I’m a fan of FOSS and reasonable privacy with data. I also often look for and install software on my computers for random tasks as they come up. Today, when I was looking to install an extension to Firefox called Wikipedia-EN that helps me search Wikipedia by highlighting a word, the Mozilla page for the extension states:

This add-on is not actively monitored for security by Mozilla. Make sure you trust it before installing.

As someone that is not educated in programming or perpetually current on tech news, what can I do to assess the safety of this and other software? Is there a site that transparently evaluates software and publishes its findings?

  • darkstar@sh.itjust.works
    link
    fedilink
    English
    arrow-up
    0
    ·
    1 month ago

    As a techie, I would say rather stay away from browser extensions. A lot of them do add great functionality but browser extensions are much more difficult to verify and it’s a lot easier for them to be malicious without you knowing

  • morgunkorn@discuss.tchncs.de
    link
    fedilink
    English
    arrow-up
    0
    ·
    2 months ago

    Mostly if you find an attached GitHub repository to the software, you can have a bit more trust in it than otherwise, it means that the developer is putting their cards on the table and not trying to hide something nefarious. Of course there are caveats to this but it’s a good start.

    • Hjalmar@feddit.nu
      link
      fedilink
      arrow-up
      0
      ·
      2 months ago

      Also, check the number of contributors to a project. All of those people do (probably) trust the project and have also (probably) read at least parts of the source code for it

  • marcos@lemmy.world
    link
    fedilink
    arrow-up
    0
    ·
    2 months ago

    As a techie, I can say that’s a hot research area. There isn’t much useful stuff in it.

    Is there a site that transparently evaluates software and publishes its findings?

    Well, you just found the Mozilla one. It has told you their findings.

  • hisao@ani.social
    link
    fedilink
    English
    arrow-up
    0
    ·
    edit-2
    2 months ago

    Not much you can do other than researching the current consensus. And for the latter you can try to search discussions about its safety. Good query to start with is “is programname malware/spyware”.

  • neidu2@feddit.nl
    link
    fedilink
    arrow-up
    0
    ·
    2 months ago

    Running any software is inherently unsafe. It’s basically the computer equivalent of eating something given to by a stranger, and you just have to trust them that it’s good for you.

    But we do it anyway, simply because we have to not all of us are software devs with unlimited time on our hands.

    It basically comes down to whether you trust the origin or not, as well as check the reviews/comments to gauge the reception of other users. If something fishy is going on, word spreads relatively fast.

    Tip: While no means foolproof, if the software in question has a github report, it adds a layer of trust, because that means anyone can review the source.

  • SpacePirate@lemmy.ml
    link
    fedilink
    arrow-up
    0
    ·
    2 months ago

    Even as a power user… You can’t.

    And, in the 21st century, nothing on your computer is safe and private, least of all, browser extensions.

    Even if an extension is safe today, with a tiny handful of notable exceptions, it will be”monetized”, or bought and sold to someone that will use it to install adware on your system, train their AI model, or steal your personal information.

    There is no feasible defense to this for a layperson, other than absolute transparency in FOSS, and even that is under attack via flaws in the software supply chain.

    The best a layperson can hope for is that major vendors care more about exclusivity and locking others out of their ecosystem, such that they are the only ones who have full control of your data (Apple, Google, Microsoft).

  • Skull giver@popplesburger.hilciferous.nl
    link
    fedilink
    arrow-up
    0
    ·
    edit-2
    2 months ago

    A lot of it comes down to trust. Scan downloads with antivirus. Decide how much you trust everything else. Err on the side of caution if you’re unsure.

    In your example, the software you’re using seems fine to me. A simple addon with limited scope that hasn’t been updated in years, but has some good reviews.

    That said, you don’t need this addon; go to your favourite Wikipedia front page, right click the search bar, and click “add keyword for this search”. If you enter keyword “wen”, you can search English Wikipedia by typing “wen <something>” in the search bar. Works for other websites too

    Github releases can contain completely different code than the source code on there. Don’t trust them blindly like others might suggest. It’d be trivial for someone with bad intent to release FOSS software and include a virus. It happened to an important Linux tool not that long ago. Most code on Github is fine and most software is just out there to help you, but it’s good to he careful.

    My personal process involves checking for things like “how many downloads does this have” and in the case of addons and apps “how many permissions does this ask”. Addon with a dozen downloads to change your Facebook theme that wants access to your entire browsing history? No thanks!

    The biggest differentiator between virus and safe in my experience is “how legal is the thing I’m downloading”. Viruses, cracks, keygens, pay wall bypasses, that sort of stuff is full of bad shit, because whether or not there’s a virus in there, your antivirus will go off anyway and you’d assume it to be a false positive.

    There are steps you can take to protect your computer, but generally “keep antivirus on”, “don’t pirate stuff”, and “when in doubt, click no” are generally good enough.

    There’s a cool trick recent pro/education versions of Windows have where you can create an entirely temporary copy of Windows by simply right clicking an executable and clicking “run in sandbox” or something like that. This is great for trying out small programs that you don’t 100% trust but seem fine at a glance. Doesn’t work well for games, isn’t 100% bullet proof, but it’s an easy way to prevent unexpected infections. The only downside is that you need to get a Windows pro/education key somewhere (though those are not hard to come by). Really wish Microsoft would roll that out to home users.

  • otp@sh.itjust.works
    link
    fedilink
    arrow-up
    0
    ·
    2 months ago

    If you have some sort of decent antivirus/antimalware like Malwarebytes, that would work for standalone applications to an extent.

    Browser extensions are a lot harder to check.

    Always make sure you get the RIGHT extension from the PROPER SOURCE. Same with most downloads and app store stuff on your mobile devices, but at least with executables, you can additionally run virus scans for some peace of mind.

    Some tips…

    • Always make sure you’re accessing the extension’s download/install page from a trusted source.
    • Check reviews AND READ THEM. Make sure they don’t look suspicious/bot-generated.
    • Consider what permissions you’re giving the extension. Your browser has a lot of personal and sensitive information… including the “keys” to a lot of your accounts. Basically any website that you don’t need to sign into every time you access it? That “key” is stored in your browser.

    I believe you can generally trust what permissions an extension or app needs (since the browser/device knows which permission an extension/app uses, and locks them away otherwise), but be wary of the implications of some of them (such as data from other websites, or accessibility features).