Secure Browser Chrome Extensions

[katycomputersystems 1]

Thankfully, I find LastPass is loaded with the Secure version of Chrome, other extensions are not.

Is a list of acceptable extensions documented somewhere? Can this list be edited.

For example, what if I have a client using Bitwarden and we find out, it's not on the list of acceptable extensions. What to do?

[Marcos 5,070]

2 minutes ago, katycomputersystems said:

For example, what if I have a client using Bitwarden and we find out, it's not on the list of acceptable extensions. What to do?

You can report it through your local ESET support. However, if the password manager is not commonly used by ESET users it won't be added since each trusted extension creates additional costs due to updates of the extension.

[katycomputersystems 1]

How do we get a list of trusted extensions?

[Marcos 5,070]

6 minutes ago, katycomputersystems said:

How do we get a list of trusted extensions?

There is no such public list.

[itman 1,659]

Fortinet has a blog article on the state of Chrome and FireFox extension here: https://www.fortinet.com/blog/threat-research/browser-extensions-a-new-threat . Although a bit dated, the article sums up that extension vetting is pretty much left to the browser developer. Current published articles on Google periodically pulling en mass extensions from its Store due to malicious status is de facto proof it does not perform an adequate job in its vetting process.

Bottom line is extension use should be closely controlled in any commercial environment.

[itman 1,659]

I will add that Firefox does have a recommended list of browser extensions here: https://addons.mozilla.org/firefox/search/?recommended=true&type=extension

Quote

Recommended extensions differ from other extensions that are regularly reviewed by Firefox staff in that they are curated extensions that meet the highest standards of security, functionality, and user experience. Firefox staff thoroughly evaluate each extension before it receives Recommended status.

 

[katycomputersystems 1]

itman, you points are well-taken, however the day is going to come when a client wants to use their password manager to log into their bank and for whatever reason hates LastPass (actually there are a few reasons to hate LastPass starting with the PE firm holding title to the code) they will then say John what extension can I use. I will not have an answer. It seems like a silly eset position to take.

[Marcos 5,070]

If it was possible to allow any extension in the secure browser then it would not be secure anymore. If there are enough users who use a particular password manager extension, it shouldn't be a problem to add it. Therefore I'd recommend reporting it as a whish through your local ESET distributor. The more people request it, the higher chances it could be added.

[katycomputersystems 1]

We purchase directly from eset.

I see Bitwarden is one of the accepted password managers, Bitwarden is the password manager we recommend when clients don't want to use LastPass.

I completely agree and applaud the blocking of extensions in secure browser. It is the lack of documentation that causes heart-burn.