How can I be sure that a Google Chrome extension isn't doing evil things?

Solution 1:

Adblock extensions require the ability to access and modify the full HTML content of pages you visit, in order for element-blocking rules to work (e.g. to hide all <div id="advert"> elements). So of course they could abuse this access, and it is very hard to determine it programmatically.

In the case of Adblock Plus, you could examine the publicly available source code; but other than that, you'll just have to trust it. The extension has been around since 2006 for Firefox and 2010 for Chrome, and hasn't caused security issues since then, nor has it ever been removed from either program's extension store. It is reasonable to assume that it is trustworthy.

Solution 2:

The best way is to look at the source code if it's available. You can also do a bit of investigating yourself.

You can view the network traffic of the Chrome extension by first enabling developer mode by ticking the checkbox you find at chrome://extensions/.

After this, under each extension you should see an option to inspect the extension.


Clicking on the link to inspect the background page brings up a developer tools window. Click on the Network tab, and leave it open as you use the extension while watching the network tab for any traffic.


You can also click on Resources and have a look under Session Storage and Local Storage to see what data the extension is storing locally (if it is using those specific features).

Further, if you click on the Sources tab, you can click on the little arrow (top left) and see the actual JavaScript files that make up the extension.

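An added example, not part of either answer above: before watching an extension's network traffic in DevTools, it is worth reading its manifest.json (found in the extension's unpacked directory, or in the Sources tab described above) to see what it is allowed to do in the first place. The Node script below parses a manifest, flags the permissions and host patterns that grant broad access to browsing data, and reports which content scripts are injected into every page. The sample manifest is constructed for illustration, and the list of permissions treated as sensitive is this example's own judgement, not an official Chrome classification.

```javascript
// Added example (not code from the original answers): triage an extension's
// manifest.json for broad permissions before trusting it.
// Run with: node manifest_triage.js

// Constructed sample manifest; real ones are in the extension's directory.
const SAMPLE_MANIFEST = JSON.stringify({
  manifest_version: 3,
  name: "Example Blocker (constructed sample)",
  version: "1.0.0",
  permissions: ["storage", "webRequest", "tabs", "cookies"],
  host_permissions: ["<all_urls>"],
  content_scripts: [
    { matches: ["<all_urls>"], js: ["content.js"], run_at: "document_start" }
  ],
  background: { service_worker: "background.js" }
});

// Permissions that give an extension wide access to browsing data.
// The descriptions are this example's own summary, not Chrome's wording.
const SENSITIVE_PERMISSIONS = {
  "<all_urls>": "read and modify every page you visit",
  "tabs": "see URLs and titles of all open tabs",
  "cookies": "read and change cookies for permitted hosts",
  "history": "read browsing history",
  "webRequest": "observe network requests for permitted hosts",
  "webRequestBlocking": "modify or block network requests (Manifest V2)",
  "management": "enumerate and control other extensions",
  "nativeMessaging": "talk to native programs on the host",
  "debugger": "attach the DevTools debugger to pages",
  "clipboardRead": "read the clipboard"
};

// True for match patterns that cover every host: <all_urls>, *://*/*,
// http://*/*, https://*/*. Site-specific patterns such as
// https://*.example.com/* are not broad.
function isBroadHostPattern(pattern) {
  return pattern === "<all_urls>" || /^(\*|https?):\/\/\*\//.test(pattern);
}

// Parse a manifest and return a structured triage report.
function triageManifest(manifestJson) {
  const m = JSON.parse(manifestJson);
  // MV2 puts host patterns in "permissions"; MV3 uses "host_permissions".
  const declared = new Set([
    ...(m.permissions || []),
    ...(m.optional_permissions || []),
    ...(m.host_permissions || [])
  ]);
  const findings = [];
  for (const p of declared) {
    if (SENSITIVE_PERMISSIONS[p]) {
      findings.push({ permission: p, why: SENSITIVE_PERMISSIONS[p] });
    } else if (isBroadHostPattern(p)) {
      findings.push({ permission: p, why: "broad host pattern" });
    }
  }
  const contentScripts = (m.content_scripts || []).map(cs => ({
    matches: cs.matches || [],
    files: cs.js || [],
    runAt: cs.run_at || "document_idle"
  }));
  // A content script matched on every host can read and change any page.
  const injectsEverywhere = contentScripts.some(
    cs => cs.matches.some(isBroadHostPattern)
  );
  return {
    name: m.name,
    manifestVersion: m.manifest_version,
    findings,
    contentScripts,
    injectsEverywhere,
    // Simple score: one point per sensitive permission, two more for
    // page-wide content script injection. Thresholds are arbitrary.
    riskScore: findings.length + (injectsEverywhere ? 2 : 0)
  };
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(JSON.stringify(triageManifest(SAMPLE_MANIFEST), null, 2));
}
```

A high score is not proof of misbehaviour: an ad blocker genuinely needs page-wide access, exactly as Solution 1 explains. The point is to know what the extension can do, so that the network and storage inspection described above is focused on the capabilities it actually holds.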