Most active commenters
  • zwnow(3)

←back to thread

Claude for Chrome

(www.anthropic.com)
795 points davidbarker | 26 comments | 26 Aug 25 19:01 UTC | HN request time: 0.001s | source | bottom
Show context
dfabulich ◴[27 Aug 25 01:10 UTC] No.45034300[source]
Claude for Chrome seems to be walking right into the "lethal trifecta." https://simonwillison.net/2025/Jun/16/the-lethal-trifecta/

"The lethal trifecta of capabilities is:"

Access to your private data—one of the most common purposes of tools in the first place!

Exposure to untrusted content—any mechanism by which text (or images) controlled by a malicious attacker could become available to your LLM

The ability to externally communicate in a way that could be used to steal your data (I often call this “exfiltration” but I’m not confident that term is widely understood.)

If your agent combines these three features, an attacker can easily trick it into accessing your private data and sending it to that attacker.

replies(11): >>45034378 #>>45034587 #>>45034866 #>>45035318 #>>45035331 #>>45036212 #>>45036454 #>>45036497 #>>45036635 #>>45040651 #>>45041262 #
1. afarviral ◴[27 Aug 25 01:51 UTC] No.45034587[source]
How would you go about making it more secure but still getting to have your cake too? Off the top my head, could you: a) only ingest text that can be OCRd or somehow determine if it is human readable b) make it so text from the web session is isolated from the model with respect to triggering an action. Then it's simply a tradeoff at that point.
replies(3): >>45034626 #>>45035055 #>>45035249 #
2. kccqzy ◴[27 Aug 25 01:57 UTC] No.45034626[source]
I think Simon has proposed breaking the lethal trifecta by having two LLMs, where the first has access to untrusted data but cannot do any actions, and the second LLM has privileges but only abstract variables from the first LLM not the content. See https://simonwillison.net/2023/Apr/25/dual-llm-pattern/

It is rather similar to your option (b).

replies(2): >>45035209 #>>45035740 #
3. jimbokun ◴[27 Aug 25 03:10 UTC] No.45035055[source]
I don't believe it's possible to give an LLM full access to your browser in a safe way at this point in time. There will need to be new and novel innovations to make that combination safe.
replies(2): >>45035323 #>>45036664 #
4. maximilianthe1 ◴[27 Aug 25 03:38 UTC] No.45035209[source]
Can't the attacker then jailbreak the first LLM to generate jailbreak with actions for the second one?
replies(3): >>45035244 #>>45036219 #>>45036522 #
5. arthurcolle ◴[27 Aug 25 03:45 UTC] No.45035244{3}[source]
Yes they can
replies(1): >>45035434 #
6. csomar ◴[27 Aug 25 03:46 UTC] No.45035249[source]
In the future, any action with consequence will require crypto-withdrawal levels of security. Maybe even a face scan before you can complete it.
replies(1): >>45036301 #
7. brookst ◴[27 Aug 25 03:59 UTC] No.45035323[source]
Is it possible to give your parents access to to your browser in a safe way?
replies(3): >>45035500 #>>45035910 #>>45036896 #
8. ares623 ◴[27 Aug 25 04:22 UTC] No.45035434{4}[source]
Hmm so we need 3 LLMs
replies(1): >>45035849 #
9. seemaze ◴[27 Aug 25 04:35 UTC] No.45035500{3}[source]
That’s easy. Giving my parents a safe browser to utilize without me is the challenge.
replies(1): >>45035842 #
10. pishpash ◴[27 Aug 25 05:26 UTC] No.45035740[source]
That's just an information bottleneck. It doesn't fundamentally change anything.
11. zwnow ◴[27 Aug 25 05:46 UTC] No.45035842{4}[source]
Because there never were safe web browsers in the first place. The internet is fundamentally flawed and programmers are continously having to invent coping mechanisms to the underlying issue. This will never change.
replies(2): >>45036342 #>>45036864 #
12. zwnow ◴[27 Aug 25 05:48 UTC] No.45035849{5}[source]
Doesn't help.

https://gandalf.lakera.ai/baseline

This thing models exactly these scenarios and asks you to break it, its still pretty easy. LLMs are not safe.

13. aydyn ◴[27 Aug 25 06:00 UTC] No.45035910{3}[source]
Why do people keep going down this sophistry? Claude is a tool, a piece of technology that you use. Your parents are not. LLMs are not people.
replies(1): >>45042721 #
14. dfabulich ◴[27 Aug 25 06:47 UTC] No.45036219{3}[source]
If you read the fine article, you'll see that the approach includes a non-LLM controller managing structured communication between the Privileged LLM (allowed to perform actions) and the Quarantined LLM (only allowed to produce structured data, which is assumed to be tainted).

See also CaMeL https://simonwillison.net/2025/Apr/11/camel/ which incorporates a type system to track tainted data from the Quarantined LLM, ensuring that the Privileged LLM can't even see tainted _data_ until it's been reviewed by a human user. (But this can induce user fatigue as the user is forced to manually approve all the data that the Privileged LLM can access.)

replies(1): >>45046231 #
15. ares623 ◴[27 Aug 25 06:58 UTC] No.45036301[source]
Ahh technology. The cause of, and _solution to_, all of life’s problems.
replies(1): >>45036531 #
16. nertirs1 ◴[27 Aug 25 07:04 UTC] No.45036342{5}[source]
You seem like the guy, who would call car airbags a coping mechanism.
17. j45 ◴[27 Aug 25 07:31 UTC] No.45036522{3}[source]
One would have to be relatively invisible.

Non-deterministic security feels like a relatively new area.

18. ◴[27 Aug 25 07:32 UTC] No.45036531{3}[source]
19. melagonster ◴[27 Aug 25 07:50 UTC] No.45036664[source]
People directly give their agent root, so I guess it is ok.
replies(1): >>45037330 #
20. Arisaka1 ◴[27 Aug 25 08:25 UTC] No.45036864{5}[source]
Just because you can never have absolute safety and security doesn't mean that you should be deliberately introduce more vulnerabilities in a system. It doesn't mtif we're talking about operating systems or the browser itself.

We shouldn't be sacrificing every trade-off indiscriminately out of fear of being left behind in the "AI world".

replies(1): >>45036907 #
21. lelanthran ◴[27 Aug 25 08:30 UTC] No.45036896{3}[source]
> Is it possible to give your parents access to to your browser in a safe way?

No.

Give them access to a browser running as a different user with different homedir? Sure, but that is not my browser.

Access to my browser in a private tab? Maybe, but that still isn't my browser. Still a danger though.

Anything that counts as "my browser" is not safe for me to give to someone else (whether parent or spouse or trusted advisor is irrelevant, they're all the same levels of insecurity).

22. zwnow ◴[27 Aug 25 08:32 UTC] No.45036907{6}[source]
To make it clear, I am fully against these types of AI tools. At least for as long as we did not solve security issues that come with them. We are really good at shipping bullshit nobody asked for without acknowledging security concerns. Most people out there can not operate a computer. A lot of people still click on obvious scam links they've received per email. Humanity is far from being ready for more complexity and more security related issues.
23. samrus ◴[27 Aug 25 09:38 UTC] No.45037330{3}[source]
Yeah i drive drunk all the time. Havent crashed yet
24. brookst ◴[27 Aug 25 17:49 UTC] No.45042721{4}[source]
If you think it's sophistry you're missing the point. Let's break it down:

1. Browsers are open ended tools

2. A knowledgeable user can accomplish all sorts of things with a browser

3. Most people can do very impactful things on browsers, like transferring money, buying expensive products, etc.

4. The problem of older people falling for scams and being tricked into taking self-harming actions in browsers is ancient; anyone who was family tech support in the 2000's remembers removing 15+ "helpful toolbars" and likely some scams/fraud that older relatives fell for

5. Claude is a tool that can use a browser

6. Claude is very likely susceptible to both old and new forms of scams / abuse, either the same ones that some people fall for or novel ones based on the tech

7. Anyone who is set up to take impactful actions in their browser (transferring money, buying expensive things) should already by vigilant about who they allow to use their browser with all of their personal context

8. It is reasonable to draw a parallel between tools like Claude and parents, in the sense that neither should be trusted with high-stakes browsing

9. It is also reasonable to take the same precautions -- allow them to use private browsing modes, make sure they don't have admin rights on your desktop, etc.

The fact that one "agent" is code and the other is human is totally immaterial. Allowing any agent to use your personal browsing context is dangerous and precautions should be taken. This shouldn't be surprising. It's certainly not new.

replies(1): >>45046364 #
25. yencabulator ◴[27 Aug 25 22:42 UTC] No.45046231{4}[source]
"Structured data" is kind of the wrong description for what Simon proposes. JSON is structured but can smuggle a string with the attack inside it. Simon's proposal is smarter than that.
26. aydyn ◴[27 Aug 25 23:01 UTC] No.45046364{5}[source]
> If you think it's sophistry you're missing the point. Let's break it down:

I'd be happy to respond to something that isn't ChatGPT, thanks.