Is turning off a browser extension just as secure as uninstalling it? I’m specifically thinking about ad blockers because they can read and change anything. As a result, I prefer to turn off my ad blocker when doing something sensitive like entering passwords. So, does off really mean completely off? Does it vary by browser?
If you are using Firefox, you could create a separate profile for sensitive browsing and don't install the adblocker in that profile. Do sensitive browsing using that profile in a fresh browsing session, closing the browser immediately after you finish. I use only one profile for all my browsing but I don't mix regular and sensitive browsing. Whenever I do sensitive browsing, I open a fresh browsing session of Firefox, go straight to the site where I am going to write a password, etc., and immediately after I finish, I close the browser. I do it sandboxed so everything deletes and I trust 100% the 2 extensions I use. If I didn't completely trust an extension, I wouldn't use it. Bo
Thanks. I do trust the extensions that I use. But things happen. No software is perfect. That’s why I thought I would lock things down if possible. So, returning to my original question. Does off really mean completely off when an extension is disabled? Suppose, for the sake of discussion, that an extension was somehow compromised through no fault of the author, could it do something if it was turned off?
It is! This is mandatory to work! Rubbish when speaking about trusted solutions like uBlock (origin), Adblock Plus, Adguard and some more. The source code is open, extensions can be analysed. In fact you should watch about the current site where you enter your personal data. Again: no! What you don't have in mind - web sites could be compromised, some ad+script blocker could prevent such abuse. Either https or not. Disabling a blocker is lowering security concerning bad content in no good way. If you disable blockers because site won't work - you'd better ask for a valid configuration.
Some extensions provide their own on/off switch and voluntarily stop performing their actions when asked to do so. That, obviously, couldn't be trusted in a rogue extension scenario. Some browsers provide their own mechanism to disable individual extensions that have been installed. Such a feature *should* fully, immediately, reliably, disable the extension so that none of its functionality will be operable until it is enabled again. Given that specific browser versions may have quirks or bugs, it would be wise to run some tests of your own. You could also review the related source code if you are up to it. Warnings. One, a proper "ad-blocker" is a security/privacy protection tool. Running without one installed and enabled, even for a brief period, can put you at risk. Two, temporarily disabling an extension during the password entry and submission phase *might* be of some benefit in a rogue extension scenario. However, there are likely to be a number of other ways/times such an extension could do you harm. Rather than assume you will encounter a harmful extension and try to reduce your exposure to that through temporary disabling or uninstalling, have you considered what you might do to reduce the chances of encountering such an extension in the first place?