Many popular software products have frameworks that allow users to extend and customize the application using plugins or add-ons. Examples include Firefox, WordPress and Google Chrome. In fact, even nerd software like irssi allows users to use plugins. Plugins help with productivity and make the software fun to use. However, plugins can also introduce risk to users. Sometimes, these issues are very overt. For example, malware was recently discovered in a Firefox add-on (I was impressed with how this was addressed though). Other times, the issues may be more subtle: perhaps the plugin could introduce a new vulnerability that, with a little research, could be exploited.
I thought I’d share some things that I keep in mind when it comes to deciding if a plugin is safe to install:
- Search the web to see if there is any mention of security issues with the plugin you’re considering. This is a quick way to make a decision about whether you should continue considering installing that plugin.
- Sometimes I peek at the plugin’s source code if it’s available, or I ask the security folks I work with if they’ve ever audited it. I trust these people. If they say a plugin is bad news, I stay away from it. But I realize that consulting with a security expert isn’t an option for all of us. (Mainly because people in the security community have trouble making friends on the outside.)
- Don’t use plugins if they’re not needed. Seriously, if you don’t need it, don’t install it. Along these lines, uninstall the plugin if you no longer need it. Minimalism is stylish even when it comes to software.
- Use plugins that have a large user base. This increases the chances that the plugin undergoes scrutiny, which improves the quality of the plugin.
- Use plugins that have a history of patching security issues. This demonstrates that the plugin authors take security seriously. Likewise, install plugin updates that address security issues. You may think “Wait a moment! If security patches exist then that means security issues exist. I thought the whole point was to help users avoid plugins with security issues?” Well, in my world, the assumption (and experience has shown that it is a reasonable assumption) is that all software has security vulnerabilities. Software authors that take the time to patch these vulnerabilities demonstrate that they understand this and have decided that improving the security of their product is worthwhile.
- Pay attention to user agreements and licenses that accompany plugins. In particular, pay attention to what these documents state about your privacy. If anything raises an eyebrow then investigate further.
- Be wary of plugins that ask for your data. Password managers in particular worry me. How do I know what happens to my passwords after I enter them into a password management tool? Please don’t misunderstand: I advocate using a good and reputable password manager, but there are many password managers available that I’ve never heard of.
- Use plugins to which reputable authors have contributed. Often, individuals or businesses that maintain plugins have a blog or mailing list used to disseminate information. I’ve found that you can use such sources to get a fairly good feel for the level of effort put into developing and maintaining the plugins.
In short, be prudent when it comes to installing plugins. The thoughts I provided above are by no means a guarantee that a plugin is secure, nor are they an exhaustive list. However, I do think that this is one overlooked area of end-user education.