49

I'm a fan of FOSS and reasonable privacy with data. I also often look for and install software on my computers for random tasks as they come up. Today, when I was looking to install an extension to Firefox called Wikipedia-EN that helps me search Wikipedia by highlighting a word, the Mozilla page for the extension states:

This add-on is not actively monitored for security by Mozilla. Make sure you trust it before installing.

As someone that is not educated in programming or perpetually current on tech news, what can I do to assess the safety of this and other software? Is there a site that transparently evaluates software and publishes its findings?

all 13 comments
sorted by: hot top controversial new old
[-] morgunkorn@discuss.tchncs.de 25 points 2 months ago

Mostly if you find an attached GitHub repository to the software, you can have a bit more trust in it than otherwise, it means that the developer is putting their cards on the table and not trying to hide something nefarious. Of course there are caveats to this but it's a good start.

[-] Hjalamanger@feddit.nu 18 points 2 months ago

Also, check the number of contributors to a project. All of those people do (probably) trust the project and have also (probably) read at least parts of the source code for it

[-] neidu2@feddit.nl 23 points 2 months ago* (last edited 2 months ago)

Running any software is inherently unsafe. It's basically the computer equivalent of eating something given to by a stranger, and you just have to trust them that it's good for you.

But we do it anyway, simply because we have to - not all of us are software devs with unlimited time on our hands.

It basically comes down to whether you trust the origin or not, as well as check the reviews/comments to gauge the reception of other users. If something fishy is going on, word spreads relatively fast.

Tip: While no means foolproof, if the software in question has a github repo, it adds a layer of trust, because that means anyone can review the source.

[-] SpacePirate@lemmy.ml 8 points 2 months ago

Even as a power user… You can’t.

And, in the 21st century, nothing on your computer is safe and private, least of all, browser extensions.

Even if an extension is safe today, with a tiny handful of notable exceptions, it will be”monetized”, or bought and sold to someone that will use it to install adware on your system, train their AI model, or steal your personal information.

There is no feasible defense to this for a layperson, other than absolute transparency in FOSS, and even that is under attack via flaws in the software supply chain.

The best a layperson can hope for is that major vendors care more about exclusivity and locking others out of their ecosystem, such that they are the only ones who have full control of your data (Apple, Google, Microsoft).

[-] otp@sh.itjust.works 7 points 2 months ago

If you have some sort of decent antivirus/antimalware like Malwarebytes, that would work for standalone applications to an extent.

Browser extensions are a lot harder to check.

Always make sure you get the RIGHT extension from the PROPER SOURCE. Same with most downloads and app store stuff on your mobile devices, but at least with executables, you can additionally run virus scans for some peace of mind.

Some tips...

  • Always make sure you're accessing the extension's download/install page from a trusted source.
  • Check reviews AND READ THEM. Make sure they don't look suspicious/bot-generated.
  • Consider what permissions you're giving the extension. Your browser has a lot of personal and sensitive information... including the "keys" to a lot of your accounts. Basically any website that you don't need to sign into every time you access it? That "key" is stored in your browser.

I believe you can generally trust what permissions an extension or app needs (since the browser/device knows which permission an extension/app uses, and locks them away otherwise), but be wary of the implications of some of them (such as data from other websites, or accessibility features).

[-] marcos@lemmy.world 5 points 2 months ago

As a techie, I can say that's a hot research area. There isn't much useful stuff in it.

Is there a site that transparently evaluates software and publishes its findings?

Well, you just found the Mozilla one. It has told you their findings.

[-] SpaceNoodle@lemmy.world 7 points 2 months ago

They stated that they literally didn't evaluate the plugins.

[-] marcos@lemmy.world -2 points 2 months ago

Yep. That's the answer. That's all the information the OP has available.

[-] hisao@ani.social 4 points 2 months ago* (last edited 2 months ago)

Not much you can do other than researching the current consensus. And for the latter you can try to search discussions about its safety. Good query to start with is "is programname malware/spyware".

[-] ef9357@lemmy.sdf.org 4 points 2 months ago

Try virustotal.com. You can scan files and URLs.

[-] xia@lemmy.sdf.org 3 points 2 months ago

Both practically and theoretically, it might be impossible. It basically comes down to trusting trust. https://www.youtube.com/watch?v=SJ7lOus1FzQ

[-] darkstar@sh.itjust.works 2 points 2 months ago

As a techie, I would say rather stay away from browser extensions. A lot of them do add great functionality but browser extensions are much more difficult to verify and it's a lot easier for them to be malicious without you knowing

this post was submitted on 09 Sep 2024
49 points (100.0% liked)

No Stupid Questions

35868 readers
394 users here now

No such thing. Ask away!

!nostupidquestions is a community dedicated to being helpful and answering each others' questions on various topics.

The rules for posting and commenting, besides the rules defined here for lemmy.world, are as follows:

Rules (interactive)


Rule 1- All posts must be legitimate questions. All post titles must include a question.

All posts must be legitimate questions, and all post titles must include a question. Questions that are joke or trolling questions, memes, song lyrics as title, etc. are not allowed here. See Rule 6 for all exceptions.



Rule 2- Your question subject cannot be illegal or NSFW material.

Your question subject cannot be illegal or NSFW material. You will be warned first, banned second.



Rule 3- Do not seek mental, medical and professional help here.

Do not seek mental, medical and professional help here. Breaking this rule will not get you or your post removed, but it will put you at risk, and possibly in danger.



Rule 4- No self promotion or upvote-farming of any kind.

That's it.



Rule 5- No baiting or sealioning or promoting an agenda.

Questions which, instead of being of an innocuous nature, are specifically intended (based on reports and in the opinion of our crack moderation team) to bait users into ideological wars on charged political topics will be removed and the authors warned - or banned - depending on severity.



Rule 6- Regarding META posts and joke questions.

Provided it is about the community itself, you may post non-question posts using the [META] tag on your post title.

On fridays, you are allowed to post meme and troll questions, on the condition that it's in text format only, and conforms with our other rules. These posts MUST include the [NSQ Friday] tag in their title.

If you post a serious question on friday and are looking only for legitimate answers, then please include the [Serious] tag on your post. Irrelevant replies will then be removed by moderators.



Rule 7- You can't intentionally annoy, mock, or harass other members.

If you intentionally annoy, mock, harass, or discriminate against any individual member, you will be removed.

Likewise, if you are a member, sympathiser or a resemblant of a movement that is known to largely hate, mock, discriminate against, and/or want to take lives of a group of people, and you were provably vocal about your hate, then you will be banned on sight.



Rule 8- All comments should try to stay relevant to their parent content.



Rule 9- Reposts from other platforms are not allowed.

Let everyone have their own content.



Rule 10- Majority of bots aren't allowed to participate here.



Credits

Our breathtaking icon was bestowed upon us by @Cevilia!

The greatest banner of all time: by @TheOneWithTheHair!

founded 1 year ago
MODERATORS