Add-ons, plugins, and other browser extensions install scripts on your computer. Just because a script loads into a browser, don't assume it is safe to use. In several posts here I have talked about Firefox extensions that make developing and optimising websites easier. I have also blogged about other free tools and, of course, open source software. Many people who read posts like these just race off and try the tools out for themselves. The problem is - how do you know they are safe to use?
Back in November 2008, the Security Program Manager on Microsoft's Internet Explorer team said, according to Sean Michael Kerner of InternetNews.com:
"One of the things we've seen in the last two years is that attackers aren't even going after the browser itself anymore. The browser is becoming a harder target and there are many more browsers," Lawrence said. "So attackers are targeting add-ons."
From the number of malware reports on browser add-ons this certainly looks to be true. Should you be worried? Not if you practice safe computing and stay vigilant.
Steps to Mitigate Risk From Bad Browser Extensions
- Firstly, remember that a browser add-on is a script and like all scripts (whether free, commercial, or whatever) security vulnerabilities are possible. So, you should always run antivirus software on your computer and keep this up-to-date. Firewalls and other security mechanisms are a good idea too.
- Only download from a reputable site - one that is well-known and that you can reasonably trust.
  Bad scripts have made it onto the official Firefox add-ons directory in the past but are dealt with quickly. Mozilla also scans each add-on before it is made available for you to download. Most official browser add-on repositories carry out at least basic scans before providing the download.
- Putting the add-on through a security check before installing it provides some peace of mind.
  A commercial toolbar that works with most browsers and provides a "virtual" browsing environment, effectively sandboxing your browser, is Zone Alarm's ForceField. Using this, all downloads are checked before they make it onto your computer. Or you can use a free online service, such as VirusTotal, to analyse your extension before you install it.
  Just don't click for the automatic install unless you are confident the add-on is safe to use.
- Keep your browser and add-ons up-to-date. Firefox will alert you when an add-on needs to be updated but not all browsers do this.
- If you use an add-on that is not available from an official extension resource, have a look at how long that add-on has been around and whether it is still being actively developed (which gives a clue as to whether bugs are likely to be fixed quickly), and then do a search on the Net for any reports of vulnerabilities, privacy issues and the like. If you find lots of recommendations for the add-on and no reports of concerns, you can be reasonably assured that the add-on will be safe to use.
- Be careful about faked add-ons. Unscrupulous folk have distributed malware posing as a popular add-on. Again, search engines are your friends here - always run a search for more information before installing an add-on that is new to you.
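The pre-install check from the list above, as an added example that is not part of the original post: it fingerprints a saved add-on file so the hash can be looked up on a scanning service, and lists what the package bundles without installing or running it. It assumes the add-on was saved to disk as a ZIP-format package (as Firefox .xpi files are); the suffix lists and the sample package are constructed for illustration.

```python
import hashlib
import io
import zipfile

# Suffixes treated as bundled native code or standalone scripts.
# Illustrative assumption, not an exhaustive list.
NATIVE_SUFFIXES = (".exe", ".dll", ".so", ".dylib", ".bat", ".cmd", ".vbs")
ARCHIVE_SUFFIXES = (".jar", ".zip", ".xpi")


def triage_addon(data: bytes) -> dict:
    """Inspect a saved add-on package without installing or executing it."""
    report = {
        "sha256": hashlib.sha256(data).hexdigest(),  # value to search on a scanner
        "is_zip": False,
        "files": [],
        "native": [],           # compiled code or scripts run outside the browser
        "nested_archives": [],  # inner packages that need the same inspection
    }
    buf = io.BytesIO(data)
    if not zipfile.is_zipfile(buf):
        return report  # not a ZIP-format package; only the hash is usable
    report["is_zip"] = True
    with zipfile.ZipFile(buf) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename
            report["files"].append(name)
            lower = name.lower()
            if lower.endswith(NATIVE_SUFFIXES):
                report["native"].append(name)
            elif lower.endswith(ARCHIVE_SUFFIXES):
                report["nested_archives"].append(name)
    return report


def build_sample_addon() -> bytes:
    """Constructed sample package; every file name and body is made up."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("install.rdf", "<RDF/>")
        zf.writestr("chrome/toolbar.jar", b"constructed placeholder")
        zf.writestr("components/helper.dll", b"constructed placeholder")
    return buf.getvalue()


if __name__ == "__main__":
    r = triage_addon(build_sample_addon())
    print("SHA-256 for a scanner lookup:", r["sha256"])
    print("Bundled native code:", r["native"] or "none")
    print("Nested archives to inspect:", r["nested_archives"] or "none")
```

For a real download, read the saved file's bytes and pass them to `triage_addon`; a clean result here does not replace the scan itself.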
Always download from trusted sources…
always check your downloads
Don't be afraid to use these free browser extensions. The points I have made are valid for ALL software and a good dollop of common sense coupled with some research and security scans is a small price to pay for the benefit many of these browser add-ons can bring.
Have I missed anything here? Do you have more tips to share?