +1

    Love the ending.

  • @sanderson462 1 year ago

    Great video very helpful. Thanks

  • @unqSeth 1 year ago +1

    stupid question, but what extensions do you personally use? thanks...

  • @Matias-fl6ui 1 year ago +1

    I knew something was going on with the laptop when the page changed from (1) to the other PLACE. Thank you.

  • @DavidLindes 1 year ago +1

    Yeah, this is why I haven’t installed a tab manager, much as I could use one… I started work on writing my own, which then at least I can trust. Hopefully I’ll get back to that project one day, and get it to a state of being useful.

    • @asumazilla 1 year ago +1

      You can close the browser occasionally, you don't need all those tabs.

    • @DavidLindes 1 year ago +1

      @@asumazilla heh. Yeah, I probably don’t. But… but… but…. ;)

    • @asumazilla 1 year ago

      @DavidLindes It's ok we all forget sometimes.

  • @arxaaron 1 year ago +1

    Is there any resource out there reporting and listing known "bad actor" extensions? Is there a short list of particularly problematic permission items?

  • @wngimageanddesign9546 1 year ago

    This is why you should only use the most widely used and reviewed extensions. If an extension is doing covert activity on your data and privacy, it would get exposed by the huge user base and review base. Always search online on any particular app or extension for info and reviews and red flags.

  • @AcidiFy574 1 year ago

    Have you made a comprehensive & easy to understand guide on Matrix ??
    It would be nice to have more guides

  • @xellaz 1 year ago +4

    I used to use Brave but it's Chrome-based and I don't want them to have a monopoly on browsers so I switched to LibreWolf which is Firefox-based. So far so good. I always knew browser extensions can easily be exploited that's why I limit my use of it and only use reputable ones. 😔

  • @miloradowicz 1 year ago

    There was a Firefox extension, that would supposedly hide the comments and recommendations bars on YouTube, but it would also inconspicuously like dozens of random YouTube videos and subscribe you to dozens of random channels. Most of them were South-East-Asian: Thai if I were to guess based on the script. Took me a while to figure out what was going on because it only started a couple of weeks after the installation.

    • @Look_What_I_Did 1 year ago

      Liar.

    • @FruityHachi 10 months ago

      Unhook? I installed it but disabled it since I wasn't using it, it's a shame that it's not trustworthy

  • @Edward-pw6zz 1 year ago +4

    Thanks for this awesome video Naomi!
    We all know what the best extension is... uBlock Origin B)

  • @BitcoinJason 1 year ago

    Awesome educational video Naomi

  • @AndrewMalcolmson 1 year ago +2

    While Linus Tech Tips was hacked after getting browser cookies stolen, it was done by a virus, not an extension.

  • @jim7953 1 year ago

    Question on your book, do you have it in Spanish or can it be purchased in different languages?

  • @darkshadowlight 1 year ago +2

    "NBTV" goes for the 300K very soon!...Naomi is on 🔥

  • @adegbenroagoro5180 1 year ago

    Thank you very much Naomi

  • @myentertainment55 1 year ago

    Amazing video.
    It is sad that the web is so much less secure than new Android and iOS.

  • @marshmallow_fellow 1 year ago +1

    Browsers really should have internet access be a separate permission for extensions. There's no reason a dark mode or YouTube screenshot extension should be able to access anything on the internet other than what's on the screen

  • @peatmoss4415 1 year ago

    This is a great "How to" video for bad guys! Thanks!

  • @indym375 1 year ago +1

    Sounds like the internet is at your own risk 😢😮😅 Thank u so much for the warnings ❤

  • @tigreonice2339 1 year ago +2

    I miss old internet, all safe and share

    • @trappedcat3615 1 year ago

      You mean when it was http only, when your ISP could watch in real time everything you do online? 😅

    • @tigreonice2339 1 year ago

      @@trappedcat3615 less phishing, scams, malware, keyloggers and so on, and less data analysis and data collect

  • @joec3390 1 year ago +3

    Hi Naomi, could you talk about whether extensions like Cookie AutoDelete and Startpage Privacy Protection are actually private or not? Having short, 2-4 minute videos talking about the privacy and security of individual extensions, apps, programs, Linux operating systems, etc would be helpful. Thank you for all you do!

  • @taurusmoore5532 1 year ago

    I do have a couple of questions: in regards to Chromebooks and to avoid extensions, is it possible to “Degoogle” a Chromebook to avoid having Chrome extensions? I figured I'd ask because if your device does not have it, your data cannot be taken advantage of at that point! What are your thoughts on this?

  • @TomSidProductions 1 year ago

    Show Notifications could mean literally anything, got it.

  • @Warlock_UK 1 year ago

    What would be great is if you can detect which extensions are installed and their permissions from JavaScript - though that could be open to some malicious misuse if they're not careful.
    Ideally then a banking website could determine if key listening is happening and refuse login.
    That, or categorise them into 'dev' and 'production' style extensions; so certain kinds of permissions can be deemed 'dev' only; all of your network traffic manipulation plugins etc and 'production' can only have a limited subset of permissions.
    Chrome in particular has too many handy permissions for debugging that are fairly dangerous out in the wild.

    • @mega_gamer93 1 year ago

      and what if you want to use one of the 'dev' features? ad blockers can't work without manipulating network traffic for example. The solution is a granular permission model, not disabling powerful (and useful) features

    • @Warlock_UK 1 year ago

      @@mega_gamer93 Well, there's the rub. You can expect production websites to block dev features. That's how you keep banking safe.
      Or at least have high/medium/low 'risk' permission categorisation so that things like banking can block to keep customers safe.
      Granularity is the problem, really, as people will just accept as the pages and pages of permissions will be redacted - that was the problem highlighted in this video.
      For adblockers... Well, the problem there is letting a plugin manipulate your data. As mentioned in the video, having adblockers means you *really* have to trust the author of the adblocker.
      However, there's no reason for (for example) video or music streaming sites to enforce high security. At least not until you go to the account page.
      Medium-level plugins should still be allowed, so your adblocker will still work as it lives in the same field as the (frankly terrible) Grammarly extension.
      Google need to work something out, because this shit is just a mountain waiting to collapse.

  • @TallTony27 1 year ago

    Extremely interesting, thank you for the information. Sadly, as a foreigner I can not support your work. I will point out I have always suspected many things coming to browsers as being malicious, incl extensions. I only use 3 or maybe 4, depending on the browser. Adblock and Ghostery are my selected alternatives to Ublock and Panda. On top of that, I use a VPN, #PIA , full time, and multiple browsers, each only used for the things it is ... no cross-over between sites and browsers .. and that includes portable (non installed, invisible) browsers. One thing to note is even with a VPN, some sites can see your actual location via webRTC connections. I also control that with an extension, my 3rd. What more can I do?

  • @travelwell6049 1 year ago +2

    I stopped installing Chrome extensions after your previous video on the topic. After seeing this, I’m so glad I don’t have any on any of my home devices.
    But I have been using Microsoft Edge more recently and it has a lot of built in functionality that would require an extension on Chrome. Do I trust Microsoft? 😬 nope

  • @Angular777
    @Angular777 1 year ago +1

    Not to mention game extensions in Chromebooks, where the kids have no idea what they're agreeing to

  • @ronm6585
    @ronm6585 1 year ago

    Thanks Naomi.

  • @invisableobserver
    @invisableobserver 1 year ago

    Naomi, can you do a video on the privacy intrusions of people search websites?

  • @Bond2025
    @Bond2025 1 year ago +2

    I never trusted the WeVPN browser plugin, the company has shut down now after being compromised over a year ago. They were not in control of their own servers. It's possible the whole operation was a honeypot. They used to claim that they never kept logs, but would contact customers who they thought used too much data! They also recommended the browser extension and now I think I know why - to obtain data and manipulate it.
    There was something odd with that company - meant to be ex-PIA staff. Can anyone analyse the old WeVPN browser plugin?

  • @darkwolf41nite53
    @darkwolf41nite53 1 year ago +1

    I don’t use google chrome I use brave but I have a question
    If a person using chrome browser turn off all extensions on chrome browser??

    • @NaomiBrockwellTV
      @NaomiBrockwellTV  1 year ago

      you should be very careful that you fully trust any extension you decide to keep installed

  • @lenisepage7553
    @lenisepage7553 1 year ago

    How do we get in touch with the extension makers though?

  • @lupoal4113
    @lupoal4113 1 year ago

    thank you, another very interesting (but scaring too) video...
    I use FF and I've added right now Privacy Badger, it works together with UBlock Origin and Block Tube... I've also Tab Session manager, is this one potentially dangerous?
    ... on top of all I use Pihole in a dedicated Rasp3 that acts as DNS server too ;)

  • @MrWhipple42
    @MrWhipple42 1 year ago

    Your video focused on Chrome extensions. Is it safe to assume that all the same problems exist with Firefox add-ons?

    • @trappedcat3615
      @trappedcat3615 1 year ago +2

      Yes, but no need to assume. Any extension that requires sensitive permissions or access to the page needs to be trusted.

    • @MrWhipple42
      @MrWhipple42 1 year ago

      @@trappedcat3615 Thanks. I'm just wondering if there's something more inherent to Firefox add-ons that gives developers fewer dangerous permissions and/or allows dangerous ones to be detected and removed. Verify always, of course, but is Firefox just better at extension privacy in general than Chrome?

    • @trappedcat3615
      @trappedcat3615 1 year ago

      @@MrWhipple42 It depends on many factors. Each browser has different teams vetting software in their store. Chrome has a larger store and possibly a larger pool of bad actors they overlook. Both browsers allow extensions to access history and page content if you give permission. Bookmark managers and ad blockers require this. In my opinion, it's more about trusting the extension developers than the browser and store security. A good practice is to avoid tools that are closed source or closed to public audits, any one developer shows.
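
The high/medium/low permission categorisation suggested earlier in this thread, and the point above that history and page-content access are granted through permissions, can be approximated by reading an extension's manifest.json. This is an added example, not part of any comment or of the video; the tier assignments and the sample manifest are assumptions made for illustration.

```python
import json

# Tier assignment is this example's assumption, not a browser-defined scheme.
HIGH_API = {"history", "cookies", "webRequest", "debugger", "scripting",
            "tabs", "clipboardRead", "nativeMessaging", "proxy", "management"}
MEDIUM_API = {"activeTab", "bookmarks", "downloads", "declarativeNetRequest",
              "webNavigation", "topSites"}
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}

def is_host_pattern(entry):
    # Match patterns contain a scheme separator; "<all_urls>" is the special case.
    return entry == "<all_urls>" or "://" in entry

def classify(entry):
    if is_host_pattern(entry):
        # Access to every site is high; access to named sites is medium.
        return "high" if entry in BROAD_HOSTS else "medium"
    if entry in HIGH_API:
        return "high"
    return "medium" if entry in MEDIUM_API else "low"

def audit_manifest(text):
    manifest = json.loads(text)
    requested = list(manifest.get("permissions", []))    # MV2 mixes hosts in here
    requested += manifest.get("host_permissions", [])    # Manifest V3 host access
    for script in manifest.get("content_scripts", []):   # page access via injection
        requested += script.get("matches", [])
    tiers = {"high": [], "medium": [], "low": []}
    for entry in requested:
        if isinstance(entry, str) and entry not in tiers[classify(entry)]:
            tiers[classify(entry)].append(entry)
    # The overall rating is the highest tier that has at least one entry.
    overall = next(t for t in ("high", "medium", "low") if tiers[t] or t == "low")
    return overall, tiers

# Constructed sample manifest (not taken from any real extension).
SAMPLE = """{
  "manifest_version": 3,
  "name": "Example Grammar Helper",
  "permissions": ["storage", "activeTab", "history"],
  "host_permissions": ["https://*/*"],
  "content_scripts": [{"matches": ["<all_urls>"], "js": ["content.js"]}]
}"""

if __name__ == "__main__":
    overall, tiers = audit_manifest(SAMPLE)
    print("overall:", overall)
    for tier, entries in tiers.items():
        print(f"  {tier}: {', '.join(entries) or '-'}")
```

The manifest only shows what an extension is allowed to do, not what its code does with that access, and an update can change the requested permissions.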

  • @mtkoslowski
    @mtkoslowski 1 year ago +3

    So Brave still the best (safest) browser?

    • @ultravioletiris6241
      @ultravioletiris6241 1 year ago +2

      The safest browser is Tor browser with Tails OS.

    • @NaomiBrockwellTV
      @NaomiBrockwellTV  1 year ago +4

      Brave is one of the best browsers for everyday usage for its default privacy protections, imo

    • @tsundokujim
      @tsundokujim 1 year ago

      @@NaomiBrockwellTV Brave is good, but I can't personally support a company run by a bigot. Until there's a change in the C-Suite there, I'm sticking with hardened Firefox.

    • @trappedcat3615
      @trappedcat3615 1 year ago

      ​​@@tsundokujimOL, so you switch to a company founded by the same bigot. 😅 I hope you can learn to use tools without concern about the ideologies of the maker. Your car was probably invented by a bigot. I mean who knows, right?

  • @Bob-The-Guy
    @Bob-The-Guy 1 year ago

    What about Add-ons? Do they have the same vulnerabilities?

  • @andrewkamoha4666
    @andrewkamoha4666 1 year ago

    0:37 "We’ll look at the most dangerous extension ever made!"
    *.EXE* ???

  • @hanko498
    @hanko498 1 year ago

    Does deleting the extension prevent future issues?

  • @TheSilentStar
    @TheSilentStar 1 year ago

    Hi Naomi, what about Mozilla Firefox add-ons? Especially on my mobile devices. There's a whole lot of them that are accessible from within the app itself and I'm now questioning the safety of all of them, what about noscript, privacy possum, etc?

    • @NaomiBrockwellTV
      @NaomiBrockwellTV  1 year ago

      Yep they mainly function the same way. Anything that interacts with your browser, be careful of the permissions you grant!

  • @animanaut
    @animanaut 1 year ago

    are there browsers where you have more granular control over given permissions? the way it currently works it's either yay or nay, but no way to withdraw single particular permissions from the whole permission package

  • @BlueSteelLeopard
    @BlueSteelLeopard 1 year ago +1

    This video is enough to give me a heart attack. You can do all the security you like and then you have this back door that is essentially wide open and you can't tell if or when it's been opened. Time to purge all extensions.

    • @mega_gamer93
      @mega_gamer93 1 year ago +2

      if downloading a singular extension defeats your security model it is not a very good security model (but still, don't run untrusted extensions)

  • @fabricio4794
    @fabricio4794 1 year ago

    Thanks Real Welma Dinkey for all information.....

  • @TheSimArchitect
    @TheSimArchitect 1 year ago

    How can we make extensions work without giving permissions we don't want while still benefiting from their functionality?

  • @MorningNapalm
    @MorningNapalm 1 year ago

    I use Brave rather than Chrome, and my only extensions are the BitDefender extension and NordPass. I am also uninstalling apps like LinkedIn from my phone and iPad and using the webpages instead, since these slimy companies use app permissions to get at more of my data. I would love being able to ditch all internet usage from my life, but that just isn't realistic. What a cesspool.

  • @my143utube
    @my143utube 1 year ago

    Can you ADD a list of trusted & untrusted Chrome extensions?

    • @NaomiBrockwellTV
      @NaomiBrockwellTV  1 year ago

      Unfortunately not, code can change at any time. I recommend avoiding extensions, and just using a password manager (that is reputable) and maybe an ad blocker if your browser doesn't already do blocking by default (brave does)

  • @boolve
    @boolve 1 year ago

    Is there any community to talk about known bad extensions, or maybe a list of crappy extensions? So to check those that you are using. Tnx

  • @webdevshaurya
    @webdevshaurya 1 year ago

    can glasswire monitor web browser extension's network activity?

  • @adamsarwar
    @adamsarwar 1 year ago +1

    Great timing, especially with the many fake chat GPT browser extensions..

  • @Bond2025
    @Bond2025 1 year ago +3

    How do we know things like SponsorBlock and uBlockOrigin are not doing this? Both amazingly useful, but what else are they really doing in the background.

    • @lussor1
      @lussor1 1 year ago +2

      Well ublock is prob analyzed

    • @ultravioletiris6241
      @ultravioletiris6241 1 year ago +9

      The difference is whether the app is open source, and after that it matters whether the app has been reviewed by a lot of people or not. UBlock is a good example of one that has been vetted by security professionals and it is built in to Mullvad Browser , which the tor project contributed to.

    • @dot_dot_pwn2650
      @dot_dot_pwn2650 1 year ago +4

      Don't use that garbage just get the brave browser and adjust your settings to block ads aggressively. Brave does it all baby. No stupid extension for dark mode, no stupid extensions for ads, extensions are just stupid. Build your own extensions if you're really concerned about privacy.

    • @therealb888
      @therealb888 1 year ago

      ​​@@lussor1 Probably is a very bad word in security & privacy. Even if it is analyzed that's history. It can change just like the chatgpt for goggle extension. Hence it needs periodic audits or at least the continued massive community engagement of many eyes.

    • @therealb888
      @therealb888 1 year ago

      Sponsorblock is not for privacy. Newpipe doesn't integrate it by default for the above cited reason.

  • @ErgonBill
    @ErgonBill 11 months ago

    Even 'reputable' ad blockers are collecting very personal information and permissions enable them to screw with everything. Might be better to put up with the ads, just not click on them?

  • @MasterVertex
    @MasterVertex 1 year ago +2

    One sec just deleting all my add-ons except uBlock