Privacybadger: Questions about trusting Privacy Badger

Created on 5 Feb 2021 · 4 comments · Source: EFForg/privacybadger

So, in light of recent events with the Chrome extension “The Great Suspender”, I’m trying my best to better understand and re-evaluate the few extensions that I do have installed on my systems. Privacy Badger is one of those.

The situation with the aforementioned extension was that the developer sold the extension to still unknown parties, only informed users on GitHub about it, then the new maintainer pushed code to the Web Store version which differed from the GitHub version and contained remotely executed unknown code. People were concerned since at least November and I (and many others) did not know this extension was acting maliciously until Google disabled and pulled it from the store on Feb 4. I’ve gathered there is a trend of this behavior recently: established extensions get bought out by secret new maintainers, who push fishy or outright malicious code, and then Google/Microsoft/etc. pulls it.

I'm not a developer and this may be naive, as I have a good deal of respect for the professional integrity of the EFF, but I’m left with these questions:

1) Would there ever be a situation where the EFF wouldn’t maintain Privacy Badger themselves? Perhaps being handed off to the community?

2) Why does the community trust this extension? How does one trust any developers without having the technical ability to pore through all the code themselves?

4) I sort of doubt this, but does Privacy Badger execute any remote code or any obfuscated code? If this is true, how would we know it’s trustworthy?

5) How far reaching can damage be done with a Chrome/Firefox/etc extension? Are they sandboxed? Can they break out of the browser and infect the machine, at-large?

6) What’s the easiest way for a person to stay up to date on major changes with the extension?

Thanks so much!

question

All 4 comments

Hello, and thanks for reaching out!

The Electronic Frontier Foundation is a leading non-profit organization that fights for your rights online. You can look at everything EFF has ever done and judge for yourself. EFF would never hand over Privacy Badger's users to another party. If EFF could no longer maintain Privacy Badger for whatever reason, Privacy Badger would stop getting updates. Perhaps a community fork would arise, but again, Privacy Badger users would never get handed over to another party.

Privacy Badger does not make use of remote code or code obfuscation.

A malicious browser extension can have full control over your browsing, including stealing passwords and other sensitive account information. You should absolutely only install extensions made by organizations you trust. (Please see our Privacy Badger extension permissions explainer for information on why Privacy Badger requires the permissions it does.)

To get notified about Privacy Badger updates, you can tell GitHub to "watch" releases on this repository, or you could subscribe to Privacy Badger's mailing list.

Let me know if you have any further questions. My answer is probably incomplete; I just wanted to promptly acknowledge and respond to your concerns.

@andresbase Please chime in if I missed anything.
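A check of the kind this thread is asking about, added here as an example and not part of the original thread or of Privacy Badger's own code: it reads an extension's manifest.json and flags the properties that would let an extension run code it did not ship with (a script-src that permits network origins or 'unsafe-eval') together with broad host access. The manifest below is constructed for illustration and is not Privacy Badger's.

```python
import json
import re

# Constructed sample manifest.json (illustrative only, not Privacy Badger's real manifest):
# a Manifest V2 extension whose CSP lets it load scripts from a remote origin.
SAMPLE_MANIFEST_JSON = json.dumps({
    "manifest_version": 2,
    "name": "Example Extension",
    "permissions": ["<all_urls>", "tabs", "storage"],
    "content_security_policy":
        "script-src 'self' https://cdn.example.invalid 'unsafe-eval'; object-src 'self'",
})

# CSP keywords that do not by themselves point at a network source.
_LOCAL_KEYWORDS = {"'self'", "'none'", "'unsafe-inline'", "'unsafe-eval'", "'wasm-unsafe-eval'"}

def script_sources(csp: str) -> list:
    """Return the source expressions listed under script-src (empty if absent)."""
    for directive in csp.split(";"):
        parts = directive.split()
        if parts and parts[0].lower() == "script-src":
            return parts[1:]
    return []

def remote_script_sources(csp: str) -> list:
    """Sources that would let the extension fetch and run code from the network."""
    return [s for s in script_sources(csp)
            if s not in _LOCAL_KEYWORDS and not s.startswith(("'nonce-", "'sha"))]

def audit_manifest(manifest_json: str) -> dict:
    """Flag the properties a reviewer checks before trusting an extension.

    An absent CSP is treated as no remote sources: the browser default for
    extension pages is script-src 'self', which only allows bundled scripts.
    """
    m = json.loads(manifest_json)
    csp = m.get("content_security_policy", "")
    if isinstance(csp, dict):          # Manifest V3 nests the policy per context
        csp = csp.get("extension_pages", "")
    hosts = list(m.get("permissions", [])) + list(m.get("host_permissions", []))
    broad = [h for h in hosts if h == "<all_urls>" or re.fullmatch(r"\*://\*/\*", h)]
    return {
        "manifest_version": m.get("manifest_version"),
        "remote_script_sources": remote_script_sources(csp),
        "allows_unsafe_eval": "'unsafe-eval'" in script_sources(csp),
        "broad_host_access": broad,
    }

if __name__ == "__main__":
    print(json.dumps(audit_manifest(SAMPLE_MANIFEST_JSON), indent=2))
```

Run it against the manifest.json of an unpacked extension; an empty remote_script_sources list and allows_unsafe_eval set to False are what you want to see, and broad host access is expected for content-blocking tools but still worth knowing about.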

Thank you so much for the kind and detailed response @ghostwords !

I do expect well of the EFF and this extension's maintainers (and I thank both for the hard work over the years) and am quite glad to see these answers, especially that the EFF would never hand over the extension.

This has been an enlightening couple of days for me and I've been learning a lot; I suspect this will change my technology habits. I'm feeling quite concerned and humbled by this event. Do you happen to know if the EFF has a best practices write-up anywhere regarding web browser security, privacy, and/or malicious extensions?

I'd love to hear anything @andresbase or other EFF folks would have to say, if anything, about any of this as well, but I'm glad to hear this much.

You're welcome!

I should also point out that we will always try to notify users of any big changes to Privacy Badger. A recent example of this is when we disabled local learning by default. This major change was explained in a blog post. The blog post was linked to from a UI notification shown to all Privacy Badger users.

EFF publishes the Surveillance Self-Defense guide, which (without going into browser extensions specifically) covers a number of important computer security concepts.

I personally suggest using a browser that isn't made by an advertising company that consistently fails to secure its own extensions store.

I did notice when the local learning change happened, thanks to the efforts listed above. I think it's very important for extension developers to notify end users of major changes through the UI, as you pointed out. Most folks who use these extensions may not have the time, or are not engaged enough, knowledgeable enough, or interested enough, to keep track of development on places like GitHub. So, I'm quite glad Privacy Badger and the EFF have taken these steps to inform their users. I think it's important to highlight the value of this UI disclosure.

I've already fully switched away from using the mentioned browser since these events transpired. I intend on continuing my use of Privacy Badger, as well. Thank you for the resources and advice! I truly appreciate it.
