I am too wary of malware extensions to install that many. It is clearly trivial [0] for malware to get into the Chrome store, and Google is not doing enough to make me feel comfortable with it.
Additionally, I know that even as non-malware extensions grow in popularity they are solicited by malware companies to integrate their software in an update. I experienced this first hand with the HoverZoom extension. [1]
I really wish browsers would change their security model for extensions :\
"all or nothing" is ridiculous as the only option - let me revoke access or restrict it to specific sites. I may not care if X has access to site Y, but giving it access to Z means giving it the keys to my life so hell no. I don't even want to use it on Z.
> "all or nothing" is ridiculous as the only option - let me revoke access or restrict it to specific sites.
Thank you. I've been waiting for Firefox to add this feature for almost 2 years. For a privacy focused browser, this should be a must have, top priority.
I think they have already? In the old days, you just click once to install a mouse gesture addon.
Now you have to dig into the settings and give it permission before it will work. At first I found that annoying. But upon reflection, I guess it's a necessary evil.
I wish there was a way to exclude some websites instead! I want most of the extensions like ad/script/etc blockers to run everywhere, except say GMail.
I only discovered it because I was going to add a similar feature to my Chrome extension, and I was researching to see how others tend to implement it. I was glad to see that Chrome offers the feature natively, and surprised to see that Firefox didn’t.
Agreed. Like with Pocket's Chrome extension permission model[1] that has a "read everything on all websites", when really it only needs brief access to the URL when I want to save something.
I tried changing the "Site access" setting to "On click" -- but then the extension started acting funny or not working in some cases.
Chrome has added a more limited "activeTab" permission[2], but even that might be too much since it grants control to the tab and continues to allow permission on the same origin.
Like the GP said, even if the extension developer isn't trying to exfiltrate data, they should do more to protect users from a compromise of their extension, and browsers should give them the models to do so.
IMO, good security models can be a foundation forward to better overall security compared to desktop apps since it seems that browsers are becoming an OS of their own.
while true, you can say this about anything which doesn't have any permissions system too. why worry about end-user security, they can just fork and modify.
which means, effectively, that it becomes a 0.001% or worse event. arguably the whole point of privacy-focused (or even -aware) software is to increase that beyond "fork and modify"'s ratio, as far as possible, because it doesn't work in practice for the vast majority of the globe.
Yes, this - absolutely. Every extension you install is another potential risk/attack vector. Consider the sources carefully and run the least number of extensions possible. Each one potentially has control of your browser, so choose accordingly.
If there were ever a post to drive me away from a product, this'd be it. Good to know that I should stay well away from KeepassXC, if this is what its defenders sound like.
It's really disappointing to see what's a now flagged post and push-back to what was obviously a flagrant comment. For a more level-headed opinion on KeepassXC, it's decently polished and easy to use. It's also open-source and cross-platform. I like it and came from the original Keepass. I didn't have any specific issues with the first besides wanting to try something new. I haven't noticed any major issues with KeepassXC myself but open to hearing others' experiences.
Comment was flagged so I have no idea what they said, but I use KeePassXC and I'm happy with it. Regular KeePass is good too, but I use XC because it's cross-platform.
If you turn on showdead in your user profile settings you can see flagged comments. I find it helps with context in situations like this, but certain types of posts do attract a lot of racist/sexist garbage that you normally can't see, so be forewarned.
I signed up for LastPass a couple of weeks ago, and they started sending me spammy emails every single day. I went into account settings and disabled the emails, and they kept coming. I opened a support thread on their forum, linking many other similar threads going back several years, and saying that they have to fix this under GDPR... Silence.
I deleted my account and switched to BitDefender. Still getting the LastPass emails though, whenever I check my spam folder.
Also, LastPass slowed my Android phone a lot. BitDefender doesn't seem to do that.
In short, my recommendation is: stay the hell away from LastPass. They can't even handle an email system, I don't trust them at all to handle my passwords.
Their Windows application was also painfully slow.
I paid them for years but I no longer trust them, it seems to me they are incompetent as an organization even if the people who work there might or might not be smart.
I can't count the time I have heard good things about an extension, went to the chrome store page and ... "asks to read your data on all websites".
Hard pass.
I can't prevent the apps/OSes I use from gathering data about me, but that's at least one vector (although sadly a small one) I can do something about.
Isn't this true, to some degree, with all software distribution channels? Weren't CCleaner and FileZilla hacked to distribute malware alongside the main payload?
Unvalidated auto-update really is an anti-pattern. Giving arbitrary third parties the power to install and run software on your system in perpetuity is a massive attack vector. Most software doesn't represent a large active and ongoing attack surface that auto-updates would be a net positive.
Just yesterday I ran into an invisible layer right here on HN when replying with a comment that opened a new page when I tried to click on something.
I disabled all extensions that I don't commonly use and am watching for now, but I have no idea how to actually tell which one did it (many of them were recently updated due to a Chrome change on August 6th or something).
There's an incredibly useful extension that's not on that list that I bet a good number of HN folks would like:
Vimium [1]
It lets you use keyboard shortcuts to navigate through webpages, click buttons, jump to text boxes, etc. it's been huge for me both as a productivity tool (it's significantly faster than using a mouse for navigation) and also for reducing RSI/strain on my hands.
Here's a video of it in action as you really need to see it being used to understand the different interaction model it provides.
I used to use vimperator and/or pentadactyl back before the big firefox change that redid how the browser buttons/menus/etc were rendered and it was pretty ideal. The bar at the bottom, the ability to bind any menu action, the quick addon management interface, the beautiful completion when opening a link.
Since eventually switching to Chrome, I've tried vimium every now and then and always found it lacking. It usually got in the way when I didn't want it to and I'd get sick of trying to figure out how to turn it off for a particular site/just for this one interaction and just uninstall it.
It's been a year probably, so I guess I'm about due for another go.
Ironically Vimium (and most extensions) are disabled on the Chrome Extensions domains. So when I hit 'yy' to copy the URL of the existing page it didn't copy it, so I instead pasted the last URL I had, which was the CPRA checklist.
Not something I had intended to do, but I hope the checklist was useful.
SingleFile. Allows me to save a snapshot of a page when I bookmark it (or at any other time). This means that when I encounter a page, I can automatically archive a copy to read later without worrying if the author will delete it, or the site will be unavailable. https://addons.mozilla.org/en-US/firefox/addon/single-file/?...
Default Bookmark Folder. Always save new bookmarks to the same place, which is useful for keeping stuff together. I tag my bookmarks when I make them too, to make finding them again much easier. https://addons.mozilla.org/en-US/firefox/addon/default-bookm...
In the post:
"Shut Up disables comments everywhere. When I trust a platform's audience enough to read the unfiltered outputs from their brains, I enable comments for just that site. Sometimes I turn it back off immediately"
At the end of the post: A comments section with spam in it.
Honestly, I can imagine that content creators would love the option of not seeing their comment sections, at least after they take off. If I were, say, Dan Harmon, I'd be really happy to have the option of filtering every post anywhere with a reference to his work.
As far as I know they still send everything you type to their cloud service, and their privacy policy gives them broad latitude to use that info to "improve the service."
Right now I use "LanguageTool" with the Java-based server running locally. After I imported the ngrams it works good enough to be a clear improvement over Firefox's bad built in spelling/grammar checker. The UI is passable. It does randomly decide I typed another language though and tell me everything I typed is misspelled in that language.
In an ideal world I'd prefer to pay LanguageTool money for their premium product, but they have the same privacy problems as Grammarly. Heck I'd pay Grammarly if they had a more private offering, it is a good idea.
In a 300 word email I make at least 3-4 spelling errors either because I don't know the words spelling properly (yes there are many words) or because I type fast make mistakes. Grammarly checks their database and compare my sentences and suggest different ones. Try it, it really does help.
Out of curiosity, is English your first language? I can see that it would be helpful for fixing the types of errors you mention, and the kinds that appear in your comment. Does it give suggestions for text boxes like in HN comments as well?
I have tried it and found nothing useful for me, but am interested to know why/how people use it.
You guessed it right. No, it is not my first language that's why maybe I am more inclined to use paid tools like Grammarly. Although, my coworkers/employees are native speakers they make more spelling mistakes than non-native speakers (maybe confidence?). I force them to use grammarly and almost every email there is 5-10 corrections. If you didn't try yet, just download and scan some of your old emails. I bet you will find minimum of 5 mistakes. Better safe than sorry.
I just use uBlock Origin to clean up websites I visit of their trending sections, recommendation sections, comment sections. Sometimes I get rid of links that I might mindlessly click, like the whole top bar of reddit.com.
For example, these filters work really well on youtube.com
The days of uBlock Origin on Google Chrome are numbered. It may not work for Google Chrome when Manifest V3 is implemented (and no recourse provided for uBlock Origin). [1]
P.S: I haven't kept up with the latest developments on this since last year.
Although it’s not quite as good as uBlock Origin, moving to a network based setup, like PiHole or AdGuard Home, can make great strides across all your devices with minimal headache or worrying as much about Google making it harder to control your web content. It makes it very apparent when I’m browsing on my phone or iPad and they switch over to LTE because all of a sudden there are ads everywhere.
At some point I’m sure they’ll start trying to bypass local DNS by forcing DNS over HTTPS to only their approved servers, at which point someone will build a MITM HTTPS proxy for home users that you can seamlessly install onto a Raspberry Pi until we see the next escalation in the never ending battle for our eyeballs.
GP here. You can also try NextDNS.io, which allows you to choose blocking lists. There are apps for iOS as well as other platforms to allow it to be used on all networks (or even configure it not to be used on specific WiFi networks).
> If uBlock Origin doesn't update, there'll be a dozen adblockers that work with Manifest v3 on day 1.
You seem to not know what manifest v3 is actually doing.
Any adblocker with a static list of domains per-update of the crx file's manifest is useless. Users would have to install hundreds of extensions (each with dozens of domains that they themselves block), just to have the same functionality.
If any anti adblocking team of any ad network decides to just rename foo.tracker.net to bar.tracker.net, all adblocker extension users would have to REINSTALL the chrome extension manually because the manifest's list of domains is statically built in.
You're operating off of outdated information. Rules do not need to be baked into the manifest.
> The Declarative Net Request API now allows for the registration and removal of dynamic rules - specified at runtime rather than statically in the manifest. We’ve also added the capability to remove common tracking headers, such as Referer, Cookie, and Set-Cookie.
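The dynamic-rule update described in the exchange above, as an added example that is not part of the thread or any extension's own code: it rebuilds the block list at runtime when a tracker hostname changes, with no reinstall. `foo.tracker.net` and `bar.tracker.net` are the thread's hypothetical names, `ads.example` and `makeFakeDnr` are constructed here, and in a real Manifest V3 extension `dnr` would be `chrome.declarativeNetRequest`.

```javascript
// Added example, not code from the thread. In a real MV3 extension pass
// chrome.declarativeNetRequest as `dnr`; the manifest must request the
// "declarativeNetRequest" permission.

// One blocking rule per domain. "||host^" is the urlFilter form that
// matches the host and its subdomains.
function buildBlockRules(domains, firstId = 1) {
  return domains.map((domain, i) => ({
    id: firstId + i,
    priority: 1,
    action: { type: "block" },
    condition: {
      urlFilter: `||${domain}^`,
      resourceTypes: ["script", "image", "xmlhttprequest", "sub_frame"],
    },
  }));
}

// Swap the whole dynamic rule set at runtime: drop every existing dynamic
// rule and register the new list in a single updateDynamicRules call.
async function syncDynamicRules(dnr, domains) {
  const existing = await dnr.getDynamicRules();
  await dnr.updateDynamicRules({
    removeRuleIds: existing.map((rule) => rule.id),
    addRules: buildBlockRules(domains),
  });
  return (await dnr.getDynamicRules()).map((rule) => rule.condition.urlFilter);
}

// In-memory stand-in (hypothetical) exposing the two methods used above,
// so the example runs under Node without a browser.
function makeFakeDnr() {
  let rules = [];
  return {
    async getDynamicRules() {
      return rules.slice();
    },
    async updateDynamicRules({ removeRuleIds = [], addRules = [] }) {
      rules = rules
        .filter((rule) => !removeRuleIds.includes(rule.id))
        .concat(addRules);
    },
  };
}

// The rename scenario from the thread: the list is replaced in place.
async function renameScenario() {
  const dnr = makeFakeDnr();
  const before = await syncDynamicRules(dnr, ["foo.tracker.net"]);
  const after = await syncDynamicRules(dnr, ["bar.tracker.net", "ads.example"]);
  return { before, after };
}
```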
The one extension I cannot live without is hover zoom+. Hover over any thumbnail (for a customizable amount of time) and it loads the full size image on top. When people see me using it with google images, they always ask how I did that.
Does HTTPS Everywhere actually work for you? It's utterly useless for me as far as I can tell. Try going to some site (say, example.net) in Chrome and watch it just load HTTP.
IIRC, you have to enable the "strict" mode, or something along those lines, in the settings before it rejects HTTP connections from being made. I had the same issue.
Thanks, but then what do I do about HTTP-only sites? Why can't it default to HTTPS and then auto-fallback to HTTP when HTTPS connections fail for sites that aren't in the known-HTTPS list? It seems like a logical thing to do instead of just going straight to HTTP.
Google makes money from websites showing ads, so making a reader mode readily available would be counter to that. There used to be a hacky way to approximate reader mode in Chrome [1] but not sure if that still works. Just another reason to favor Firefox over Chrome IMO.
Google will always give only enough privacy options to give the veneer of supporting privacy, but never enough to truly allow it (e.g., anti-fingerprinting measures). You can't blame them really, it's just not their business model, but if you disagree with that model and its effects on you, you can choose a different browser.
I have seen it a few times, but only on mobile IIRC and it wasn't consistently shown across all pages where I wanted the functionality. I definitely can't seem to find it anywhere on desktop Chrome.
I think of extensions as a way to adapt the web to my preferences. Sane defaults are not that universal and it's good to harness the power of the web to make everyone happy.
For me it's uBlock Origin and uMatrix. The web is unbearable without those two. Pages load at least 50% faster. Makes you realize the amount of crap modern sites load.
It is mentioned in the link, but I just want to emphasize that Video Speed Controller [1] has been amazing for me. Unfortunately, it didn't work as well on Firefox (stuttering on higher speeds above 2X) when I tried it a year ago. Which means I'm stuck with chrome for at least a decent amount of my activity.
- Opens pdfs in my pdf reader right away: https://add0n.com/open-in.html?from=pdf (invert sumatra pdf on windows and you even have a dark mode: "...\SumatraPDF.exe" -bg-color #000000 -set-color-range #FFFFFF #000000 )
- (there is also one to open in chrome, really good if you are using FF but need to use google products like meet or jamboard)
- stylish if you know CSS. I made wikipedia look more like the mobile version, make visited links visible globally, hide jira crap for sprint plannings etc.
- for good keyboard hint navigation: Tridactyl (but saka keys is probably more beginner friendly)
I actually use this one a lot, lets you take a video and make it the full size of the browser. I find that theater mode youtube isn't quite big enough on a 4k screen, but I don't want to pop into fullscreen mode.
Honestly, most of them. Grammarly in particular because of privacy concerns, but I avoid using any that are not both open source and high payoff.
I use Privacy Badger and NoScript. I may add Ublock Origin to cover the edge cases where I need to enable JS. Anything else is adding bloat, not cutting back on it.
NoScript in particular covers:
UBlock Origin, Nano Defender, Hover+Unpaywall, and ShutUp
Most of the others, I already use something outside of a browser or don't need.
Monitor website changes and get notification popups, email, SMS or push notifications on change. There are other alternatives that have the same basic functionality but I stayed with Distill as it is more customizable.
Slightly irksome when by "Browser Extensions" the author only means "Chrome Extensions" and provides no links to equivalents for other browsers. That in itself is fine, but they could've titled it with "Chrome" in the headline, not a general term like "Browser".
Nice list. There are still extensions I wish someone would come up with. Like an extension to make Google Image Search only return images, not videos. I've basically given up on embedding gifs into HTML because it's impossible to find an actual gif with Google. All you get is videos pretending to be gifs.
Oh god, I really need something like this in my life. I end up losing myself on reddit, hacker news, lobsters like websites. This might ease my burden a bit. Do you happen to have a GitHub link or something, so I can follow the progress?
Just learned hnreplies.com (thanks for that) I am subscribed now. Also, Firefox user here so thanks for the link :). Saved add-on page for now. Good luck on the project!
Yes it's exactly as the name implies! It will BLINK the text you are trying to find on a page via "Ctrl+F" or "Cmd+F".
I honestly can't believe I'm the only user of this extension. I can not for the life of me find half the text I'm looking for on a webpage without it blinking.
Panorama view (think spaces for tabs)
Multi-account container (keeps facebook properties and google properties on their own world)
User-agent switcher (I switch to mobile on heavy websites)
Evernote clipper
FoxyProxy
Auto-tab discarder
HTTPS Everywhere
S3 translator
Probably generation difference. The author is depending on google products and social platforms way more than I'd ever do. Facebook, youtube, gmail, chrome...
I hate captchas and love how buster is feeding them their own dog food by using speech to text to defeat captchas!
Seriously though, it almost makes me look forward to sites that have captchas to feel like I’m sticking it to google instead of working for free to help them make their computer vision models better.
I try to keep things light—less time and energy thinking about things that only squeeze out that extra sliver of speed in obscure (for me) use-cases.
I use AdBlock and LastPass, and maybe a clipper—Notion, Instapaper. But other than that, I’ve found more extensions make me less able to focus on getting stuff done, and much more focused on whether I’m using the ‘right’ tool
On websites I use often, it's no hassle because the appropriate scripts are already enabled by domain. On websites I haven't been to before, it's less hassle to take the whitelist approach than deal with random parasites.
All very well, but each new extension adds to "waiting on extension". I tried moving the cache and chrome profile to tmpfs to speed things up. Could some developer embed such functionality into the executables?
Here are all the ways I know how to duplicate a tab:
- ctrl drag the tab to the side until a downwards arrow appears and then release
- ctrl click the refresh button (any of the navigation buttons really, although they will clone the previous or the next in the history)
- middle click the refresh button
And my favorite: “yt” key combo when using Vimium-ff.
Additionally, it’s useful because I like to keep related tabs next to each other, so I often used these methods to duplicate a tab (or ctrl/middle click on the new tab button to open a blank one next to the current tab), but now I only need to press “t” to open a new blank tab right next to my current one.
Page Monitor is pretty great for getting notified when the code on a specific page changes so you can be first to grab something that pops back in stock.
There is a certain sort of phenomena I've noticed recently where the act and skill of posting are becoming a focus in itself. The podcast Report this Post kind of gets at the essence of it and the joy of delightfully bad posts, specifically. That said, I think that the subtle art of trolling is really understated on the modern web, too (at least to the mainstream, because they're usually the butt of the jokes).
"I Don't Care About Cookies" slowed my browser down so much on so many sites, it was more annoying than the cookie messages themselves. I got rid of it.
I recently deleted all of my extensions off all three browsers (Chrome, Firefox, and Safari). The ad blocking on Firefox is almost as good as Ublock Origin. I found privacy badger to be largely useless.
The only thing I miss is lastpass, but I've gotten used to having it run as a desktop app.
Containers in Firefox were nice, but I've also gotten used to switching accounts.
The fact that extensions get 100% access to everything on your page (including password forms) is just a no-go for me. I have to draw the line somewhere.
Well if you're worried about chain of trust, you could only use recommended extensions on Firefox. They're manually reviewed so you're still only really trusting the organization that runs your browser.
Bonus point if you download the extensions and manually review them yourself.
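A first step for the manual review suggested above, as an added example that is not part of the thread: it reads an unpacked extension's `manifest.json` (already parsed) and reports whether it asks for every site, a listed set of sites, or only `activeTab`. The three sample manifests and the verdict labels are constructed for illustration.

```javascript
// Added example, not code from the thread: classify the site access an
// extension's manifest.json asks for. Sample manifests are constructed.

// Match patterns that mean "every site": <all_urls>, or a "*" host.
function isAllSites(pattern) {
  return pattern === "<all_urls>" || /^(\*|https?):\/\/\*\//.test(pattern);
}

// MV2 mixes host patterns into "permissions"; MV3 moves them to
// "host_permissions". Host patterns are told apart from API names by "://".
function isHostPattern(entry) {
  return entry === "<all_urls>" || entry.includes("://");
}

function auditManifest(manifest) {
  const perms = manifest.permissions || [];
  // Access granted at install time, including content script injection.
  const required = [
    ...perms.filter(isHostPattern),
    ...(manifest.host_permissions || []),
    ...(manifest.content_scripts || []).flatMap((cs) => cs.matches || []),
  ];
  // Access the extension may ask for later, which the user can decline.
  const optional = [
    ...(manifest.optional_permissions || []).filter(isHostPattern),
    ...(manifest.optional_host_permissions || []),
  ];
  const broad = [...new Set(required.filter(isAllSites))];
  const scoped = [...new Set(required.filter((p) => !isAllSites(p)))];
  const usesActiveTab = perms.includes("activeTab");

  let verdict;
  if (broad.length > 0) verdict = "all-sites";
  else if (scoped.length > 0) verdict = "listed-sites";
  else if (usesActiveTab) verdict = "active-tab-only";
  else verdict = "no-site-access";
  return { verdict, broad, scoped, optional, usesActiveTab };
}

// Constructed sample: a save-for-later button that reads every page.
const SAMPLE_ALL_SITES = {
  manifest_version: 2,
  permissions: ["tabs", "storage", "<all_urls>"],
  content_scripts: [{ matches: ["*://*/*"], js: ["content.js"] }],
};
// Constructed sample: the same feature narrowed to the clicked tab.
const SAMPLE_ACTIVE_TAB = {
  manifest_version: 3,
  permissions: ["activeTab", "storage"],
  optional_host_permissions: ["https://*/*"],
};
// Constructed sample: access limited to one named site.
const SAMPLE_LISTED = {
  manifest_version: 3,
  permissions: ["storage"],
  host_permissions: ["https://news.ycombinator.com/*"],
};
```

An "all-sites" verdict corresponds to the store prompt about reading data on all websites; optional host patterns are reported separately because they are only granted if the user accepts a later prompt.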
If you can live without Chrome, you can live without all Chrome extensions in the article; If you can live without a desktop/laptop, you can live without all Chrome extensions.
I just don't like this kind of eyeball-attracting title: Too much exaggeration
[0] https://awakesecurity.com/blog/the-internets-new-arms-dealer...
[1] https://www.ghacks.net/2013/12/26/hoverzooms-malware-controv...