Ask HN: Would you trust a new browser security extension in 2025?

3 points by linklock a day ago

7 comments

View on Hacker News

I'm considering building a privacy-first browser security extension and want to validate the idea with HN's community before committing months to it.

The hypothesis: Current browser security is fragmented. You need multiple extensions (uBlock, Privacy Badger, HTTPS Everywhere) plus something for phishing protection. Most all-in-one options are bloated (Norton, Avira) or have privacy concerns.

What I'm considering: - Zero data collection (no accounts, no telemetry) - Open-source (MIT license) - Phishing detection (local + Safe Browsing API) - HTTPS enforcement - Cookie auto-delete - Pop-up blocking

Questions for HN:

1. Is there actually a gap here? Or is the current extension ecosystem already perfect?

2. What would make you trust a NEW security extension in 2025? Open source alone doesn't seem sufficient - there are sketchy OS extensions too.

3. Would you ever pay for browser security ($3-5/month)? Or should everything be donation-supported?

4. Is Manifest V3's limitations (30k rules, webRequest restrictions) a dealbreaker even for security-focused extensions?

I put together a survey to gather structured feedback: https://forms.gle/CrxiWDFM23wvHT7g9

But honestly more interested in the discussion here. Talk me out of this if it's a bad idea.

canhdien_15 3 hours ago

If you’ve already chosen your path, why come here asking for permission? Is it a lack of confidence, or are you waiting for a miracle? Don’t turn yourself into the man in the fable who carried his donkey just because others told him to. It’s your idea. If you think it’s a waste, then stop. Everything worth doing requires risk. If you’re looking for a 100% guarantee, go back to sleep.

Reply View 0 replies
ghostwords a day ago

>You need multiple extensions

(I develop Privacy Badger.) There are significant benefits to adding PB or uBO to a browser that doesn't already ship with a real built-in ad blocker. While PB and uBO work well together and you may want to use both for various reasons, I wouldn't say you need both. Either one is enough by itself for most people.

>HTTPS Everywhere

HTTPS Everywhere has been deprecated and eventually removed from extension stores a few years ago: https://www.eff.org/deeplinks/2021/09/https-actually-everywh...

>Phishing detection

Why isn't what's built into browsers enough?

>Cookie auto-delete

Why bother when blocking trackers and ads?

>Pop-up blocking

Is that the same as the various "annoyances" ad blocker lists?

Reply View 2 replies
  • linklock 19 hours ago

    First off, thank you for everything you do with Privacy Badger—it's been a staple in my browser for years. I really appreciate you taking the time to poke holes in this.

    You’re absolutely right about HTTPS Everywhere; that was a oversight in my initial write-up. Since it's now integrated into the major browsers, that’s one less 'fragment' to worry about.

    To answer your questions on the 'why' behind the other features:

    Phishing detection: The main gap I see with built-in Safe Browsing is the telemetry. Most users don't realize that 'Enhanced Protection' often means sending URLs/metadata back to a central server. I’m exploring a local-first approach (using bloom filters or highly optimized local sets) to keep that check entirely on-device.

    Cookie auto-delete: While Total Cookie Protection (Firefox) is great, many browsers still only clear data 'on exit.' For users who keep their browser open for weeks, I see value in 'active' cleaning (e.g., clearing site data 15 minutes after a tab is closed) to minimize the session-tracking window.

    The 'All-in-one' goal: My hypothesis is actually driven by the fingerprinting concern you've likely seen discussed. Using uBO + PB + a cookie manager creates a very unique extension fingerprint. I'm wondering if a single, consolidated open-source tool could actually help a user 'blend in' better than a stack of three different ones.

    I’m still in the 'talking myself out of it' phase, so this technical pushback is exactly what I was hoping for. Thank you again ghostwords!

    Reply View 1 reply
    • ghostwords 18 hours ago

      With my cookie question I meant, what's the point of managing cookies if you already do a good job of blocking trackers?

      Re fingerprint, similar question: why does this matter if you do a good job of blocking common trackers that perform fingerprinting?

      Reply View 0 replies
JohnFen 19 hours ago

> What would make you trust a NEW security extension in 2025?

Time. I wouldn't trust it while it's new. I'd develop trust in it over time as I've observed the results of other people using and examining it.

> Would you ever pay for browser security ($3-5/month)?

I don't rent software, so I wouldn't pay a recurring fee. A one-time fee isn't out of the question, though.

> Is Manifest V3's limitations (30k rules, webRequest restrictions) a dealbreaker even for security-focused extensions?

Pretty much, in that I wouldn't be using a browser with that limitation in the first place.

Reply View 1 reply
  • linklock 19 hours ago

    "Thanks for the honest feedback—this is exactly the kind of 'cold water' I need to make sure I’m not building in a bubble.

    On the trust point: You’re 100% right. Trust is the one thing you can’t 'feature-complete' your way into. My goal is to use things like reproducible builds and eventually a third-party audit to bridge that gap, but I recognize that for many, there is no substitute for a proven track record over years.

    Regarding subscriptions: I hear you. The 'subscription fatigue' is real, especially for utilities. I’m strongly considering a 'pay-once' model or a 'donation-supported' version for individuals to avoid that 'software rental' feeling.

    And on Manifest V3: I share your frustration. It’s a major reason why I’m prioritizing a Firefox-first (and potentially a Brave-optimized) version where those restrictions aren't as crippling as they are in the standard Chrome implementation.

    I really appreciate you taking the time to share these perspectives—it helps me refine the roadmap before I write too much code."

    Reply View 0 replies
hulitu 4 hours ago

> I'm considering building a privacy-first browser security extension

> What I'm considering: - Zero data collection

...

> Phishing detection (local + Safe Browsing API)

Please, find the contradiction

Reply View 0 replies