One of MetaMask's most exciting features is connecting to decentralized applications, or Dapps. Think of a Dapp as a traditional website that you can access in your browser, but one that has a special portal built in that links it to the Ethereum network. In order to interact with that Ethereum functionality, you need to have a wallet connected to the Dapp portion of the website. That's where MetaMask comes in.
Trying to figure out whether a dapp is legitimate? You can always consult the details of projects registered at everest.link and verify that they match.
Many websites that have Dapp functionality will have a button somewhere on the site that says 'Connect wallet', 'Connect to Dapp', or even just 'Launch app'. Clicking the correct button should launch a set of interactions that end with your MetaMask wallet being connected to the Dapp you're on. That said, you might not want to do this on your first visit to the site, and that's fine; you can always manually connect later (see instructions here).
Be careful about which Dapps you connect to, and what permissions you give them.
Certain types of transaction require granting a Dapp permission to access your funds: infinite amounts of your funds.
In fact, there have been cases of Dapps being created specifically with the intent to defraud users and steal all of their funds once they've granted this kind of access.
Of course, infinite access to funds is often what you want; if you're accessing a decentralized exchange, you want to be able to deposit, swap, or transfer as many tokens as you specify. That said, here are some things to keep in mind:
- How well-known is the project? Does it have a community channel? Do your research before allowing access.
- How often do you use the Dapp? If it's not something you're actively using, do you want it to have access to your wallet?
- Has the Dapp or a related project recently had a security breach? It's worth searching here.
If you're concerned about this, MetaMask has straightforward ways to manage your Dapp connections, as explained here.
That said, there are other tools available for you to audit your Dapp connections. Not all of them are free, so read the fine print:
https://etherscan.io/tokenapprovalchecker (revocation charge applies)
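To make the "infinite amounts" permission described above concrete, here is an added example (not MetaMask's own code) that reads a transaction's calldata and reports whether it is a token approval, who the spender is, and whether the amount is effectively unlimited. It assumes the permission is an ERC-20 `approve(address,uint256)` call, which this page does not name; the spender address, sample amounts and the 2^255 threshold are constructed for illustration.

```javascript
// Added example (not MetaMask code): classify transaction calldata as an ERC-20 approval.
const APPROVE_SELECTOR = "095ea7b3"; // first 4 bytes of keccak256("approve(address,uint256)")
const MAX_UINT256 = (1n << 256n) - 1n; // the value commonly used for an "infinite" allowance
// Assumption: amounts of 2^255 or more are treated as effectively unlimited.
const UNLIMITED_THRESHOLD = 1n << 255n;

function inspectApproval(calldata) {
  const hex = String(calldata).toLowerCase().replace(/^0x/, "");
  if (!/^[0-9a-f]*$/.test(hex)) throw new Error("calldata is not hex");
  // Anything that is not approve() is reported as such and not decoded further.
  if (hex.slice(0, 8) !== APPROVE_SELECTOR) return { isApproval: false };

  // approve() takes two 32-byte ABI words: the spender address, then the amount.
  const args = hex.slice(8);
  if (args.length < 128) throw new Error("approve() calldata is truncated");

  // An address is 20 bytes, left-padded with 12 zero bytes inside its word.
  const spenderWord = args.slice(0, 64);
  if (!spenderWord.startsWith("0".repeat(24))) throw new Error("malformed spender address");
  const spender = "0x" + spenderWord.slice(24);
  const amount = BigInt("0x" + args.slice(64, 128)); // raw token units, before decimals

  let risk = "limited";
  if (amount === 0n) risk = "revoke"; // an allowance of zero removes the permission
  else if (amount >= UNLIMITED_THRESHOLD) risk = "unlimited";
  return { isApproval: true, spender, amount, risk };
}

// Constructed sample inputs; the spender is a placeholder, not a real contract.
const SPENDER = "11".repeat(20);
const word = (h) => h.padStart(64, "0");
const samples = {
  unlimited: "0x" + APPROVE_SELECTOR + word(SPENDER) + MAX_UINT256.toString(16),
  limited: "0x" + APPROVE_SELECTOR + word(SPENDER) + word((250n * 10n ** 18n).toString(16)),
  revoke: "0x" + APPROVE_SELECTOR + word(SPENDER) + word("0"),
  transfer: "0xa9059cbb" + word(SPENDER) + word("1"), // transfer(), not an approval
};

for (const [name, data] of Object.entries(samples)) {
  console.log(name, inspectApproval(data));
}
```

This covers only `approve()`; other ways of granting access, such as NFT `setApprovalForAll` or signature-based permits, need their own decoding.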