Comment by Lockal
5 hours ago
There are dozens of Chrome extensions that translate (read: submit to an untrusted server) on hover / highlight / context menu / textarea edit / etc. It is implied that the user acknowledges this functionality and accepts the risk. This includes the untrusted server (because that's how they proxy requests to Google/Bing/Yandex Translate without exposing API keys).
Security illiteracy? Yes. Malicious intent? Probably no.
Does being security illiterate equal malicious? Debatable.
No reasonable person expects privacy when using Google and/or Google provided products / software.
When you use Debian, you have a reasonable expectation of privacy.
People who handwave that away or say it's not as bad as something else either have an agenda or are ignorant about the history of Debian.
Not sure if I would call it malicious but I would call it gross negligence.
A moderately popular Chrome extension is frequently bought for tens of thousands of dollars for various purposes, frequently malware injection. They contact extension makers.
I think the bar for trust in terms of evil intent is on the floor.
>Security illiteracy? Yes.
Security illiteracy is admitting you were wrong and changing it when somebody points it out.
>Malicious intent? Probably no.
Are you graciously making excuses for malicious intent without considering all the facts? Probably yes.
>Does being security illiterate equal malicious? Debatable.
Refusal to admit there is a problem and fix it, or carrying the water for people who refuse to admit they made a mistake, is deliberate maliciousness, not security illiteracy. Not debatable.
Illiterate is "inability to read and write" by definition. I know people who submitted bug reports requesting: "hi, I want to use your API, please add wildcard origin header", and after getting an explanation they propose "ok, JUST add my domain, I'm an opensource contributor, trust me". They ask to remove security features, recognizing them as security features, but only caring about their convenience (like "don't enforce 2fa", "don't warn about untrusted links"). They don't know about defense in depth, and even if you explain it to them, they will skip your explanation, because they can't read.
The fix is to remove the package…
And to scan all of the other packages for phoning home without very explicitly informing the user about it and kicking them out if they don't.