Would like to ask for opinions on this topic. Per my understanding it is very difficult for a website to determine that the extension installed is legit.
By design, extensions can use powerful APIs which allow them to interact with websites in almost any way. They can modify HTTP headers, inject JavaScript, modify the DOM, interact with cookies, etc.
Say that a website is supposed to communicate with a single, official Chrome extension.
What could the website do to determine that the extension it is interacting with is the official one?
Per my understanding, it is very easy to download a copy of the extension in the Chrome store. Even if the code is obfuscated, it will still be possible for a third party to look at the types of interactions between the extension and the website, and mimic them in a clone extension.
The only mechanism I could think of is to often change the mechanism in place to determine the extension is authentic. Third parties trying to mimic the extension will have to keep updating their extensions as well to follow the same patterns, and hopefully one's extension could always be one step ahead that way.
Thanks,
Francois