389 comments

[ 5.7 ms ] story [ 272 ms ] thread
It seems auto-updating browser extensions are riskier than leaving them non-updated?
It'll be a "great" day when someone manages to do big damage with code that Google hosted and delivered to the victims... IMO it's just a matter of time.
Blindly letting anything auto-update.
I think the difference with browser extensions is the anonymity and speed of changing owners. There's more momentum to notice big companies going downhill (+- stuff like sourceforge)
...which happens all the time in the free software world, when you type `apt-get|yum|brew update`.

What are the odds of one dependency being taken over by a shady anonymous entity?

Packages in the default repos for some large Linux distro are usually reviewed and tested by many people until they make it into updates for current stable version, so while it's probably not entirely impossible for some malicious code to get in, it seems pretty unlikely. Unlike browser extensions, where the current owner can upload anything they want and it's pushed to the users without them even knowing.
How about `npm`, `pip`, `cpan`?...

We have seen bad updates breaking the entire Javascript ecosystem, but they were not intentional.

All it takes to inject a bad dependency is a burned out developer willing to delegate his free project to someone else...

It's more the chance of an unexpected breaking change. When you use a package manager, you're expecting stuff to change (and get to review what's changing).

Upgrading manually regularly: Good idea.

Having a cronjob to do it automatically without user intervention: Bad idea.

The fact that you have to manually type in `apt-get update` (or similar) means it's not automatic. You have full control over when the update takes place, and which packages get updated.
I don't think the question is about control but rather whether automatic updates, when intentionally activated by the user, contribute more positively to the system's security than negatively.

Without automatic updates, you might be more inclined to put off a patch which turns out to be urgent. Or you might be more likely to lose track of which patches have been applied across your various systems.

When discussing software updates, I feel like folks on HN commonly overestimate how much impact opportunity for controlling updates has. I haven't seen someone in my social/professional circles ever hesitate before applying an apt-get update. Nobody I've known checks changelogs (except developers checking on direct dependencies), nobody reads the patches for the updates to verify nothing malicious slipped in. "There's an update, I'd better apply it, unless it smells like a breaking change."

So in practical terms, my experience is that vanishingly few people will behave differently than an auto-update system would behave, except in rare occasions like a malicious update making the headlines. We definitely need a solution for rejecting malicious updates, but I feel backing away from auto updates throws the baby out with the bathwater and would be a net-negative change for the industry and for users.

There's also the occasional _necessity_ for making a breaking change, in particular _breaking some exploit_ and thereby making the software more secure.

I don't envy Chrome leadership's decision or having that problem to solve.

There are exceptions but I think that’s true in the same way people tell their doctor they eat well, exercise daily, and go to sleep on time every night — aspirational, almost certainly discounting the times it doesn’t happen as exceptions and ignoring the actual frequency. The most I’ve seen people consistently do is delay a little in case an update is pulled, and statistically nobody does the kind of analysis that you’d need to catch an unadvertised change.
Auto-update is a mixed bag. We got into auto-update as a standard practice over the last decade because a large fraction of users never updated anything, so security issues would linger forever (not to mention ancient software versions holding back platform technologies, and financial concerns for software shops).

So it's not that auto-update is flatly a bad idea, it's more that it's a trade-off that sometimes makes security issues almost evaporate, and sometimes makes them impossible to dodge.

I recently had to install Certbot on a CentOS 8 server and discovered that the Certbot documentation recommeds using Snap (for almost every popular GNU/Linux release). They have their reasons[1]. I figured it was time to investigate using Snap and the benefits it could provide.

While researching, I found many users reporting that forced updates of software installed by Snap caused many problems and I decided against using it; I was able to install Certbot via a good old-fashioned RPM from EPEL.

I also removed Snap from a different Ubuntu server which had recently been upgraded to 20.04 (I wasn't using LXD on that server so there was no need for it).

1. https://community.letsencrypt.org/t/how-to-install-certbot-w...

FWIW, I've been allowing Apt and Yum package managers to automatically update for about 8 years without any problems. The only manual OS updating I do is for a set of physical (non-virtual) servers that are operational 24/7.

This is really Google's fault. They make it impossible to turn off automatic updates for Chrome extensions from their store. That would be kind-of-ok if they actually had a rigorous approval process. But they don't. The Chrome Web Store has become one of the prime Vectors for malware. The only way to be safe is to exclusively download releases from the extensions github repo and to manually install them.
The fact that Google has not addressed this gaping security hole in Chrome is borderline criminal.
You can do better to voice your displeasure by not stretching credulity.
It's hyperbole. Welcome to the Internet.
In general, taking control away from users sets up all kind of bad incentives. For example, automatic updates with no way to downgrade save vendors from having to compete with their own older versions. This means regressions in functionality or design can be pushed out with little recourse for users other than complaining online. This is compounded by ecosystem lock-in and lack of data portability. The software industry as a whole is heading towards treating users more and more paternalistically.
Conversely, before automatic updates web developers were stuck supporting Internet Explorer for the best part of twenty years. Many of the people using it had neither reason or knowledge to update it, and it became the reason my parent's computers got riddled with malware.

There's a sensible middle ground here. Take the paternalistic approach that (generally) protects people like my mum. Add settings that allow people like you and me to turn off updates or roll backwards. Push the people controlling the updates (like the Chrome store) to better protect their users.

Despite automatic updates, web developers are still stuck with Safari, IE, old android browsers and old edge. Automation doesn't help with bugs and functionality if there are just no updates to be installed that fix bugs and bring new functionality.
Internet Explorer was only replaced by automatic updates after its usage felt enough that sites stopped supporting it.
Users need to be motivated to upgrade. If their current software works sufficiently on the sites they care about, then they have no need to upgrade. If the sites themselves are enabling this behavior, by bending over backwards to work on with old browsers, then they are part of the “problem”.

I don’t like automatic updates and generally keep them disabled. Software upgrades tend to reduce functionality and instead force unnecessary UX redesigns on users, so I’d rather avoid them. I wish developers had the [EDIT: incentive] to release security patches independently from functionality changes, but few do that anymore, sadly.

>I wish developers had the competence to release security patches independently from functionality changes, but few do that anymore, sadly.

You do realize it's not competence developers are lacking, it's resources that are finite, do you?

It's been an age since I've worked in an agency, but back in the IE era, at least once a month a dev would ask to use a 'modern feature'. Something to support some a new piece of design from the design team, or save hours or days of dev, or remove the need for hacky 'fixes' that could be done cleanly with modern browser support.

So off to analytics they would go. "X thousand users are using IE8. We're converting at X%. Removing support for IE8 just means these people will shop elsewhere and we'll lose X thousand pounds a month. You need to support IE8."

Believe me, I wish it was as simple as saying developers are "part of the problem," because it would be an easy fix. But try selling that (without a huuuuge struggle!) to the person who holds the purse strings.

Sadly the new features usually only came on new sites. It's much easier to push it through when you're not cutting off an existing income stream.

>Conversely, before automatic updates web developers were stuck supporting Internet Explorer for the best part of twenty years. Many of the people using it had neither reason or knowledge to update it, and it became the reason my parent's computers got riddled with malware.

The failure is not that of Internet Explorer, but rather the OS in which it runs, which has a faulty security model. No operating system should trust executables with everything by default.

It wasn’t faulty at the time since people were more concerned about protecting computers from users than protecting users from applications.

We all seem to forget that computing has changed drastically in the last decade.

I would say that "protecting users from applications" (or at least, external attackers) has been commonplace for maybe even two decades now, ever since major malware 'plagues' of the early 2000's (pre-SP2 Windows XP) like Blaster or Sasser.

That said, in that era it was often assumed (more so than now) that software the user installed himself is trusted.

The major problem with internet explorer was that it was impossible to update without updating windows which costs money so most people and organizations didn't do it.
On the other hand users are generally pretty poor at managing software themselves and as long as it works they'll happily and probably ignorantly run something that is not secure already and needs an update.
That would cover users who are poor at managing software. Being able to turn them off would require someone to be good at managing software. Why remove control from those users?
I want to think that folks who would chose that option would be responsible, but the amount I hear from other developers who defer updates on Windows 10 to the maximum (1 year...) and still are upset when they have to reboot makes me think that even experienced users present a risk.
I don't want to be saying that we should remove control, but I actually do think it's reasonable to. Even on a single-user device, security issues are not isolated. An infected machine will likely be used for things like spam and DDOS.

If you make something available for people to toggle that improves their experience, people are going to take advantage of that even if they don't really grasp or decide to ignore the consequences. In the case of updates the improved experience is not being nagged or forced to restart an application or the whole OS. And unfortunately the only way to really gatekeep that control to people who know what they're doing is giving it enterprise pricing.

> users are generally pretty poor at managing software

This is an assertion which begs many questions.

Who are these users? What do you mean by "generally"? What do you mean by "poor"? What do you mean with "managing software"? Which software specifically? Why is "managing software" hard? What are specific case where this might be true? Is this statement falsifiable?

For instance, how does age, social background, education level, language, culture,... factor into the experience of "managing software"? Sure, the problem can't be software itself in it's entirety?

See, statements like these tend to break down once you start digging into the murky nuances and specificities of reality.

Moreover, accepting them at face value tends to reinforce a belief which isn't based on fact: that the users of digital technology can't manage their devices, and therefore shouldn't be confronted with managing their devices.

... which is then translated and implemented in interfaces and systems that simply lack the functionality that gives users fine grained control over what is or isn't installed.

Over a longer term, this promotes a form of "lazy thinking" in which users simply don't question what happens under the hood of their devices. Sure, people are aware of the many issues concerning privacy, personal data, security and so on. But ask them how they could make a meaningful change, and the answers will be limited to what's possible within the limitations of what the device offers.

A great example of this would be people using a post-it to cover the camera in the laptop bezel.

People don't know what happens inside their machine, they don't trust what happens on their machine, and there's no meaningful possibility to look under the hood and come to a proper understanding... so they revert to the next sensible thing they have: taping a post-it over the lens.

The post-it doesn't solve the underlying issue - a lack of understanding which was cultivated - but it does solve a particular symptom: the inability to control what that camera does.

I honestly am not at all sure what you mean by much of that.

Demographics don't change the fact that if you don't automatically update software, many users simply won't. That's bad.

... in the usual pedantry of HN your use of "poor" was interpreted to mean socio-economic, rather than... "just bad at something"...
Oh I see. That's, weird, but thanks for letting me know.
I don’t see how one could parse ”On the other hand users are generally pretty poor at managing software themselves” and assign that interpretation to “poor”.
I agree, but the user who responded to me seemed to talk about demographics as if I had meant "poor" as in not having much money.

The internet is global, sometimes I think things get lost in translation.

That's a reductionist reading of my comment.

I'm challenging your initial assertion that "people are poor at managing software". That's not enough of an explanation to support the second part of your claim:

> and as long as it works they'll happily and probably ignorantly run something that is not secure already and needs an update.

Are they poor at managing software because they are ignorantly running insecure software? Or are they ignorantly running insecure software because they are poor at managing software?

The replies so far take the entire context out of the picture and reframes the issue to "Users use their devices the 'wrong way'." and this can only be solved through technological advances.

I'm here questioning and challenging those assertions.

It really doesn't beg those questions - we have 25+ years of data backing it up. People across the board are bad about running updates. I'm guessing you missed the mid-late 90s when things like buffer overflows started to be exploited and firewalls became necessities because even the folks whose job it was to run updates of vulnerable systems with public IPs on the Internet... weren't. Then came the early 2000s and all the worms running amok because people still weren't running their updates. Then the collective web development industry screamed in pain because things like Windows XP and IE6 just would not die.

The collective Internet has been through this before and (mostly) learned its lesson. People don't run updates when it's not shoved down their throat. And it's not a small segment of people. And it hasn't changed. Look at how many hacks still happen because of servers and apps that aren't patched for known vulnerabilities. Or the prevalence of cryptojacking which is still largely based on known vulnerabilities that already have patches available - indicating it's successful enough that people keep doing it.

Most users don't question what happens under the hood of their devices because they don't care. They have other things to care about that actually mean something to them besides the nuances of the day to day maintenance of their devices. There does not exist an effective way of making people care about things like this, let alone educating the masses on how to appropriately choose which commit hash of their favorite browser extension they should really be on. How many security newsletters do you really expect the average person to be subscribed to in order to make informed decisions about these things?

Hell my "Update" notification on Chrome is red this morning and I'm at least in the top 10% of security-conscious folks in the world (it's really not a high bar).

I'm not saying automatic updates are without their problems - I'm in a thread on HN about that exact thing. But trying to claim it's somehow about sociodemographic issues and the answer is solving that and going back to selectively running updates is just ignoring the lessons of the past.

I, and everyone else I know, do not install updates to our software in a timely manner unless we actively need a feature.

Users are "I, and everyone else I know".

Generally is "unless we need a feature".

Poor is "do not install updates to our software".

Managing software is "install updates".

Software is any software we use that provides updates, which is all of it.

Managing software is hard because doing it manually would require checking the website of every piece of software you've ever downloaded at regular intervals, where regular could be as frequently as minutes for security-critical tools.

If I ever downgrade my software and lock it to a specific version, I am now managing it manually, and all of the above applies.

I honestly don't think there are unquestioned assumptions here, because the task of keeping security-critical software up to date manually is nearly impossible for any user.

I don't mind automatic updates per se as long as they're thoroughly checked and vetted. I'm not convinced Android and the Chrome web store do ANY checking / vetting. I have more trust in Apple's stores.

Vetting could be better with a lot of companies as well; remember not so long ago when Windows Defender decided a critical system file was malware and broke a ton of systems?

Verification. Vetting. Gradual release. Automatically disable extensions if they changed ownership, or if there's suspicious activity on the account of the owner (e.g. new login in another country).

And they need to take a MUCH harder stance on malware. Right now they're not even acknowledging there's a problem, let alone acting on it.

For any extension that makes any money, the solution is a deposit scheme.

"Google will withhold $1 per user of your ad revenue forever. If your extension is found to contain malware, you forfeit all the $1's. Decisions on malware'y ness shall be made by XYZ malware researchers."

Allow a developer to get back their $1 when a user uninstalls the extension, or the developer stops making the extension. Also give the developer a certificate anytime showing how many $1's you hold of theirs (they could use that to get a loan from someone willing to trust them not to distribute malware).

Not really a solution, just the minimum price a buyer would need to pay.
True. But even the most profitable malware won't want to forfeit hundreds of millions of dollars for a popular chrome extension.
(comment deleted)
>The only way to be safe is to exclusively download releases from the extensions github repo and to manually install them.

Or not use chrome

I never even patch automatic updates to my OS either (e.g. OS bigSur). I'd rather not guinea pig the latest updates and they usually don't add all that much value for chrome extension releases either, so a way to turn off automatic updates in chrome is highly desirable for me.

Download and unpacking from github is a pita, I'd need to do this to each of my computers seperately

This is a terrible security practice.

Switch to Chromium and use a package manager to stay up to date. Don't freeze updates, especially on your browser.

I work in software. I know the dangers of a day 0 exploit. I also know the dangers of an x.0 release of software.

Security is often in tension with convenience/usability (as in this case).

Concretely: I don't update to the latest MacOS day of release. I do update after a few weeks of "no significant issues reported" (or I'll update manually faster if I learn of a serious exploit). I still haven't updated to BigSur as some of the software that I rely on doesn't work on BigSur yet, so I'm on the latest patch of Catalina.

I'm not going to update to a new MacOS "named" release until it's been out for a while and probably has a patch release or two, agreed.

But I install MacOS patch releases as soon as they are offered. It has never caused me a problem I am aware of, and I don't want to miss out on security patches, or even just bugfixes and perf improvements.

Heck, I actually just upgraded a MacBook that was still on 10.12, which was EOL'd. But I upgraded it because it was EOL'd, and wasn't getting patch releases for security fixes, and I want those patch releases as soon as they are released!

You should let clients and users know that you care more about convenience than security so that they can make an informed decision about whether to trust their data with you.

I don't know what x.0 software updates you're talking about (Chrome or Mac), but my comment never mentioned any. You don't seem to know that browser vendors don't really do those like OS vendors do. Either way, you can still avoid those while gettong security updates.

In my memory, there hasn't been a breaking auto-update in Chrome in years, but there have been hundreds of 0-days. The numbers don't really work out for the tradeoff you claim to be making.

Or just add permissions and ask the user when the extension asks for new ones? e.g. permission to talk to the outside world that something like TGS shouldn't need to just do its job.
It already does. If a new release of the extension requires new permission, it gets disabled till the user gives consent.
Users never upgrading their software certainly also leads to security problems though, it's not a solution, and it is reasonable to try to set things up so this doesn't happen.
Wouldn't an easy solution be to turn auto updates on by default, and warn users that turn it off that they are opening themselves up to potential security issues, and to do so wisely?
The issue comes when an auto update regresses something that the user relied upon. As long as the automatic update has a 'downgrade' option that's tenable but most of the solutions out there make downgrading difficult.

I prefer automatic updates that are presented to the user for action, sadly feature update/release notes are often hidden or content-free (cf. Google's apps' updates on the Play Store) and downgrading path varies heavily with OS (easy on Linux, impossible on iOS).

Good point, being able to roll back to a specific release would be very handy.
Sure, that'd be one solution. I wonder how many users would end up with auto-updates off, and how many of them would actually understand the risk.

Many users are going to change configuration because some tutorial on the internet somewhere tells them to do it, without totally understanding what they are doing, and are unlikely to revisit this configuration again ever. (Heck, I have done that with some configurations I don't totally understand, and don't even remember what I did and will never revisit to change back).

But it might be a fine way to do it.

But in analysis there is a shift from "can we blame someone else [users who ignored our advice] if the ecosystem ends up very insecure", to "how do we actually keep the ecosystem secure, not just have someone to blame when it isn't?" Doing the latter while also providing for user flexibility and autonomy can be a challenge for sure.

I don't think turning automatic updates would be the right way to deal with this. See: Windows. If a piece of software becomes malware it needs to either be forked or retired completely, running unmaintained legacy versions of software is not sustainable.

I have plenty of things I want to complain about when it comes to Google's user-adversity but mandatory automatic updates is definitely not one of them.

If you're a technical user and really know (or really think that you know) what you're doing there are ways to effectively freeze a given version of an extension.

Either the second or third time it lost all my tabs was when I stopped trusting it.
And this is why we need to rethink how we do software distribution.

Package managers are nice for the lazy, but then we get stuff like this:

https://qz.com/646467/how-one-programmer-broke-the-internet-...

Actually you might be pulling a bunch of malicious updates in 2-3 modules deep in your dependency tree anytime.

As a society we should be moving away from a culture of “immediate” updates eg on Twitter etc. And go towards more “peer review” like in science. Otherwise we are putting responsibility on every individual to verify all sides of the story and get informed. They don’t and society gets more and more dicided. Imagine if a scientist tweeted at 3am and half their followers instantly believed them. Or if an open source contributor’s pull request was instantly accepted and pulled overnight by everyone. That’s why USA and other countries are now so divided politically. Individual responsibility of 100% of the downstream nodes is strange to outsource responsibility to.

I wrote about this back in 2012 predicting what would happen:

https://magarshak.com/blog/?p=114

Recently I wanted to build one of Signal’s libraries so that I could use it with signal-cli. It astonished me that building this secure messenger requires automatically downloading a whole host of third-party dependencies through wget from some disparate repositories, which presumably had received little vetting.

What happened to the notion of using stable, centralized package repositories like Debian’s or Red Hat’s in order to build one’s software? I did a lot of Free Software development in the early millennium, then was away from the scene for a few years, and when I came back this desire for convenience above all else really baffles me.

Thanks for sharing.

I'm now framing the problem as "inauthentic speech".

> ...go towards more “peer review” like in science.

Ditto journalism and reporting.

This is a universal problem. The core solution remains the same.

  Cite your sources
  Show your work
  Sign your name
WRT John Walker's screed, I really thought certificates and web of trust would have become the norm by now. Anything unsigned would be treated as gossip or worse. Certs could be revoked as needed.

Further, every trusted digital relationship would start with a key exchange. Vs relying on username and password. eg Banks would issue me a Secure Enclave of some sort, like a USB fob.

I'd like to understand why this didn't happen. My best guess is "Worse is better" enabled predators and parasites. Which has been acceptable during the gold rush.

The MS Edge dev channel has a basic form of tab suspending built into it now. Based on my non-rigorous testing it seems to actually save more memory than TGS ever did so I just removed the extension entirely.

It is really a shame that basic functionality like this isn't built into more browsers and we have to rely on extensions to fill the gaps just to keep memory usage under control for tab-a-holics like myself. :(

In fact tab suspending/discarding has been built into Chrome for some time now and Great Suspender does optionally make use of the built-in functionality.

I still sometimes use extensions like Great Suspender to give more control over the process (e.g. to suspend more aggressively on RAM-constrained machines or where the user uses a lot of tabs).

Since this news came out I have switched to "Auto Tab Discard".

Chromium-based browsers and Firefox have discarding built-in.

chrome://discards/ has some advanced options (in Chromium-based browsers).

Funnily enough, Google mentions The Great Suspender as inspiration for this feature in the August 2015 changelog: https://developers.google.com/web/updates/2015/09/tab-discar...

> We actually had a great chat with the author of the Great Suspender extension while developing tab discarding and they're glad to see us natively tackling this problem in ways that are more efficient than an extension might be able to, such as losing the state of your user inactions.

The functionality is built-into Chrome, the native tab discarding just happens when it thinks memory pressure is too high. Extensions like this give you extra granularity to set it to happen after a timer.
> It is really a shame that basic functionality like this isn't built into more browsers and we have to rely on extensions to fill the gaps just to keep memory usage under control for tab-a-holics like myself. :(

The way I see it, extension developers get to come up with innovative new features first, and then the first-party vendors like Apple, Google, and Microsoft take note and eventually do just that: Integrate it into their own products.

For example: The Great Suspender → Sleeping Tabs [experimental] (Microsoft/Edge); Flux → Night Shift (Apple/iOS); Growl → macOS Notifications (Apple/macOS); Swype → iOS Built-in Keyboard (Apple/iOS); etc

Edit: Fix formatting.

A reddit link, from the blog post [0] has all the details for those who don't use chrome.

TLDR: A popular extension was quietly sold off to an unknown party that subsequently added tracking/analytics. Not specifically malware, but not trustworthy either.

Did I miss anything?

[0]: https://www.reddit.com/r/KyleTaylor/comments/jowlt2/open_sou...

Why do people keep 100s of tabs open at a time? I get irritated if I have more than 8 open.
Because they have not found the bookmarks feature yet.
That brings me to the problem with links as well as with e-books: you don't usually see them. When you have an open tab, you see it all day long until you get rid of it. When you have a printed book, you bump in it on a daily basis (unless you hide it in more books).
Also bookmarks don't save page context. If I'm doing something -- even something simple like scrolling down a page -- and get interrupted, it's just easier to leave it open.
Yep. Tab history is important. How I got to some page is almost as important as the page itself.

I've been using large tab sessions ever since Opera 5 in the early 2000s. Back then I'd have 20-50 tabs or so. These days I have sessions of 500 active tabs and 500 suspended. It's great. I have full text tab search, and since my sessions last years, I know the general location of all important tabs. ALso, since I use a single process brower and NoScript, all those 500+ tabs take under <3 GB of ram.

It's matter of taste, but it's no new trend. Tabs, and tab users, have been around for 20 years now.

When I have 100 tabs open, 90 of them are one time use pages. I need to compile bits of information from each page, and then I never need those pages again. Why would I use bookmarks?

For example, last week I was shopping for a very specific, very expensive ceramic thrust bearing. I had 20+ pages open from 10+ suppliers and documentation sources. I needed those open all week while we decided on which one to buy. This was a minor background task, so I also had 60 other tabs open for my normal work flow.

Just because people use a tool differently than you doesn't make them wrong.

It'd be great if someone invented a method of working with bookmarks that worked as easily and seamlessly as tabs.

Back in the days of social bookmarks (like del.icio.us) pretty much everyone had a "toread" folder. The main problem is that you have to remember to delete them after reading them. That's not really a problem for good articles you remember reading, but the crap articles you don't remember, or quit reading are easy to forget to delete from the bookmarks. So, you end up reading the same crap articles several times. With a tab, you close the window and you're done. With bookmarks, you have to close the window, go through your bookmarks, find the one that was crap that you have already forgotten and delete it.

There's several other advantages to tabs too:

Like the fact that they're naturally organized by window based on the task you're doing.

You'll see them more often, and thus be reminded more often.

They save context, like forwards and back history, and information you may have typed in, or a UI you may have manipulated.

Why do people not understand why I have 100s of tabs open? I get irritated when asked this question.
Why indeed. Is that because bookmarks are too clumsy to use, and don't save your scroll position and other user input?
Any time I'm working on something, I inevitably end up with 20-30 tabs with different things I'm referencing. Especially documentation. I think I have around 6-8 open when I'm not doing anything, since I pin some web apps (e.g. Facebook Messenger) or dashboards.

It's also the best way to browse image galleries: middle click everything into new tabs, navigate them with the keyboard, and close them as you go. Beats clunky JavaScript lightboxes.

Tabs are my lazy man's to-do list. Leaving them open saves all the context I need. Closing them means I have to spend effort to get them back.
Try the extension 'Session Buddy'. You can view all open tabs and windows, group them as needed, and then save, close, and reopen sessions and groups.

I routinely research several related topics for a project, and I will need 10-30 tabs per topic open at once. Surprisingly, chrome manages to handle 100+ tabs on my system with out issue.

Please dont have more than 8 tabs open... problem solved.

Other persons have other treshold... and use cases.

Some user support need many searches that will help if be documented later... if I bookmark all of them I will never do that.

I'm a software developer and am always hovering around this mark. It's usually from digging through documentation, having multiple tabs with different areas of the app you're working on open, productivity tabs like Slack and Gmail, then personal tabs like Reddit and YouTube
I multitask. A lot. It's my job.

You should see my desktop

Thanks for this! I've been using this extension for a long time and just removed it today. Honestly, with Macbook Air M1 there is no need for suspending tabs any more because the battery life is amazing, so that also helps.
I recently switched to Auto Tab Discard.[1] It uses the browser's built-in tab suspending. It doesn't have all the features of TGS, though.

Edit: OneTab[2] is also pretty good when you have lots of tabs open for research or work.

[1]: https://github.com/rNeomy/auto-tab-discard

[2]: https://www.one-tab.com/

perfect! I was looking for [1] the other day. Plays nicely with sideberry which uses the same api but can't do "unload all other tabs".
I've been using it for the last few weeks, and it's been pretty good so far. It doesn't suspend music tabs when they're not playing (which TGS did automatically), but nothing much to complain about.
I personally use OneTab but it's worth noting that in the GH issue on TheGreatSuspender there's some ongoing (and mostly unsubstantiated, in this thread) concerns about OneTab's data collection and management[0].

[0] https://github.com/greatsuspender/thegreatsuspender/issues/1...

I wouldn't say it is "unsubstantiated".

Sharing bookmarks, is not the same as "sharing it with anyone in the world" - without any notification.

It is "mostly unsubstantiated" because the thread makes multiple claims without proof. The bookmark pages on Google provide some evidence for one of the claims but it is, by no means, proof of the claim's validity.
Quick note about the workaround mentioned in this article - the suggestion to download the last known good version of the extension and sideload it is a good one, but it has some problems on Chrome.

Chrome has features to dissuade users from installing extensions from outside the Chrome Web Store. If you load an unpacked extension, Chrome will issue an ominous warning (something like “this extension is untrusted, click here to uninstall”) on every launch.

One could argue this is for security, but this change was implemented around the same time that Google disabled the ability to self-host extensions that install into Chrome. Really this is a mechanism to shut out independent extension developers from any potential plausible third-party distribution method that doesn’t rely on the Chrome Web Store (which Google controls and aggressively moderates.)

Use Firefox.

> Use Firefox.

Firefox has similar restrictions... you have to side load through Developer Options. If you’re not a developer, you will be questioning why you’re doing this and the less-technically inclined will simply never do it (like my wife)

And it is not entirely nefarious as you suggest. It limits the damage that sideloaded extensions did roughly 2010 and earlier. The WebExtension API was another assault on extensions. These days, chrome and Firefox have essentially closed a huge attack vector even though extensions are a shadow of their former selves. I was a skeptic for a long time (why should power users pay for the faults of everyone else?) but no more. Kudos.

Kudos?

Availability is part of security, and the most secure system is disconnected from the internet and powered off. Why are we cheering our software becoming less useful in the name of safety? The switch to WebExtensions was a monstrous loss of functionality!

Chrome sideloads extensions through a similarly obscure menu - My main quarrel is the prompt where the default option is to uninstall that appears on every launch. Firefox doesn't have that.

Firefox also permits self-hosting extensions signed through their store, providing more freedom for extension developers.

> you have to side load through Developer Options

I'm not sure what screen "Developer Options" is referring to, but you can load add-ons directly from your hard drive with no fuss from the Add-ons page (though you must be running the Nightly or Developer version of Firefox). Click the gear icon right above your list of installed add-ons (this is also the menu that lets you disable auto-updates).

So you have to use an experimental version of Firefox. These nightly versions are less tested and can be a serious downgrade from any stable browser.

That's hardly what "Use Firefox" implied.

The Developer Edition is not a nightly build, it’s a beta build, so there has been some testing (Before I switched to stable, I only once had an issue). Your point stands though.
I can see why you'd think that but in practice I assure you that your concern is unwarranted. I've been using Nightly Firefox exclusively for almost ten years and I honestly can't remember it ever crashing (excluding the times when I was manually futzing with experimental about:config flags back in the electrolysis days).

As for the developer edition, it's literally the version that they expect web developers to use; it's not half-baked software by any means.

"Stable" doesn't necessary medan that it is secure, from an end-user perspective.
Do you have any stories or articles that corroborate that nightly is less secure?
Installing extensions from a file is supported in the latest mainline FF (84.0.2), nightly or dev are not required. I currently have one installed. It just shows a confirmation dialog and then installs it.
This is true but misleading: the extension you install from file has to be signed by Mozilla in exactly the same way that extensions on the store are signed.
You can remove the signature requirement on stable by setting `xpinstall.signatures.required` to `false` in your user.js / about:config

(I wrote most the extensions I installed for my own bespoke use, built locally as zip files and installed via "Install Add-on From File...", and I don't have a problem trusting myself.)

I don't think this is is true for the official Mozilla builds (except for Nightly, Beta and unbranded). It's possible that your distro has a custom build that allows the setting. Arch builds Firefox with `--allow-addon-sideload` which could be the culprit.
Ah indeed. My distro also builds with `--allow-addon-sideload`
No promises that that's actually the right flag. I had a rummage around searchfox and it looks like that just enables extensions that have been placed in special directories (whether they must be signed or not is a different flag). There clearly is a setting somewhere though as the unbranded builds exist...
yeah i kind of hate it but i can't really blame them for doing it, since before they did that, if you installed software from questionable sources like, say, java from the oracle website, it would bundle an ask toolbar with it. and this was so common
Signed XPIs are valid for eternity*, and you can just re-sign it for free if you really care about it.

* Unless it was explicitly revoked (updates do not revoke the signature) or Mozilla broke something that affects everything.

You could download it and publish it yourself. I have a extension I wrote myself, and while I occasionally see something about having to pay $5 in the extension management panel, it never forces me to do so. If they closed that hole, perhaps it's worth the $5 developer registration fee to some.
When did you publish your extension? I'm an extension developer that makes a mildly popular extension used by a niche group (1-2k MAU) and the Chrome Web Store has tightened their policies over the years. It's possible that you're grandfathered in (and haven't hit any of the extra reporting requirements if you haven't updated your extension recently.)

Extensions these days go through a rigorous review process, and Google regularly shuts down / imposes arbitrary restrictions against extensions due to changing policies.

I understand the importance of strong moderation to protect users from malicious extensions, but I believe Google is using that as an excuse to further lock down their store, increasing barriers to entry and making it harder for developers to build software to extend the most popular browser in the world without Google's blessing.

I hadn't looked at it for a while, so I just did so.

You're right...it won't let me update it now without a lot of justifications on their privacy tab. However, it is still published. The status is "Status: Published - unlisted", so I can't search for it, but I can go direct to the store url for it.

Yeah, that matches up with what I've seen. They've at least been decent enough not to kick people off the store, but I don't think it's possible to just have them sign / publish something unlisted these days without a good deal of policy writing and justifications.

Yet the large actors still publish malicious updates to extensions. ¯\_(ツ)_/¯

They have this "private" feature now where you have to list the email addresses of people that are allowed to use the extension. I don't see why that couldn't be coupled with "no review required", so long as the list is relatively short. But, yeah, likely will never happen.

Fortunately for me, I can re-do my extension to use the JS postMessage api which won't require hardly any permissions, and thus, not much to review.

(comment deleted)
> Chrome will issue an ominous warning on every launch.

That's google's shtick. They do the same if you unlock bootloader on your android phone. Black nag screen with scary text on every reboot.

There is another problem by sideloading the extension: you don't have cloud sync anymore, thus forcing you to sideload on every computer you have.
I'm pretty sure if you enable Extension Developer Mode, you won't get that nagging message on launch.
This sounds right. I've got Developer Mode on for my own custom written extensions and don't have mine disabled at all.
> Chrome has features to dissuade users from installing extensions from outside the Chrome Web Store. If you load an unpacked extension, Chrome will issue an ominous warning (something like “this extension is untrusted, click here to uninstall”) on every launch.

I've been sideloading vimium and thegreatsuspender for years and I haven't seen this message ever. Not on Mac nor Linux.

I'd switch to firefox but it is noticeably slower loading facebook and twitter, the sites I go to most often, and I trust it only like 25% more than chrome. :/
I have always used The Great Discarder instead [1]

It's by the same dev too but it uses Chrome's Native Tab Discarding feature and I found it way more efficient (at the time I started using it a few years ago - haven't compared recently).

[1] https://chrome.google.com/webstore/detail/the-great-discarde...

I like the idea of using the discard mechanism, but if it’s from the same developer, wouldn’t it be at risk of having the same thing happen?
True that's possible if it were to get popular. But since this wasn't the popular extension, it'd seem it wasn't sold off.
Great Suspender eventually added functionality to use Chrome's native tab discarding as well and so they stopped updating Great Discarder.
(comment deleted)
Just sent him this email:

Saw your article via HN.

As an easier permanent fix, just uninstall The Great Suspender and install Auto Tab Discard (https://add0n.com/tab-discard.html). It does the same thing.

It's available on:

Firefox - Auto Tab Discard – Get this Extension for Firefox (en-US)(https://addons.mozilla.org/en-US/firefox/addon/auto-tab-disc...)

Edge - Auto Tab Discard - Microsoft Edge Addons (https://microsoftedge.microsoft.com/addons/detail/auto-tab-d...)

or even if you're still using Chrome - Auto Tab Discard - Chrome Web Store (https://chrome.google.com/webstore/detail/auto-tab-discard/j...)

Discarding inactive tabs is not what I use The Great Suspender for. I use it to... suspend tabs. Auto Tab Discard doesn't seem to do that.
Ah damn, I was about to try it to see if it actually discarded or suspended tabs.
What is the difference?

From the website it sounds like the favicon is changed. So the tab doesn’t go away it’s just on pause

Google: “ a discarded tab doesn't go anywhere. We kill it but it's still visible on the Chrome tab strip. If you navigate back to a tab that's been discarded, it'll reload when clicked. Form content, scroll position and so on are saved and restored the same way they would be during forward/backward tab navigation.”

In the future this will be updated to also use a serializer for discarded tabs.

Discarding the tab is superior to what Great Suspender used to do. Why would you want the old behaviour?

Tab discarding is just a more efficient, native implementation of what Great Suspender aimed to do in the first place.

I don't use Chrome so I have no idea what either of these extensions did, but FF's implementation of tab discarding causes it to reload the page when I switch to the tab, which means I have to wait for the page to load before I can do whatever I wanted to do.

I'd much rather have a way to just stop all JS on a "suspended" tab so that FF doesn't burn 20% CPU on tabs that aren't even visible. (Yes I'm aware that JS timers, etc operate at reduced frequency for unfocused tabs. I'm talking about stopping them entirely.) Discarding may be more efficient for the browser but it's less efficient for me the user, so I don't use it.

Fair enough, although that is not what Great Suspender did. Great Suspender also causes the page to be reloaded on resumption, just like an early version of tab discarding.

Tab discarding does have the slight advantage that it remembers what you typed in on the page and where you were scrolled (but nonetheless still causes a reload).

What you are asking for regarding slowing the performance of background JS is something browsers already do: https://stackoverflow.com/questions/15871942/how-do-browsers...

Making that behaviour more aggressive seems like it is liable to cause significant problems to the user experience with minimal benefits. E.g. background media playback would likely be broken, notifications, etc. Whereas you could simply use bookmarks instead of open tabs to get the same effect (EDIT: actually tab discarding would already be better than that method as you note).

>What you are asking for regarding slowing the performance of background JS is something browsers already do

As I wrote:

>>(Yes I'm aware that JS timers, etc operate at reduced frequency for unfocused tabs. I'm talking about stopping them entirely.)

>Making that behaviour more aggressive seems like it is liable to cause significant problems to the user experience with minimal benefits. E.g. background media playback would likely be broken, notifications, etc.

I want none of those things from the "suspended" tabs.

>Whereas you could simply use bookmarks instead of open tabs to get the same effect

How? Do you mean I would load the bookmark into a new tab when I wanted to visit it? That not only has the same problem that I described for discarded tabs (have to wait for a page load), but is even worse because it loses all the context that discarded tabs do retain. Not to mention the annoyance of maintaining bookmarks for arbitrary tab groups that I just happen to have open.

(comment deleted)
(comment deleted)
Discard doesn't mean "remove" in this context. It will unload the tab, but still keep the state for when you switch back to it. E.g. suspend it.
Edge (dev) has built-in sleep tabs. It work quite good
I wish they had one that would do that based on memory or CPU usage of a tab.
Auto Tab Discard has a setting, "Discard a background tab if its memory usage (totalJSHeapSize) exceeds (in MB)"
I'm now curious how much money the original developer was paid to hand it over. I imagine he/she knew what the buyer's plan was.
According to the homepage of a company that buys apps, and as a first approximation, that would be "anywhere between 8x - 36x monthly revenue for apps. In most cases this is well above the standard market value of 6-12x".

Whether they are lowballing candidates with that offer, I can't say.

Lifesaver. Much obliged, davidfstr.
Wow, this is why just recently my Macbook pro was registering high CPU usage even when all tabs were asleep using Great Suspender. For some reason, Chrome was registering high CPU usage, and I thought it was some Chrome bug.
You lost me. What's this "this" in "this is why", exactly?
anyone able to compare Tiny Suspender and Auto Tab Discard?
> Apparently recent versions of this extension have been taken over by a shady anonymous entity...

That's something that worries me, whenever I install a software with trusted privileges.

Software companies can sell their products -- and user base -- to other companies without notice.

And it can be even worse in the free software world: think about all the updates that happen when you type `apt-get|yum|brew|npm|pip update`. What are the odds of a single dependency being taken over by a shady anonymous entity?

(comment deleted)
(comment deleted)
At this point, I would gladly pay good money for a browser that prevented ads and tracking, provided most of the standard plugin functionality oob and vetted the rest. This whole mess is a massive time suck.
(comment deleted)
I'm using Brave. Not sure it exactly matches what you want, but it's the closest I've found.