My laptop was lying to me.

I wanted to look up information on a hacker named Morgan Marquis-Boire. He’s a New Zealander, a security specialist noted for his research on surveillance and censorship - he also works with journalist Glenn Greenwald’s The Intercept, where he is chief of security. I was researching a story, so I Googled his name, then clicked on the first entry: his Wikipedia page.

I expected the usual broad dump of information. Instead, what I got was a screen displaying the words ERROR: CERT_UNTRUSTED.

I use Google Chrome, and take full advantage of the plug-ins in its store, which allow me to customise my browsing experience. I was seeing this error because one plug-in, WikiWand (which reformats Wikipedia pages to make them look slightly less crappy), was refusing to display Marquis-Boire’s page.

Curious, I tried to look up other entries. Edward Snowden’s worked fine, as did Glenn Greenwald's, but Marquis-Boire remained stubbornly inaccessible. Further experimentation made the hairs on the back of my neck stand up: in multiple browsers, whenever WikiWand was enabled, his page could not be loaded. For anybody using WikiWand, information on one of the most skilled hackers on Earth - a man who had worked with journalists in direct opposition to the US government - had simply vanished.

I knew nothing about WikiWand. I didn’t know who owned it, or what its code looked like. Even if I could find the code, I wouldn’t be able to interpret it. I simply took it on faith that WikiWand would show me what I needed. And there were dozens of tiny programs – Chrome extensions, Android apps, Kindle apps - that I had already installed, ostensibly changing my browsing experience for the better. They could have been showing me a distorted view of the world for years, and I would have been none the wiser.


Every day, we put our data in the hands of companies we know absolutely nothing about.

I’m not talking about Google and Apple and Microsoft. They all have an interest in making their own software as robust as possible: they’re big companies, with share prices and extensive media coverage, and security breaches are death to them. But independent developers? The ones creating the apps on your phone and the add-ons that make Wikipedia more pleasant to look at? Outside of the security requirements of the individual app stores, there’s nothing stopping them from sneaking malicious code in under the radar. There are millions and millions of apps available - 2.2m in the Android app store alone - and no way to tell if they’re kosher.

Just ask Gunter Ollman. He’s the Chief Security Officer at Vectra Networks, a security firm with a reputation for rooting out dubious behaviour. Last year, his firm performed a technical analysis of the popular app Hola, which allowed users to access content from any location. They found that it had some serious security issues, which was particularly concerning for me, as I’d been merrily using it for months to watch Saturday Night Live episodes from Canada.

Like Marquis-Boire, Ollman is a Kiwi. The two of them are actually quite friendly, spending time together at various conferences (we did contact Marquis-Boire for this story, but he declined to comment, saying he was unfamiliar with WikiWand). “I spent the first part of my career breaking stuff, and the second part teaching companies to stop people like me!” Ollman jokes. But when it comes to extensions like Hola and WikiWand, he’s firm: we simply don’t have the capacity to know if they’re doing what they say they are.

“It depends on the nature of the app, and whether or not it’s operating in a visual capacity or is doing operations behind the scenes,” he says. “It’s the difference between a plug-in for Google Chrome, like the Web Developer Toolkit, versus something like an adblocker. Unfortunately, with many of those apps, there is little control over the code that goes into them.”

And herein lies the problem. I only picked up the issue with WikiWand because something went wrong. Ollman says that unless an app crashes, or does something like use a huge amount of bandwidth, there’s simply no telling. Most of us, myself included, don’t even have the capacity to diagnose the correct source of the problem. If my browser started acting up, I wouldn’t blame one of my plug-ins: I’d blame Google. I am almost hysterically unqualified to know if I’m being lied to.

This problem is neatly summed up by something Ollman already mentioned, and which you probably use already: adblockers. In September, tech site The Verge reported that one of the more popular ones, AdBlock Plus, wasn’t just removing ads from websites. It was inserting others in their place, ones it had deemed “acceptable”. This wasn’t a secret – the company had been doing it for years – but it wasn’t something they went out of their way to publicize.

The bigger app stores have made significant strides towards making their security more robust. But they can’t catch everything, and for many of the smaller stores, it’s a lot easier to focus on sexy apps than it is to beef up safeguards. “Those stores have loosened the reins on the type of applications they allow in there,” Ollman explains. “It also potentially reduces the cost of running the stores, at least until they’re established. Security is the expensive part.”


Fortunately – or unfortunately, if you’re me and hoping for a big conspiracy erasing dissidents from the Internet – the problem with WikiWand came down to something pretty mundane.

“We had a technical problem accessing Wikipedia servers that caused pages that were uncached (usually pages that are not accessed very often) to show this error,” WikiWand’s Lior Grossman told me in an email. An OpenSSL configuration had prevented the plug-in from communicating with Wikipedia’s servers - OpenSSL is a widely-trusted piece of software used for secure communication online. Morgan Marquis-Boire wasn’t the only page affected. Others included Thornton, Colorado, a list of episodes for the TV show The Americans, and an entry for the caricaturist Roger Law (me neither). Marquis-Boire, it seems, was just an unfortunate coincidence.

“The Wikiwand is a ‘man in the middle’ for the SSL connection,” Ollman says, when I put Grossman’s explanation to him. “If the OpenSSL is doing something that’s a little bit more complicated or they hadn’t fully implemented that feature, if the Wikiwand is working on that secure channel to analyse the certificates, then it sounds quite probable. These sort of things do happen, especially on open source platforms and some of the smaller apps. The tell would be how long it takes them to acknowledge that there is a fault there, and how quickly they fix it.”

It took less than a day after I first emailed Grossman for the error to be noted and fixed. WikiWand, it appears, is legit. But that doesn’t change the fact that any of the dozens of extensions and apps in my life, and yours, might not be. And at this point in time, unless you know your code, there is simply no way to tell.