this post was submitted on 27 Jul 2024
744 points (99.3% liked)
Technology
59438 readers
3397 users here now
This is a most excellent place for technology news and articles.
Our Rules
- Follow the lemmy.world rules.
- Only tech related content.
- Be excellent to each another!
- Mod approved content bots can post up to 10 articles per day.
- Threads asking for personal tech support may be deleted.
- Politics threads may be removed.
- No memes allowed as posts, OK to post as comments.
- Only approved bots from the list below, to ask if your bot can be added please contact us.
- Check for duplicates before posting, duplicates may be removed
Approved Bots
founded 1 year ago
MODERATORS
you are viewing a single comment's thread
view the rest of the comments
view the rest of the comments
You live by that and I'll live by the advice I've seen from infosec professionals that recommend as few add-ons as possible due to security concerns. But yes, browsers are getting more secure over time and that's good.
I'm an cybersec MSc and an infosec professional.
You obviously shouldn't install closed source or otherwise shady extensions from dodgy authors you don't know, but on the whole there is very little they can do that you should worry about.
Most "advice" comes from people who want to sell you something and the infosec industry is mostly a scam to drain B2B procurement budgets plus a few gay furry researchers at defcon who are incomprehensible savants and actual malware authors who do something, unless they just write crappy .NET junk.
Take for example an average """zero-day""" in 2024: https://arstechnica.com/security/2024/07/threat-actors-exploited-windows-0-day-for-more-than-a-year-before-microsoft-fixed-it/
This isn't even a vulnerability. It's just phishing that requires a user to have file extensions turned off, then download a dodgy as hell .PDF file that isn't one due to hidden extension, which then uses a milquetoast .hta trojan downloader that only works if one has IE enabled on Windows AND opens the .pdf in MS Edge to pull in reverse shell code via probably psexec of some sort.
There are so many steps one wonders why not just send a iamnotavirus.exe uac prompt and all to download, compile and run ransomware from vxunderground source code then and there.
Worrying about stuff like this in browser is akin to using a VPN on public WiFi to avoid MITM attacks, there's nothing wrong with it but there's basically nothing to actually worry about there.
Sorry if I'm nitpicky or confused here. You just said it's obvious that you shouldn't install closed sourced or otherwise shady extensions. Do you think a normie knows and cares if an extension is open source? And how do they know if an extension is "shady"? And what about legit extensions that get bought by shady people and turned into shady ones long after they've been installed and the user base trusts it?