How to check that an add-on doesn't spy on you ?

loaExMachina@sh.itjust.works to Firefox@lemmy.ml – 54 points –

Many add-ons have somewhat spookiy authorisation requirements, such as "access all of your activity". In many cases this is justified by it's function, and of course there isn't any problem with it as long as we're sure all this data stays on your computer and isn't shared with any remote server. How are we sure of that tho? Is there an easy way to check for each add-on ?

12

Packet sniffer? Like wireshark maybe?

But wouldn't that just tell you, "Firefox was connecting to the internet"?

Nope, it'd give details. Combing through and decrypting those details is another matter, though.

No, it would say which packet is being sent to which destination.

Easiest way is to use packet sniffing. but they could be set-up to only send data at random intervals, which could be hours, days or weeks. so you're best bet is go through the source code by extracting the extension file and look for any links, domains or mangled code which may be encoded with something malicious.

I think it's "access your data" permissions that are the ones to be wary of, due to the explanation here. Defending against this, I'm not really sure. Someone who knows more should chime in, but maybe a software firewall like Little Snitch/OpenSnitch that will let you approve/deny every connection. (This will probably get fatiguing fast.)

As a longtime Little Snitch user, it's freakin exhausting.

I thought little snitch worked per app and not for each connection one app makes

You can make rules network-wide, per-app, or per-incident. The latter is useful for getting a handle on app behavior. Like if you see it contacting 'updates.somedev.com' weekly, you can choose to allow or disallow permanently based on how benign you think the app is. But more likely, anything trying to phone home has a dozen CDNs it's trying to hit rather than an easily identifiable URL. Block one, it tries to hit the other. Maybe today, maybe next week. It gets overwhelming (which IMO is a feature for the dev, not a bug).