Extensions are little helper programs that make life on the Internet a tad more comfortable for the user. Some change the way we access information on the Internet, others add extra features and functionality to a website, and others help you stay safe and secure online. Most Internet users who use extensions never bother to look at the extension’s source code to verify that it is only doing what it is supposed to do, and nothing else.
The official extension repositories verify extensions before they are made available for public download. And while that often works well, we have seen extensions slip through that verification process in the past.
This guide looks at one way that ordinary Internet users can verify that their extensions are not phoning home. Phoning home in this context means communicating with sites that they should not communicate with in the first place.
Here is what we need: Fiddler, a web debugger that you need to install on your system. Please note that Fiddler is only available for the Windows operating system, and that it requires the Microsoft .NET Framework.
Once you have installed Fiddler, start it up. You see all HTTP connections that your system makes in the left column. Listed here are the return code, the requested host and URL on the host, and the process responsible for making that connection.
I suggest you close down all applications besides the web browser that you want to check up on. For new extensions that you are not sure about, you may want to consider creating a blank profile containing no user-related data. I also suggest starting with a blank browser, that is, a browser with no open websites. This ensures that you won’t get overwhelmed by dozens or even hundreds of initial connections the browser makes on startup.
Wait a few seconds and you should see that the list is being populated by all connections the browser makes shortly after it has been launched. In the example below, you can see that the browser connects to the pinterest.com website, which I could link to one of the installed extensions quite easily.
It can happen that you do not know which extension is trying to connect to the host. If that is the case, disable all browser extensions but one and check if it is responsible for making the connections. Repeat the process until you find the responsible extension.
A few things need to be considered at this point. You first need to find out if the connection that is being made is legit or not. Since you see the host name the connection is made to, checking up on that host name is a good start. One place to do that is the URL verification module of VirusTotal. Just enter the host name in there and see what the connected scan engines return.
You can naturally check other services as well, Web of Trust for instance, or run a search for the host name in your favorite search engine.
The second thing you may want to consider is that some extensions may not make a connection when the browser starts. You may want to browse to a few sites and use the browser for some time to see if any of the installed extensions make connections some time after the browser has been started.
Fiddler can also be helpful for other purposes. The Pinterest extension that made the initial connection to the site during browser start? It kept trying to connect to the site every five seconds from then on, which means it was using system resources.
This may look like overkill to users who analyze the source code of extensions instead. And that is true, but it may also be the only way to find out for users who cannot analyze the code directly. It might pay off though to check if your browser is making connections to sites that you did not request.
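The review described above (which hosts an idle browser contacts, and whether any of them is contacted at a fixed interval like the five-second case) can also be done offline on a saved capture. The following is an added example, not part of the original guide; it assumes the captured sessions were exported as an HTTP Archive (HAR) file, and the `summarize` function, the allowlist and all host names are constructed for illustration.

```python
import json
from collections import defaultdict
from datetime import datetime
from statistics import median
from urllib.parse import urlsplit

# Constructed sample in HAR 1.2 layout (log.entries[].startedDateTime, request.url).
# Host names are placeholders, not taken from a real capture.
SAMPLE_HAR = json.dumps({"log": {"entries": [
    {"startedDateTime": f"2024-01-01T10:00:{s:02d}.000+00:00",
     "request": {"url": "https://tracker.example/ping"}}
    for s in range(0, 30, 5)
] + [
    {"startedDateTime": "2024-01-01T10:00:01.000+00:00",
     "request": {"url": "https://update.browser.example/check"}},
    {"startedDateTime": "2024-01-01T10:00:02.000+00:00",
     "request": {"url": "https://cdn.example/a.js"}},
    {"startedDateTime": "2024-01-01T10:00:19.000+00:00",
     "request": {"url": "https://cdn.example/b.js"}},
]}})


def summarize(har_text, expected_hosts, min_hits=4, jitter=0.2):
    """Group requests by host; flag unexpected hosts and periodic contact."""
    times = defaultdict(list)
    for entry in json.loads(har_text)["log"]["entries"]:
        host = urlsplit(entry["request"]["url"]).hostname
        if host:
            # Python 3.11+ accepts more ISO 8601 variants (e.g. a trailing "Z").
            times[host].append(datetime.fromisoformat(entry["startedDateTime"]))
    report = {}
    for host, stamps in times.items():
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        period = None
        if len(stamps) >= min_hits:
            mid = median(gaps)
            # Periodic if every gap is within +/- jitter of the median gap.
            if mid > 0 and all(abs(g - mid) <= jitter * mid for g in gaps):
                period = mid
        report[host] = {"requests": len(stamps),
                        "unexpected": host not in expected_hosts,
                        "period_seconds": period}
    return report


if __name__ == "__main__":
    for host, info in summarize(SAMPLE_HAR, {"update.browser.example"}).items():
        print(host, info)
```

A host that is both unexpected and periodic is the first candidate for the disable-all-but-one test and a host name lookup.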