"I have no idea how to make it safer": Security and Privacy Mindsets of Browser Extension Developers (god2025)

Chaos Computer Club - recent audio-only feed

Contenu fourni par CCC media team. Tout le contenu du podcast, y compris les épisodes, les graphiques et les descriptions de podcast, est téléchargé et fourni directement par CCC media team ou son partenaire de plateforme de podcast. Si vous pensez que quelqu'un utilise votre œuvre protégée sans votre autorisation, vous pouvez suivre le processus décrit ici https://fr.player.fm/legal.

16d ago 24:42

MP3•Maison d'episode

Browser extensions are a powerful part of the Web ecosystem as they extend browser functionality and let users personalize their online experience. But with higher privileges than regular web apps, extensions bring unique security and privacy risks. Much like web applications, vulnerabilities often creep in, not just through poor implementation, but also through gaps in developer awareness and ecosystem support. In this talk, we share insights from a recent study in which we interviewed and observed 21 extension developers across the world [1] as they worked on security and privacy-related tasks that we designed based on our prior works and observations [2, 3]. Their live decision-making revealed common misconceptions, unexpected pain points, and ecosystemic obstacles in the extension development lifecycle. Extending beyond our published results, we plan to highlight some of the untold anecdotes, insecure development practices, their threat perception, the design-level challenges, as well as the misconceptions around them. The audience will take away the following items from the presentation/discussion: Common insecure practices in extension development. Why security ≠ privacy ≠ store compliance, as often perceived by extension developers! Hidden design gaps and loopholes in extension architecture that developers can't spot or comprehend. Anecdotes on the course of extension development in the era of LLMs. Developers, regulations (GDPR/CCPA/CRA), and a few “interesting” opinions. And, most importantly, why you should NOT give up on them just yet! :) References: [1] Agarwal, Shubham, et al. “I have no idea how to make it safer”: Studying Security and Privacy Mindsets of Browser Extension Developers. Proceedings of the 34th USENIX Security Symposium 2025. [2] Agarwal, Shubham, Aurore Fass, and Ben Stock. Peeking through the window: Fingerprinting Browser Extensions through Page-Visible Execution Traces and Interactions. Proceedings of the 31st ACM SIGSAC Conference on Computer and Communications Security. 2024. [3] Agarwal, Shubham. Helping or hindering? How browser extensions undermine security. Proceedings of the 2022 ACM SIGSAC Conference on Computer and Communications Security. 2022. Licensed to the public under https://creativecommons.org/licenses/by-sa/4.0/ about this event: https://c3voc.de

2408 episodes

#CCC media team #Ccc Congress Hacking Security Netzpolitik #Sicherheit #Technologie #Software-Entwicklung