Browser Extensions Function as a Gateway to the Outside World

Aug 19, 2021
Daniel Cid (@dcid)

What Are Browser Extensions?

A browser extension is a mechanism that exists in most modern browsers allowing the browser's capabilities to be expanded. They are often referred to as plugins or add-ons, similar to how mobile apps extend the functionality of a smartphone. Users can browse and install extensions through browser web stores like the Chrome Web Store.

The Security Risk: VPN Extensions

The primary concern with browser extensions from a content filtering perspective is how easily users can install Virtual Private Network (VPN) extensions to bypass network controls. Via the Chrome Web Store, users are able to search for extensions across a wide range of capabilities, and VPN extensions are among the most popular.

These VPN extensions create encrypted tunnels that allow users to evade network security measures and content filters. The challenge is that there are hundreds of VPN extensions available, and blocking them all individually is not realistic.

How VPN Extensions Circumvent Controls

When a user installs a VPN extension, all browser traffic, including DNS lookups, is routed through the VPN's servers, so name resolution no longer goes through your network's DNS resolver. This means that any DNS-based content filtering you have in place is completely bypassed. The user can access any website without restriction, regardless of your network policies.

This is particularly problematic in environments like schools, libraries, and workplaces where content filtering is required by policy or regulation.

Recommended Solution: Windows Registry Controls

For Windows devices, CleanBrowsing recommends using the Windows Registry to restrict extension installations. This approach uses a whitelist model that blocks all extensions by default and only allows specifically approved ones.

CleanBrowsing provides a downloadable registry file that accomplishes the following:

  • Blocks unauthorized extension installations, showing a "blocked" message when users attempt to add new extensions
  • Uses a whitelist model allowing only approved extensions
  • Includes pre-approved extensions such as AdGuard, LastPass, and Google Docs suite
  • Disables DNS-over-HTTPS (DoH) in Chrome to prevent another common bypass method

Implementation

To apply these restrictions, administrators decompress the registry file and double-click it to import the settings. It is important that user accounts on the devices do not have administrator-level privileges, as users with admin access could modify or remove the registry settings.
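
The kind of policy described above can be expressed with Chrome's enterprise policy values ExtensionInstallBlocklist, ExtensionInstallAllowlist and DnsOverHttpsMode. The PowerShell below is an added example, not CleanBrowsing's registry file; it writes those values and then audits them. The extension IDs are placeholders and the helper function names are hypothetical.

```powershell
# Added example: Chrome policy values under HKLM. Run from an elevated prompt.
# The IDs below are placeholders, not real extension IDs; substitute the
# 32-character IDs of the extensions you approve.
$ChromePolicy = 'HKLM:\SOFTWARE\Policies\Google\Chrome'
$Approved = @(
    'REPLACE_WITH_APPROVED_EXTENSION_ID_1',
    'REPLACE_WITH_APPROVED_EXTENSION_ID_2'
)

function Set-PolicyList {
    param([string]$Name, [string[]]$Values)
    $key = Join-Path $ChromePolicy $Name
    # Recreate the key so entries from an older list do not survive.
    if (Test-Path $key) { Remove-Item $key -Recurse -Force }
    New-Item -Path $key -Force | Out-Null
    $i = 1
    foreach ($v in $Values) {
        # List policies are stored as string values named 1, 2, 3, ...
        New-ItemProperty -Path $key -Name "$i" -Value $v -PropertyType String -Force | Out-Null
        $i++
    }
}

function Get-PolicyList {
    param([string]$Name)
    $key = Join-Path $ChromePolicy $Name
    if (-not (Test-Path $key)) { return @() }
    $item = Get-Item $key
    return @($item.GetValueNames() | ForEach-Object { $item.GetValue($_) })
}

# Apply: block every extension, allow only the approved IDs, turn DoH off.
Set-PolicyList -Name 'ExtensionInstallBlocklist' -Values @('*')
Set-PolicyList -Name 'ExtensionInstallAllowlist' -Values $Approved
New-ItemProperty -Path $ChromePolicy -Name 'DnsOverHttpsMode' -Value 'off' -PropertyType String -Force | Out-Null

# Audit: confirm the registry matches the intent (useful on machines you did not configure).
$block = @(Get-PolicyList 'ExtensionInstallBlocklist')
$allow = @(Get-PolicyList 'ExtensionInstallAllowlist')
$doh = (Get-ItemProperty -Path $ChromePolicy -Name 'DnsOverHttpsMode' -ErrorAction SilentlyContinue).DnsOverHttpsMode

[pscustomobject]@{
    BlocksAllByDefault = ($block -contains '*')
    AllowlistCount     = $allow.Count
    UnexpectedAllowed  = @($allow | Where-Object { $_ -notin $Approved }) -join ','
    DohDisabled        = ($doh -eq 'off')
}
```

After Chrome restarts, the applied values are also visible on its chrome://policy page.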

This approach, combined with DNS-based content filtering, provides a robust defense against extension-based bypass methods.
