Desktop browser extension security and privacy issues

Abstract

Since their introduction in the 1990’s, users have adopted internet browsers as a convenient method of interacting with computers and servers whether collocated with the user or located across the planet. As browsers have become more sophisticated, additional capabilities have been made available to users through browser extensions. When written by trusted agents, these browser extensions provide safeguards for users, but browser extensions can also be written so that a user’s data can be extracted and used for purposes the user would never agree to. This paper began with the exploration of extensions in four popular browsers: Safari, Firefox, Chrome, and Internet Explorer (Edge) and the author explored the security and privacy practices inherent within the extensions, but only two of these browsers will be examined in this paper. Safari is eliminating all extensions outside of its tightly controlled delivery system beginning with the debut of its new operating system in September 2018 and Internet Explorer is being replaced by Edge, which is also tightly controlled by Microsoft. Presumably, Safari and Edge extensions will be secure once the developers submit the code and it is reviewed before the extensions are published. Because there are literally thousands of browser extensions it is not possible to examine all of them in a single paper, but it is the intent of the author to establish an evaluation framework so browser extensions can be objectively scored.