Hacker News new | past | comments | ask | show | jobs | submit login

Installing this extension basically means trusting a random dude (the author) with all the data passing through the browser just to screw over some random people trying to get coarse-grained stats on where people come to their websites from. Sounds like a rather idiotic idea, but I'm sure even this will have its users.



In general I would agree, but the source code is so short here that you would be able to glance through it first to confirm nothing sketchy is going on there: https://github.com/jparise/chrome-utm-stripper/blob/master/b...


Are you going to notice and reinspect every invisible OTA update?

It's a perfectly valid concern when you install a plugin. We just don't care because most people are trustworthy.

But for example there's a market for selling your browser addon to someone that wants to do this.


You're basically arguing that open source isn't really open because you don't have the time to inspect every commit...

If you build this from source, you'll have proof of any malice by the developer.


This of course assumed you installed it directly from Github as that is the code you reviewed. Otherwise, yes, that is a valid concern.


Except that if you install the add-on from the store it will auto-update with any changes (assuming they pass approval) and you likely wouldn't notice unless permissions are changed.


The addon is open source (this HN post even links to the GitHub), and the source code is very short, so it's easy to verify that it's doing only what it says. If you are extra paranoid about the addon in the Chrome store not reflecting what's in the repo, you can always install it from source.


This is wishful thinking. How confident are you that you'll spot a well planted backdoor? Hint: the more capable you are, the less confident you should be.


If you're that paranoid, it's actually not very hard to audit the code in this case. Unless you go so far as to not trust the whole stack it's running on, but in that case you should stop using your browser entirely. For a sane threat model the confidence in your own audit should be reasonably high.




Consider applying for YC's Spring batch! Applications are open till Feb 11.

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: