A Defensive Computing Checklist    by Michael Horowitz
HOME | About | Domain Names | VPNs | Rules of the Road | DC Presentation | ChangeLog | Stats |

WEB BROWSER EXTENSIONS

Web browser extensions are a double-edged sword. On the one hand, they can block ads and trackers. But, if you let them, they can also read and modify the contents of every displayed page. Yikes! Nothing could be more dangerous. Your browser sees all your passwords. It sees your bank balance and account numbers. Making this worse, is that there are no clear warnings when you install an extension that it can read and modify every character on every web page. There should be a huge red flag (literally). But, there is not.

Frankly, the lack of warning is disgraceful. While the ability to see and modify everything is necessary for an extension to block ads and trackers, far too many extensions are silently granted this ability. Even the most secure, generally available operating system, ChromeOS (which runs Chromebooks), has browser extensions as an Achilles heel. The only way to hack a Chromebook is to convince someone to install a malicious browser extension.

Making a bad situation worse is that browser extensions silently self-update, with few checks to make sure they are not malicious. So, a good extension can go bad without warning. In the Extension Articles section below, there is an article from August 21, 2025 about an extension that did Break Bad.

Another problem with browser extensions are copycat extensions. Just as with domain names, bad guys create scam extensions with names similar to popular ones. Bad guys can get away with this because, by and large, nobody is looking/checking. This article, Google Chrome: legit EditThisCookie extension removed instead of malicious copycat by Martin Brinkmann (December 31, 2024) is about a good extension called EditThisCookie that had over 3 million users and 11,000 ratings. That popularity spawned a malicious extension called EditThisCookies. At some point, the bad extension was renamed to EditThisCookie®.

FYI: A Chromebook in Guest mode does not allow any extensions.

FYI: On Android, the only browser that supports extensions is Firefox.

Never install an extension just because a web site says you need it. There is a good chance, that message is a scam; very very few websites need you install an extension.

RATINGS OF EXTENSIONS

Many techies, not just me, would suggest installing an ad blocker extension. This is not because it makes web pages load faster (it does) but mostly because ads have been abused too many times to install malicious software or take you to scam websites. And, they are distracting. And, if care about privacy, you need a tracker blocker too.

The recognized leader in the "blocking" field is uBlock Origin by Raymond Hill (aka gorhill). uBlock Origin is available for many browsers. Beware however, that the popularity of uBlock Origin is such that scam copies have been created. One such scam is uBlock Pro, another goes by just uBlock. Mr Hill warns that uBlock Origin is completely unrelated to the site "ublock.org". When in doubt, check that the extension is from Raymond Hill (aka gorhill).

Needless to say, Google, which makes its money on advertising, does not like ad blocking extensions. Sometime early in 2025 Google introduced a new interface between their Chrome browser and its extensions. This new interface was not compatible with uBlock Origin and Chrome eventually disabled the extension. I got a number of calls from people who were being scammed by malicious ads after Google disabled uBlock Origin. One response to this is to use another web browser that still supports uBlock Origin (Brave, Firefox) or use the Mullvad Browser which has uBlock Origin built into the browser itself. Anyone staying with Chrome, should install the uBlock Origin Lite extension, also from Raymond Hill (aka gorhill).

The Privacy Guides website recommendations for Browser Extensions are uBlock Origin, uBlock Origin Lite and, for iOS users running Safari, AdGuard.

I suggest a default posture of installing as few extensions as possible.

The downside of any blocking (ads or trackers) is that it will break some websites. One solution is learn how to turn uBlock Origin off for a problematic site (click the blue circle that has a vertical line through its top). Another option is keep a second web browser with no extensions at all. A second (or 3rd) browser is also a good idea when you really need a particular extension. Use that browser only on the site(s) that need the extension.

I suggest that you periodically review your installed extensions, in every browser that you use, and remove any you do not recognize or no longer use. To display the installed extensions, use these address bar URLs (perhaps bookmark them):
In chrome chrome://extensions
In Brave brave://extensions   (not valid on iOS or Android)
In Firefox about:addons

See also the page on web browsers

EXTENSION ARTICLES  top

No need to believe me about browser extensions. Here are some articles on the topic.

Matt Frisbie is a software engineer focused on web browser extensions.

 

 This page: 6 views per day (over 112 days)   Total views: 639   Created: June 18, 2025
This Page
Last Updated

August 27, 2025
Site Page
Views TOTAL

 1,326,745
Site Page
Views TODAY

  47
Website by
Michael Horowitz
top
Copyright 2019 - 2025