Yes, some people absolutely take things way too far, and often unproductively.
Like the person who was trying to disable websockets. Or the people who will shun signal, but jump directly on the flavour of the month signal clone, which might be completely backdoored.
If you dont know what you are doing, randomly turning things on and off at best does nothing, at worst makes you even more signaturable/trackable.
Its good to educate yourself on various protections, but unfortunately, it requires a lot of careful research and understanding.
One way or another, the server that hosts a resource can track who is requesting what. You as the server owner can just as easily track who is accessing what, but if you avoid using a CDN, then it limits the tracker to just yourself. The cost is that you’ll have increased traffic, and there is always the suspicion that you may have tampered with the lightbox.js file to do something malicious.
On the self include side, the instructions you linked seem pretty straightforward, so it should be possible to use it that way. What is issue your facing?
Not all android TVs are bad, but I think a lot of the cheap ones are pretty bad. Mine is horribly laggy, and will occasionally refuse to turn on unless I powercycle it.
Which Chromecast do your parents have? The ones pre-Google TV are pretty brainless to use, but I hate the new google TV ones as well.
That really doesn’t sound that easy…
Pihole has its issues, ~~but at least you dont need to setup each and every device individually. ~~ edit: I have been informed that this is not the only way.
For balance, the main issue I have with pihole is that family members can’t easily bypass it when they need to, which is inconvenient.
The major one that concerns me is who is behind them. Even if we trust that their encryption is not backdoored, there is a lot of information that can be gathered just from the frequency of messages and who they are between.
If it came out that a three letter agency was running one of these networks, it would not suprise me at all.
Essentially, yeah? Unless you calculate the OTPs by pen and paper, you have to use some kind of software, and therefore you have to trust that it is safe. Writing your own like OP is actually a very safe option, because you can trust yourself, but everyone else needs to trust OP.
Attack vectors apply to the add-on itself, it is (potentially) the shady site. OP has the potential to update the add-on later with its own malicious code. This is true of all addons, hence the trust issue.
I dont have any problem with OP advertising their addon, but potential users should be aware of the risks.
I appreciate you have put effort into this, and you have gone out of your way to make it safer, but if the extension were to become malicious at a later date, expanding permissions (and relying on users brainlessly-clicking accept) or using an exploit or sidechannel would undo any of that.
The downside of browser extensions is that they are operating within a massive codebase, and thus have a huge attack surface if they decide to become malicious.
For what its worth, I commend your efforts here, its just near impossible to trust any peice of software not backed by the reputation of an established company/developer.
With all due respect, it doesnt matter what the code is right now. This is an extension that you can update at any point in the future to replace with something malicious.
Trust is near impossible to build in todays internet.
https://www.kaspersky.com.au/blog/dangerous-chrome-extensions-87-million/32170/
Note that a plugin’s malicious functionality can evolve over time in line with its owners’ goals. And the owners themselves may change: there have been cases when malicious features appeared in a previously safe extension after its creators sold the plugin to someone else.
Every day, millions of people discuss oil changes. If an article (was it an article or an ad?) is published on oil changes on X date, it is going to coincide with a large number of unlinked conversations. Today, it was you.
Once is a coincidence, if you can prove a pattern then you should concerned.
They are literally publically claiming that they have a zero day (or at least a zero day level capability). Google/Apple would be all over it trying to fix it. Cyber security researchers would be all over it as well.
NSA can get away with using 0 days for years because they keep quiet about them, and dont use them frivilously.
Almost every OS nowadays has some form of microphone detection right? So if this was on, you would be aware of it? And to jump ahead, even google is incentivised to prevent this company listening in, as they are direct competitor.
I wonder if this company is just trying to fleece advertisers with a made up tech? The “Claim your exclusive territory before your competitor” feels like the high pressure tactics that other scams use?
I might go disable the microphone in my TV remote anyway :/
There was a “quantum safe” encryption scheme proposed that had a non-quantum vulnerability found in it. Perhaps they are hedging against that occuring again? The scheme was rejected in the end so didnt matter to much.
I have no issue with tinkering, my issue is more when tinkering gets turned around into advice.
I think I would be happier if these communities/subreddits were a bit more explicit about “We are amateurs, for actual advice, go to X, Y, Z”.