Trust is about the author, not the code.
Open source is a bare minimum, although even that's not worth as much given how much harder it is now to load extensions that you've compiled yourself.
But those features you're talking about sound like they need extensive privileges within the browser. And while your extension might do what it says today, what's stopping you sticking a load of malware and adverts in there tomorrow? Or selling it to someone else who does?
If the author is an established person who's been known for years to develop good quality extensions and not sell out, then that gives some assurance. If it's an organisation like the EFF, even better?
But a random anonymous person making their first extension? No chance.
> What would make you trust a NEW security extension in 2025?
Time. I wouldn't trust it while it's new. I'd develop trust in it over time as I've observed the results of other people using and examining it.
> Would you ever pay for browser security ($3-5/month)?
I don't rent software, so I wouldn't pay a recurring fee. A one-time fee isn't out of the question, though.
> Is Manifest V3's limitations (30k rules, webRequest restrictions) a dealbreaker even for security-focused extensions?
Pretty much, in that I wouldn't be using a browser with that limitation in the first place.
"Thanks for the honest feedback—this is exactly the kind of 'cold water' I need to make sure I’m not building in a bubble.
On the trust point: You’re 100% right. Trust is the one thing you can’t 'feature-complete' your way into. My goal is to use things like reproducible builds and eventually a third-party audit to bridge that gap, but I recognize that for many, there is no substitute for a proven track record over years.
Regarding subscriptions: I hear you. The 'subscription fatigue' is real, especially for utilities. I’m strongly considering a 'pay-once' model or a 'donation-supported' version for individuals to avoid that 'software rental' feeling.
And on Manifest V3: I share your frustration. It’s a major reason why I’m prioritizing a Firefox-first (and potentially a Brave-optimized) version where those restrictions aren't as crippling as they are in the standard Chrome implementation.
I really appreciate you taking the time to share these perspectives—it helps me refine the roadmap before I write too much code."
If you’ve already chosen your path, why come here asking for permission? Is it a lack of confidence, or are you waiting for a miracle? Don’t turn yourself into the man in the fable who carried his donkey just because others told him to. It’s your idea. If you think it’s a waste, then stop. Everything worth doing requires risk. If you’re looking for a 100% guarantee, go back to sleep.
>You need multiple extensions
(I develop Privacy Badger.) There are significant benefits to adding PB or uBO to a browser that doesn't already ship with a real built-in ad blocker. While PB and uBO work well together and you may want to use both for various reasons, I wouldn't say you need both. Either one is enough by itself for most people.
>HTTPS Everywhere
HTTPS Everywhere has been deprecated and eventually removed from extension stores a few years ago: https://www.eff.org/deeplinks/2021/09/https-actually-everywh...
>Phishing detection
Why isn't what's built into browsers enough?
>Cookie auto-delete
Why bother when blocking trackers and ads?
>Pop-up blocking
Is that the same as the various "annoyances" ad blocker lists?
First off, thank you for everything you do with Privacy Badger—it's been a staple in my browser for years. I really appreciate you taking the time to poke holes in this.
You’re absolutely right about HTTPS Everywhere; that was an oversight in my initial write-up. Since it's now integrated into the major browsers, that’s one less 'fragment' to worry about.
To answer your questions on the 'why' behind the other features:
Phishing detection: The main gap I see with built-in Safe Browsing is the telemetry. Most users don't realize that 'Enhanced Protection' often means sending URLs/metadata back to a central server. I’m exploring a local-first approach (using bloom filters or highly optimized local sets) to keep that check entirely on-device.
Cookie auto-delete: While Total Cookie Protection (Firefox) is great, many browsers still only clear data 'on exit.' For users who keep their browser open for weeks, I see value in 'active' cleaning (e.g., clearing site data 15 minutes after a tab is closed) to minimize the session-tracking window.
The 'All-in-one' goal: My hypothesis is actually driven by the fingerprinting concern you've likely seen discussed. Using uBO + PB + a cookie manager creates a very unique extension fingerprint. I'm wondering if a single, consolidated open-source tool could actually help a user 'blend in' better than a stack of three different ones.
I’m still in the 'talking myself out of it' phase, so this technical pushback is exactly what I was hoping for. Thank you again ghostwords!
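A sketch of the local-first lookup with Bloom filters mentioned in the comment above, added here as an example and not code from anyone in the thread. The filter size, the hash choice, the parent-domain matching (which goes beyond what the comment describes) and all hostnames are assumptions made for illustration.

```javascript
// Added example: on-device blocklist lookup with a Bloom filter.
// Hostnames are constructed samples under reserved .example/.test names.

// Seeded 32-bit FNV-1a; the low byte of each UTF-16 unit is enough for
// hostnames, which the URL parser has already reduced to ASCII/punycode.
function fnv1a(str, seed) {
  let h = (0x811c9dc5 ^ seed) >>> 0;
  for (let i = 0; i < str.length; i++) {
    h ^= str.charCodeAt(i) & 0xff;
    h = Math.imul(h, 0x01000193) >>> 0;
  }
  return h;
}

class BloomFilter {
  constructor(bits, hashes) {
    this.m = bits;
    this.k = hashes;
    this.bytes = new Uint8Array(Math.ceil(bits / 8));
  }
  // Double hashing: the i-th index is (h1 + i*h2) mod m, with h2 forced odd.
  indexes(key) {
    const h1 = fnv1a(key, 0);
    const h2 = (fnv1a(key, 0x9e3779b9) | 1) >>> 0;
    return Array.from({ length: this.k }, (_, i) => (h1 + i * h2) % this.m);
  }
  add(key) {
    for (const i of this.indexes(key)) this.bytes[i >> 3] |= 1 << (i & 7);
  }
  mightContain(key) {
    return this.indexes(key).every((i) => this.bytes[i >> 3] & (1 << (i & 7)));
  }
}

// Hostname plus each parent domain with at least two labels, so a listed
// "bad-login.example" also covers "www.bad-login.example".
function candidates(url) {
  const labels = new URL(url).hostname.replace(/\.$/, "").split(".");
  return labels.slice(0, -1).map((_, i) => labels.slice(i).join("."));
}

// "clear" is definitive (no false negatives); "possible-match" may be a
// false positive and needs a second, exact check before blocking.
function checkUrl(filter, url) {
  return candidates(url).some((h) => filter.mightContain(h)) ? "possible-match" : "clear";
}

const blocklist = new BloomFilter(4096, 7);
["bad-login.example", "phish.test", "account-verify.example"].forEach((h) => blocklist.add(h));
```

The check stays on-device only if the second, exact confirmation of a "possible-match" is also done against locally stored data; sending the URL or hostname to a server at that step reintroduces the telemetry the comment wants to avoid.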
With my cookie question I meant, what's the point of managing cookies if you already do a good job of blocking trackers?
Re fingerprint, similar question: why does this matter if you do a good job of blocking common trackers that perform fingerprinting?
> I'm considering building a privacy-first browser security extension
> What I'm considering: - Zero data collection
...
> Phishing detection (local + Safe Browsing API)
Please, find the contradiction